1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <database name=
"ovn-nb" title=
"OVN Northbound Database">
4 This database is the interface between OVN and the cloud management system
5 (CMS), such as OpenStack, running above it. The CMS produces almost all of
6 the contents of the database. The
<code>ovn-northd
</code> program
7 monitors the database contents, transforms it, and stores it into the
<ref
8 db=
"OVN_Southbound"/> database.
12 We generally speak of ``the'' CMS, but one can imagine scenarios in
13 which multiple CMSes manage different parts of an OVN deployment.
19 Each of the tables in this database contains a special column, named
20 <code>external_ids
</code>. This column has the same form and purpose each
25 <dt><code>external_ids
</code>: map of string-string pairs
</dt>
27 Key-value pairs for use by the CMS. The CMS might use certain pairs, for
28 example, to identify entities in its own configuration that correspond to
29 those in this database.
33 <table name=
"NB_Global" title=
"Northbound configuration">
35 Northbound configuration for an OVN system. This table must have exactly
39 <group title=
"Status">
40 These columns allow a client to track the overall configuration state of
43 <column name=
"nb_cfg">
44 Sequence number for client to increment. When a client modifies any
45 part of the northbound database configuration and wishes to wait for
46 <code>ovn-northd
</code> and possibly all of the hypervisors to finish
47 applying the changes, it may increment this sequence number.
50 <column name=
"sb_cfg">
51 Sequence number that
<code>ovn-northd
</code> sets to the value of
<ref
52 column=
"nb_cfg"/> after it finishes applying the corresponding
53 configuration changes to the
<ref db=
"OVN_Southbound"/> database.
56 <column name=
"hv_cfg">
57 Sequence number that
<code>ovn-northd
</code> sets to the smallest
58 sequence number of all the chassis in the system, as reported in the
59 <code>Chassis
</code> table in the southbound database. Thus,
<ref
60 column=
"hv_cfg"/> equals
<ref column=
"nb_cfg"/> if all chassis are
61 caught up with the northbound configuration (which may never happen, if
62 any chassis is down). This value can regress, if a chassis was removed
63 from the system and rejoins before catching up.
67 <group title=
"Common Columns">
68 <column name=
"external_ids">
69 See
<em>External IDs
</em> at the beginning of this document.
72 <group title=
"Connection Options">
73 <column name=
"connections">
74 Database clients to which the Open vSwitch database server should
75 connect or on which it should listen, along with options for how these
76 connections should be configured. See the
<ref table=
"Connection"/>
77 table for more information.
80 Global SSL configuration.
85 <table name=
"Logical_Switch" title=
"L2 logical switch">
87 Each row represents one L2 logical switch.
91 There are two kinds of logical switches, that is, ones that fully
92 virtualize the network (overlay logical switches) and ones that provide
93 simple connectivity to a physical network (bridged logical switches).
94 They work in the same way when providing connectivity between logical
95 ports on same chasis, but differently when connecting remote logical
96 ports. Overlay logical switches connect remote logical ports by tunnels,
97 while bridged logical switches provide connectivity to remote ports by
98 bridging the packets to directly connected physical L2 segment with the
99 help of
<code>localnet
</code> ports. Each bridged logical switch has
100 one and only one
<code>localnet
</code> port, which has only one special
101 address
<code>unknown
</code>.
104 <column name=
"ports">
106 The logical ports connected to the logical switch.
110 It is an error for multiple logical switches to include the same
115 <column name=
"load_balancer">
116 Load balance a virtual ip address to a set of logical port endpoint
121 Access control rules that apply to packets within the logical switch.
124 <column name=
"qos_rules">
125 QOS marking rules that apply to packets within the logical switch.
128 <column name=
"dns_records">
129 This column defines the DNS records to be used for resolving internal
130 DNS queries within the logical switch by the native DNS resolver.
131 Please see the
<ref table=
"DNS"/> table.
134 <group title=
"Naming">
136 These columns provide names for the logical switch. From OVN's
137 perspective, these names have no special meaning or purpose other than
138 to provide convenience for human interaction with the database.
139 There is no requirement for the name to be unique. (For a unique
140 identifier for a logical switch, use its row UUID.)
144 (Originally,
<ref column=
"name"/> was intended to serve the purpose of
145 a human-friendly name, but the Neutron integration used it to uniquely
146 identify its own switch object, in the format
147 <code>neutron-
<var>uuid
</var></code>. Later on, Neutron started
148 propagating the friendly name of a switch as
<ref column=
"external_ids"
149 key=
"neutron:network_name"/>. Perhaps this can be cleaned up someday.)
153 A name for the logical switch.
156 <column name=
"external_ids" key=
"neutron:network_name">
157 Another name for the logical switch.
161 <group title=
"IP Address Assignment">
163 These options control automatic IP address management (IPAM) for ports
164 attached to the logical switch. To enable IPAM for IPv4, set
<ref
165 column=
"other_config" key=
"subnet"/> and optionally
<ref
166 column=
"other_config:exclude_ips"/>. To enable IPAM for IPv6, set
167 <ref column=
"other_config" key=
"ipv6_prefix"/>. IPv4 and IPv6 may
168 be enabled together or separately.
172 To request dynamic address assignment for a particular port, use the
173 <code>dynamic
</code> keyword in the
<ref table=
"Logical_Switch_Port"
174 column=
"addresses"/> column of the port's
<ref
175 table=
"Logical_Switch_Port"/> row. This requests both an IPv4 and an
176 IPv6 address, if IPAM for IPv4 and IPv6 are both enabled.
179 <column name=
"other_config" key=
"subnet">
180 Set this to an IPv4 subnet, e.g.
<code>192.168.0.0/
24</code>, to enable
181 <code>ovn-northd
</code> to automatically assign IP addresses within
185 <column name=
"other_config" key=
"exclude_ips">
187 To exclude some addresses from automatic IP address management, set
188 this to a list of the IPv4 addresses or
<code>..
</code>-delimited
189 ranges to exclude. The addresses or ranges should be a subset of
190 those in
<ref column=
"other_config" key=
"subnet"/>.
193 Whether listed or not,
<code>ovn-northd
</code> will never allocate
194 the first or last address in a subnet, such as
192.168.0.0 or
195 192.168.0.255 in
192.168.0.0/
24.
201 <li><code>192.168.0.2 192.168.0.10</code></li>
202 <li><code>192.168.0.4 192.168.0.30.
.192.168.0.60 192.168.0.110.
.192.168.0.120</code></li>
203 <li><code>192.168.0.110.
.192.168.0.120 192.168.0.25.
.192.168.0.30 192.168.0.144</code></li>
207 <column name=
"other_config" key=
"ipv6_prefix">
208 Set this to an IPv6 prefix to enable
<code>ovn-northd
</code> to
209 automatically assign IPv6 addresses using this prefix. The assigned
210 IPv6 address will be generated using the IPv6 prefix and the MAC
211 address (converted to an IEEE EUI64 identifier) of the port. The IPv6
212 prefix defined here should be a valid IPv6 address ending with
218 <li><code>aef0::
</code></li>
219 <li><code>bef0:
1234:a890:
5678::
</code></li>
220 <li><code>8230:
5678::
</code></li>
225 <group title=
"Common Columns">
226 <column name=
"external_ids">
227 See
<em>External IDs
</em> at the beginning of this document.
232 <table name=
"Logical_Switch_Port" title=
"L2 logical switch port">
234 A port within an L2 logical switch.
237 <group title=
"Core Features">
240 The logical port name.
244 For entities (VMs or containers) that are spawned in the hypervisor,
245 the name used here must match those used in the
<ref key=
"iface-id"
246 table=
"Interface" column=
"external_ids" db=
"Open_vSwitch"/> in the
247 <ref db=
"Open_vSwitch"/> database's
<ref table=
"Interface"
248 db=
"Open_vSwitch"/> table, because hypervisors use
<ref key=
"iface-id"
249 table=
"Interface" column=
"external_ids" db=
"Open_vSwitch"/> as a lookup
250 key to identify the network interface of that entity.
254 For containers that share a VIF within a VM, the name can be any
255 unique identifier. See
<code>Containers
</code>, below, for more
262 Specify a type for this logical port. Logical ports can be used to
263 model other types of connectivity into an OVN logical switch. The
264 following types are defined:
268 <dt>(empty string)
</dt>
270 A VM (or VIF) interface.
273 <dt><code>router
</code></dt>
275 A connection to a logical router.
278 <dt><code>localnet
</code></dt>
280 A connection to a locally accessible network from each
281 <code>ovn-controller
</code> instance. A logical switch can only
282 have a single
<code>localnet
</code> port attached. This is used
283 to model direct connectivity to an existing network.
286 <dt><code>localport
</code></dt>
288 A connection to a local VIF. Traffic that arrives on a
289 <code>localport
</code> is never forwarded over a tunnel to another
290 chassis. These ports are present on every chassis and have the same
291 address in all of them. This is used to model connectivity to local
292 services that run on every hypervisor.
295 <dt><code>l2gateway
</code></dt>
297 A connection to a physical network.
300 <dt><code>vtep
</code></dt>
302 A port to a logical switch on a VTEP gateway.
308 <group title=
"Options">
309 <column name=
"options">
310 This column provides key/value settings specific to the logical port
311 <ref column=
"type"/>. The type-specific options are described
315 <group title=
"Options for router ports">
317 These options apply when
<ref column=
"type"/> is
<code>router
</code>.
320 <column name=
"options" key=
"router-port">
321 Required. The
<ref column=
"name"/> of the
<ref
322 table=
"Logical_Router_Port"/> to which this logical switch port is
326 <column name=
"options" key=
"nat-addresses">
328 This is used to send gratuitous ARPs for SNAT and DNAT IP
329 addresses via the
<code>localnet
</code> port that is attached
330 to the same logical switch as this type
<code>router
</code>
331 port. This option is specified on a logical switch port that is
332 connected to a gateway router, or a logical switch port that is
333 connected to a distributed gateway port on a logical router.
337 This must take one of the following forms:
341 <dt><code>router
</code></dt>
344 Gratuitous ARPs will be sent for all SNAT and DNAT external IP
345 addresses and for all load balancer IP addresses defined on the
346 <ref column=
"options" key=
"router-port"/>'s logical router,
347 using the
<ref column=
"options" key=
"router-port"/>'s MAC
352 This form of
<ref column=
"options" key=
"nat-addresses"/> is
353 valid for logical switch ports where
<ref column=
"options"
354 key=
"router-port"/> is the name of a port on a gateway router,
355 or the name of a distributed gateway port.
359 Supported only in OVN
2.8 and later. Earlier versions required
360 NAT addresses to be manually synchronized.
364 <dt><code>Ethernet address followed by one or more IPv4 addresses
</code></dt>
367 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22
368 158.36.44.24</code>. This would result in generation of
369 gratuitous ARPs for IP addresses
158.36.44.22 and
158.36.44.24
370 with a MAC address of
80:fa:
5b:
06:
72:b7.
374 This form of
<ref column=
"options" key=
"nat-addresses"/> is
375 only valid for logical switch ports where
<ref column=
"options"
376 key=
"router-port"/> is the name of a port on a gateway router.
383 <group title=
"Options for localnet ports">
385 These options apply when
<ref column=
"type"/> is
386 <code>localnet
</code>.
389 <column name=
"options" key=
"network_name">
390 Required. The name of the network to which the
<code>localnet
</code>
391 port is connected. Each hypervisor, via
<code>ovn-controller
</code>,
392 uses its local configuration to determine exactly how to connect to
393 this locally accessible network.
397 <group title=
"Options for l2gateway ports">
399 These options apply when
<ref column=
"type"/> is
400 <code>l2gateway
</code>.
403 <column name=
"options" key=
"network_name">
404 Required. The name of the network to which the
<code>l2gateway
</code>
405 port is connected. The L2 gateway, via
<code>ovn-controller
</code>,
406 uses its local configuration to determine exactly how to connect to
410 <column name=
"options" key=
"l2gateway-chassis">
411 Required. The chassis on which the
<code>l2gateway
</code> logical
412 port should be bound to.
<code>ovn-controller
</code> running on the
413 defined chassis will connect this logical port to the physical network.
418 <group title=
"Options for vtep ports">
420 These options apply when
<ref column=
"type"/> is
<code>vtep
</code>.
423 <column name=
"options" key=
"vtep-physical-switch">
424 Required. The name of the VTEP gateway.
427 <column name=
"options" key=
"vtep-logical-switch">
428 Required. A logical switch name connected by the VTEP gateway.
432 <group title=
"VMI (or VIF) Options">
434 These options apply to logical ports with
<ref column=
"type"/> having
438 <column name=
"options" key=
"requested-chassis">
439 If set, identifies a specific chassis (by name or hostname) that
440 is allowed to bind this port. Using this option will prevent
441 thrashing between two chassis trying to bind the same port during
442 a live migration. It can also prevent similar thrashing due to a
443 mis-configuration, if a port is accidentally created on more than
447 <column name=
"options" key=
"qos_max_rate">
448 If set, indicates the maximum rate for data sent from this interface,
449 in bit/s. The traffic will be shaped according to this limit.
452 <column name=
"options" key=
"qos_burst">
453 If set, indicates the maximum burst size for data sent from this
459 <group title=
"Containers">
461 When a large number of containers are nested within a VM, it may be too
462 expensive to dedicate a VIF to each container. OVN can use VLAN tags
463 to support such cases. Each container is assigned a VLAN ID and each
464 packet that passes between the hypervisor and the VM is tagged with the
465 appropriate ID for the container. Such VLAN IDs never appear on a
466 physical wire, even inside a tunnel, so they need not be unique except
467 relative to a single VM on a hypervisor.
471 These columns are used for VIFs that represent nested containers using
472 shared VIFs. For VMs and for containers that have dedicated VIFs, they
476 <column name=
"parent_name">
477 The VM interface through which the nested container sends its network
478 traffic. This must match the
<ref column=
"name"/> column for some
479 other
<ref table=
"Logical_Switch_Port"/>.
482 <column name=
"tag_request">
484 The VLAN tag in the network traffic associated with a container's
485 network interface. The client can request
<code>ovn-northd
</code>
486 to allocate a tag that is unique within the scope of a specific
487 parent (specified in
<ref column=
"parent_name"/>) by setting a value
488 of
<code>0</code> in this column. The allocated value is written
489 by
<code>ovn-northd
</code> in the
<ref column=
"tag"/> column.
490 (Note that these tags are allocated and managed locally in
491 <code>ovn-northd
</code>, so they cannot be reconstructed in the event
492 that the database is lost.) The client can also request a specific
493 non-zero tag and
<code>ovn-northd
</code> will honor it and copy that
494 value to the
<ref column=
"tag"/> column.
498 When
<ref column=
"type"/> is set to
<code>localnet
</code> or
499 <code>l2gateway
</code>, this can
500 be set to indicate that the port represents a connection to a
501 specific VLAN on a locally accessible network. The VLAN ID is used
502 to match incoming traffic and is also added to outgoing traffic.
508 The VLAN tag allocated by
<code>ovn-northd
</code> based on the
509 contents of the
<ref column=
"tag_request"/> column.
514 <group title=
"Port State">
517 This column is populated by
<code>ovn-northd
</code>, rather
518 than by the CMS plugin as is most of this database. When a
519 logical port is bound to a physical location in the OVN
520 Southbound database
<ref db=
"OVN_Southbound"
521 table=
"Binding"/> table,
<code>ovn-northd
</code> sets this
522 column to
<code>true
</code>; otherwise, or if the port
523 becomes unbound later, it sets it to
<code>false
</code>.
524 This allows the CMS to wait for a VM's (or container's)
525 networking to become active before it allows the VM (or
530 Logical ports of router type are an exception to this rule.
531 They are considered to be always up, that is this column is
532 always set to
<code>true
</code>.
536 <column name=
"enabled">
537 This column is used to administratively set port state. If this column
538 is empty or is set to
<code>true
</code>, the port is enabled. If this
539 column is set to
<code>false
</code>, the port is disabled. A disabled
540 port has all ingress and egress traffic dropped.
545 <group title=
"Addressing">
546 <column name=
"addresses">
548 Addresses owned by the logical port.
552 Each element in the set must take one of the following forms:
556 <dt><code>Ethernet address followed by zero or more IPv4 or IPv6 addresses (or both)
</code></dt>
559 An Ethernet address defined is owned by the logical port.
560 Like a physical Ethernet NIC, a logical port ordinarily has
561 a single fixed Ethernet address.
565 When a OVN logical switch processes a unicast Ethernet frame
566 whose destination MAC address is in a logical port's
<ref
567 column=
"addresses"/> column, it delivers it only to that port, as
568 if a MAC learning process had learned that MAC address on the
573 If IPv4 or IPv6 address(es) (or both) are defined, it indicates
574 that the logical port owns the given IP addresses.
578 If IPv4 address(es) are defined, the OVN logical switch uses this
579 information to synthesize responses to ARP requests without
580 traversing the physical network. The OVN logical router connected
581 to the logical switch, if any, uses this information to avoid
582 issuing ARP requests for logical switch ports.
586 Note that the order here is important. The Ethernet address must
587 be listed before the IP address(es) if defined.
595 <dt><code>80:fa:
5b:
06:
72:b7
</code></dt>
597 This indicates that the logical port owns the above mac address.
600 <dt><code>80:fa:
5b:
06:
72:b7
10.0.0.4 20.0.0.4</code></dt>
602 This indicates that the logical port owns the mac address and two
606 <dt><code>80:fa:
5b:
06:
72:b7 fdaa:
15f2:
72cf:
0:f816:
3eff:fe20:
3f41
</code></dt>
608 This indicates that the logical port owns the mac address and
612 <dt><code>80:fa:
5b:
06:
72:b7
10.0.0.4 fdaa:
15f2:
72cf:
0:f816:
3eff:fe20:
3f41
</code></dt>
614 This indicates that the logical port owns the mac address and
615 1 IPv4 address and
1 IPv6 address.
620 <dt><code>unknown
</code></dt>
622 This indicates that the logical port has an unknown set of Ethernet
623 addresses. When an OVN logical switch processes a unicast Ethernet
624 frame whose destination MAC address is not in any logical port's
625 <ref column=
"addresses"/> column, it delivers it to the port (or
626 ports) whose
<ref column=
"addresses"/> columns include
627 <code>unknown
</code>.
630 <dt><code>dynamic
</code></dt>
632 Use this keyword to make
<code>ovn-northd
</code> generate a
633 globally unique MAC address and choose an unused IPv4 address with
634 the logical port's subnet and store them in the port's
<ref
635 column=
"dynamic_addresses"/> column.
<code>ovn-northd
</code> will
636 use the subnet specified in
<ref table=
"Logical_Switch"
637 column=
"other_config" key=
"subnet"/> in the port's
<ref
638 table=
"Logical_Switch"/>.
641 <dt><code>Ethernet address followed by keyword
"dynamic"</code></dt>
645 The keyword
<code>dynamic
</code> after the MAC address indicates
646 that
<code>ovn-northd
</code> should choose an unused IPv4 address
647 from the logical port's subnet and store it with the specified
648 MAC in the port's
<ref column=
"dynamic_addresses"/> column.
649 <code>ovn-northd
</code> will use the subnet specified in
<ref
650 table=
"Logical_Switch" column=
"other_config" key=
"subnet"/> in
651 the port's
<ref table=
"Logical_Switch"/> table.
659 <dt><code>80:fa:
5b:
06:
72:b7 dynamic
</code></dt>
661 This indicates that the logical port owns the specified
662 MAC address and
<code>ovn-northd
</code> should allocate an
663 unused IPv4 address for the logical port from the corresponding
664 logical switch subnet.
669 <dt><code>router
</code></dt>
672 Accepted only when
<ref column=
"type"/> is
<code>router
</code>.
673 This indicates that the Ethernet, IPv4, and IPv6 addresses for
674 this logical switch port should be obtained from the connected
675 logical router port, as specified by
<code>router-port
</code> in
676 <ref column=
"options"/>.
680 The resulting addresses are used to populate the logical
681 switch's destination lookup, and also for the logical switch
682 to generate ARP and ND replies.
686 If the connected logical router port has a
687 <code>redirect-chassis
</code> specified and the logical router
688 has rules specified in
<ref column=
"nat" table=
"Logical_Router"/>
689 with
<ref column=
"external_mac" table=
"NAT"/>, then those
690 addresses are also used to populate the switch's destination
695 Supported only in OVN
2.7 and later. Earlier versions required
696 router addresses to be manually synchronized.
703 <column name=
"dynamic_addresses">
705 Addresses assigned to the logical port by
<code>ovn-northd
</code>, if
706 <code>dynamic
</code> is specified in
<ref column=
"addresses"/>.
707 Addresses will be of the same format as those that populate the
<ref
708 column=
"addresses"/> column. Note that dynamically assigned
709 addresses are constructed and managed locally in ovn-northd, so they
710 cannot be reconstructed in the event that the database is lost.
714 <column name=
"port_security">
716 This column controls the addresses from which the host attached to the
717 logical port (``the host'') is allowed to send packets and to which it
718 is allowed to receive packets. If this column is empty, all addresses
723 Each element in the set must begin with one Ethernet address.
724 This would restrict the host to sending packets from and receiving
725 packets to the ethernet addresses defined in the logical port's
726 <ref column=
"port_security"/> column. It also restricts the inner
727 source MAC addresses that the host may send in ARP and IPv6
728 Neighbor Discovery packets. The host is always allowed to receive packets
729 to multicast and broadcast Ethernet addresses.
733 Each element in the set may additionally contain one or more IPv4 or
734 IPv6 addresses (or both), with optional masks. If a mask is given, it
735 must be a CIDR mask. In addition to the restrictions described for
736 Ethernet addresses above, such an element restricts the IPv4 or IPv6
737 addresses from which the host may send and to which it may receive
738 packets to the specified addresses. A masked address, if the host part
739 is zero, indicates that the host is allowed to use any address in the
740 subnet; if the host part is nonzero, the mask simply indicates the size
741 of the subnet. In addition:
747 If any IPv4 address is given, the host is also allowed to receive
748 packets to the IPv4 local broadcast address
255.255.255.255 and to
749 IPv4 multicast addresses (
224.0.0.0/
4). If an IPv4 address with a
750 mask is given, the host is also allowed to receive packets to the
751 broadcast address in that specified subnet.
755 If any IPv4 address is given, the host is additionally restricted
756 to sending ARP packets with the specified source IPv4 address.
757 (RARP is not restricted.)
763 If any IPv6 address is given, the host is also allowed to receive
764 packets to IPv6 multicast addresses (ff00::/
8).
768 If any IPv6 address is given, the host is additionally restricted
769 to sending IPv6 Neighbor Discovery Solicitation or Advertisement
770 packets with the specified source address or, for solicitations,
771 the unspecified address.
777 If an element includes an IPv4 address, but no IPv6 addresses, then
778 IPv6 traffic is not allowed. If an element includes an IPv6 address,
779 but no IPv4 address, then IPv4 and ARP traffic is not allowed.
783 This column uses the same lexical syntax as the
<ref column=
"match"
784 table=
"Pipeline" db=
"OVN_Southbound"/> column in the OVN Southbound
785 database's
<ref table=
"Pipeline" db=
"OVN_Southbound"/> table. Multiple
786 addresses within an element may be space or comma separated.
790 This column is provided as a convenience to cloud management systems,
791 but all of the features that it implements can be implemented as ACLs
792 using the
<ref table=
"ACL"/> table.
800 <dt><code>80:fa:
5b:
06:
72:b7
</code></dt>
802 The host may send traffic from and receive traffic to the specified
803 MAC address, and to receive traffic to Ethernet multicast and
804 broadcast addresses, but not otherwise. The host may not send ARP or
805 IPv6 Neighbor Discovery packets with inner source Ethernet addresses
806 other than the one specified.
809 <dt><code>80:fa:
5b:
06:
72:b7
192.168.1.10/
24</code></dt>
811 This adds further restrictions to the first example. The host may
812 send IPv4 packets from or receive IPv4 packets to only
192.168.1.10,
813 except that it may also receive IPv4 packets to
192.168.1.255 (based
814 on the subnet mask),
255.255.255.255, and any address in
224.0.0.0/
4.
815 The host may not send ARPs with a source Ethernet address other than
816 80:fa:
5b:
06:
72:b7 or source IPv4 address other than
192.168.1.10.
817 The host may not send or receive any IPv6 (including IPv6 Neighbor
821 <dt><code>"80:fa:5b:12:42:ba",
"80:fa:5b:06:72:b7 192.168.1.10/24"</code></dt>
823 The host may send traffic from and receive traffic to the
824 specified MAC addresses, and
825 to receive traffic to Ethernet multicast and broadcast addresses,
826 but not otherwise. With MAC
80:fa:
5b:
12:
42:ba, the host may
827 send traffic from and receive traffic to any L3 address.
828 With MAC
80:fa:
5b:
06:
72:b7, the host may send IPv4 packets from or
829 receive IPv4 packets to only
192.168.1.10, except that it may also
830 receive IPv4 packets to
192.168.1.255 (based on the subnet mask),
831 255.255.255.255, and any address in
224.0.0.0/
4. The host may not
832 send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic.
839 <column name=
"dhcpv4_options">
840 This column defines the DHCPv4 Options to be included by the
841 <code>ovn-controller
</code> when it replies to the DHCPv4 requests.
842 Please see the
<ref table=
"DHCP_Options"/> table.
845 <column name=
"dhcpv6_options">
846 This column defines the DHCPv6 Options to be included by the
847 <code>ovn-controller
</code> when it replies to the DHCPv6 requests.
848 Please see the
<ref table=
"DHCP_Options"/> table.
852 <group title=
"Naming">
853 <column name=
"external_ids" key=
"neutron:port_name">
855 This column gives an optional human-friendly name for the port. This
856 name has no special meaning or purpose other than to provide
857 convenience for human interaction with the northbound database.
861 Neutron copies this from its own port object's name. (Neutron ports
862 do are not assigned human-friendly names by default, so it will often
868 <group title=
"Common Columns">
869 <column name=
"external_ids">
871 See
<em>External IDs
</em> at the beginning of this document.
875 The
<code>ovn-northd
</code> program copies all these pairs into the
876 <ref column=
"external_ids"/> column of the
877 <ref table=
"Port_Binding"/> table in
<ref db=
"OVN_Southbound"/>
884 <table name=
"Address_Set" title=
"Address Sets">
886 Each row in this table represents a named set of addresses.
887 An address set may contain Ethernet, IPv4, or IPv6 addresses
888 with optional bitwise or CIDR masks.
889 Address set may ultimately be used in ACLs to compare against
890 fields such as
<code>ip4.src
</code> or
<code>ip6.src
</code>.
891 A single address set must contain addresses of the
892 same type. As an example, the following would create an address set
893 with three IP addresses:
897 ovn-nbctl create Address_Set name=set1 addresses='
10.0.0.1 10.0.0.2 10.0.0.3'
901 Address sets may be used in the
<ref column=
"match" table=
"ACL"/> column
902 of the
<ref table=
"ACL"/> table. For syntax information, see the details
903 of the expression language used for the
<ref column=
"match"
904 table=
"Logical_Flow" db=
"OVN_Southbound"/> column in the
<ref
905 table=
"Logical_Flow" db=
"OVN_Southbound"/> table of the
<ref
906 db=
"OVN_Southbound"/> database.
910 A name for the address set. Names are ASCII and must match
911 <code>[a-zA-Z_.][a-zA-Z_
.0-
9]*
</code>.
914 <column name=
"addresses">
915 The set of addresses in string form.
918 <group title=
"Common Columns">
919 <column name=
"external_ids">
920 See
<em>External IDs
</em> at the beginning of this document.
925 <table name=
"Load_Balancer" title=
"load balancer">
927 Each row represents one load balancer.
931 A name for the load balancer. This name has no special meaning or
932 purpose other than to provide convenience for human interaction with
938 A map of virtual IP addresses (and an optional port number with
939 <code>:
</code> as a separator) associated with this load balancer and
940 their corresponding endpoint IP addresses (and optional port numbers
941 with
<code>:
</code> as separators) separated by commas. If
942 the destination IP address (and port number) of a packet leaving a
943 container or a VM matches the virtual IP address (and port number)
944 provided here as a key, then OVN will statefully replace the
945 destination IP address by one of the provided IP address (and port
946 number) in this map as a value. IPv4 and IPv6 addresses are supported
947 for load balancing; however a VIP of one address family may not be
948 mapped to a destination IP address of a different family. If
949 specifying an IPv6 address with a port, the address portion must be
950 enclosed in square brackets. Examples for keys are
"192.168.1.4" and
951 "[fd0f::1]:8800". Examples for value are
"10.0.0.1, 10.0.0.2" and
952 "20.0.0.10:8800, 20.0.0.11:8800".
956 <column name=
"protocol">
958 Valid protocols are
<code>tcp
</code> or
<code>udp
</code>. This column
959 is useful when a port number is provided as part of the
960 <code>vips
</code> column. If this column is empty and a port number
961 is provided as part of
<code>vips
</code> column, OVN assumes the
962 protocol to be
<code>tcp
</code>.
966 <group title=
"Common Columns">
967 <column name=
"external_ids">
968 See
<em>External IDs
</em> at the beginning of this document.
973 <table name=
"ACL" title=
"Access Control List (ACL) rule">
975 Each row in this table represents one ACL rule for a logical switch
976 that points to it through its
<ref column=
"acls"/> column. The
<ref
977 column=
"action"/> column for the highest-
<ref column=
"priority"/>
978 matching row in this table determines a packet's treatment. If no row
979 matches, packets are allowed by default. (Default-deny treatment is
980 possible: add a rule with
<ref column=
"priority"/> 0,
<code>0</code> as
981 <ref column=
"match"/>, and
<code>deny
</code> as
<ref column=
"action"/>.)
984 <column name=
"priority">
986 The ACL rule's priority. Rules with numerically higher priority
987 take precedence over those with lower. If two ACL rules with
988 the same priority both match, then the one actually applied to a
993 Return traffic from an
<code>allow-related
</code> flow is always
994 allowed and cannot be changed through an ACL.
998 <column name=
"direction">
999 <p>Direction of the traffic to which this rule should apply:
</p>
1002 <code>from-lport
</code>: Used to implement filters on traffic
1003 arriving from a logical port. These rules are applied to the
1004 logical switch's ingress pipeline.
1007 <code>to-lport
</code>: Used to implement filters on traffic
1008 forwarded to a logical port. These rules are applied to the
1009 logical switch's egress pipeline.
1014 <column name=
"match">
1016 The packets that the ACL should match, in the same expression
1017 language used for the
<ref column=
"match" table=
"Logical_Flow"
1018 db=
"OVN_Southbound"/> column in the OVN Southbound database's
1019 <ref table=
"Logical_Flow" db=
"OVN_Southbound"/> table. The
1020 <code>outport
</code> logical port is only available in the
1021 <code>to-lport
</code> direction (the
<code>inport
</code> is
1022 available in both directions).
1026 By default all traffic is allowed. When writing a more
1027 restrictive policy, it is important to remember to allow flows
1028 such as ARP and IPv6 neighbor discovery packets.
1032 Note that you can not create an ACL matching on a port with
1033 type=router or type=localnet.
1037 <column name=
"action">
1038 <p>The action to take when the ACL rule matches:
</p>
1041 <code>allow
</code>: Forward the packet.
1045 <code>allow-related
</code>: Forward the packet and related traffic
1046 (e.g. inbound replies to an outbound connection).
1050 <code>drop
</code>: Silently drop the packet.
1054 <code>reject
</code>: Drop the packet, replying with a RST for TCP or
1055 ICMP unreachable message for other IP-based protocols.
1056 <code>Not implemented--currently treated as drop
</code>
1061 <group title=
"Logging">
1063 These columns control whether and how OVN logs packets that match an
1069 If set to
<code>true
</code>, packets that match the ACL will trigger
1070 a log message on the transport node or nodes that perform ACL
1071 processing. Logging may be combined with any
<ref column=
"action"/>.
1075 If set to
<code>false
</code>, the remaining columns in this group
1076 have no significance.
1080 <column name=
"name">
1082 This name, if it is provided, is included in log records. It
1083 provides the administrator and the cloud management system a way to
1084 associate a log record with a particular ACL.
1088 <column name=
"severity">
1090 The severity of the ACL. The severity levels match those of syslog,
1091 in decreasing level of severity:
<code>alert
</code>,
1092 <code>warning
</code>,
<code>notice
</code>,
<code>info
</code>, or
1093 <code>debug
</code>. When the column is empty, the default is
1099 <group title=
"Common Columns">
1100 <column name=
"external_ids">
1101 See
<em>External IDs
</em> at the beginning of this document.
1106 <table name=
"Logical_Router" title=
"L3 logical router">
1108 Each row represents one L3 logical router.
1111 <column name=
"ports">
1115 <column name=
"static_routes">
1116 One or more static routes for the router.
1119 <column name=
"enabled">
1120 This column is used to administratively set router state. If this column
1121 is empty or is set to
<code>true
</code>, the router is enabled. If this
1122 column is set to
<code>false
</code>, the router is disabled. A disabled
1123 router has all ingress and egress traffic dropped.
1127 One or more NAT rules for the router. NAT rules only work on
1128 Gateway routers, and on distributed routers with one logical router
1129 port with a
<code>redirect-chassis
</code> specified.
1132 <column name=
"load_balancer">
1133 Load balance a virtual ip address to a set of logical port ip
1134 addresses. Load balancer rules only work on the Gateway routers.
1137 <group title=
"Naming">
1139 These columns provide names for the logical router. From OVN's
1140 perspective, these names have no special meaning or purpose other than
1141 to provide convenience for human interaction with the northbound
1142 database. There is no requirement for the name to be unique. (For a
1143 unique identifier for a logical router, use its row UUID.)
1147 (Originally,
<ref column=
"name"/> was intended to serve the purpose of
1148 a human-friendly name, but the Neutron integration used it to uniquely
1149 identify its own router object, in the format
1150 <code>neutron-
<var>uuid
</var></code>. Later on, Neutron started
1151 propagating the friendly name of a router as
<ref column=
"external_ids"
1152 key=
"neutron:router_name"/>. Perhaps this can be cleaned up someday.)
1155 <column name=
"name">
1156 A name for the logical router.
1159 <column name=
"external_ids" key=
"neutron:router_name">
1160 Another name for the logical router.
1164 <group title=
"Options">
1166 Additional options for the logical router.
1169 <column name=
"options" key=
"chassis">
1171 If set, indicates that the logical router in question is a Gateway
1172 router (which is centralized) and resides in the set chassis. The
1173 same value is also used by
<code>ovn-controller
</code> to
1174 uniquely identify the chassis in the OVN deployment and
1175 comes from
<code>external_ids:system-id
</code> in the
1176 <code>Open_vSwitch
</code> table of Open_vSwitch database.
1180 The Gateway router can only be connected to a distributed router
1181 via a switch if SNAT and DNAT are to be configured in the Gateway
1185 <column name=
"options" key=
"dnat_force_snat_ip">
1187 If set, indicates the IP address to use to force SNAT a packet
1188 that has already been DNATed in the gateway router. When multiple
1189 gateway routers are configured, a packet can potentially enter any
1190 of the gateway router, get DNATted and eventually reach the logical
1191 switch port. For the return traffic to go back to the same gateway
1192 router (for unDNATing), the packet needs a SNAT in the first place.
1193 This can be achieved by setting the above option with a gateway
1194 specific IP address.
1197 <column name=
"options" key=
"lb_force_snat_ip">
1199 If set, indicates the IP address to use to force SNAT a packet
1200 that has already been load-balanced in the gateway router. When
1201 multiple gateway routers are configured, a packet can potentially
1202 enter any of the gateway routers, get DNATted as part of the load-
1203 balancing and eventually reach the logical switch port.
1204 For the return traffic to go back to the same gateway router (for
1205 unDNATing), the packet needs a SNAT in the first place. This can be
1206 achieved by setting the above option with a gateway specific IP
1212 <group title=
"Common Columns">
1213 <column name=
"external_ids">
1214 See
<em>External IDs
</em> at the beginning of this document.
1219 <table name=
"QoS" title=
"QOS table">
1221 Each row in this table represents one QOS rule for a logical switch
1222 that points to it through its
<ref column=
"qos_rules"/> column. The
<ref
1223 column=
"action"/> column for the highest-
<ref column=
"priority"/>
1224 matching row in this table determines a packet's qos marking. If no row
1225 matches, packets will not have any qos marking.
1228 <column name=
"priority">
1230 The QOS rule's priority. Rules with numerically higher priority
1231 take precedence over those with lower. If two QOS rules with
1232 the same priority both match, then the one actually applied to a
1233 packet is undefined.
1237 <column name=
"direction">
1239 The value of this field is similar to
<ref colun=
"direction"
1240 table=
"ACL" db=
"OVN_Northbound"/> column in the OVN Northbound
1241 database's
<ref table=
"ACL" db=
"OVN_Northbound"/> table.
1245 <column name=
"match">
1247 The packets that the QOS rules should match, in the same expression
1248 language used for the
<ref column=
"match" table=
"Logical_Flow"
1249 db=
"OVN_Southbound"/> column in the OVN Southbound database's
1250 <ref table=
"Logical_Flow" db=
"OVN_Southbound"/> table. The
1251 <code>outport
</code> logical port is only available in the
1252 <code>to-lport
</code> direction (the
<code>inport
</code> is
1253 available in both directions).
1257 <column name=
"action">
1258 <p>The action to be performed on the matched packet
</p>
1261 <code>dscp
</code>: The value of this action should be in the
1262 range of
0 to
63 (inclusive).
1267 <column name=
"bandwidth">
1269 The bandwidth limit to be performed on the matched packet.
1270 Currently only supported in the userspace by dpdk.
1274 <code>rate
</code>: The value of rate limit in kbps.
1277 <code>burst
</code>: The value of burst rate limit in kbps.
1278 This is optional and needs to specify the
<code>rate
</code> first.
1283 <column name=
"external_ids">
1284 See
<em>External IDs
</em> at the beginning of this document.
1288 <table name=
"Logical_Router_Port" title=
"L3 logical router port">
1290 A port within an L3 logical router.
1294 Exactly one
<ref table=
"Logical_Router"/> row must reference a given
1295 logical router port.
1298 <column name=
"name">
1300 A name for the logical router port.
1304 In addition to provide convenience for human interaction with the
1305 northbound database, this column is used as reference by its patch port
1306 in
<ref table=
"Logical_Switch_Port"/> or another logical router port in
1307 <ref table=
"Logical_Router_Port"/>.
1311 <column name=
"gateway_chassis">
1313 If set, this indicates that this logical router port represents
1314 a distributed gateway port that connects this router to a logical
1315 switch with a localnet port. There may be at most one such
1316 logical router port on each logical router.
1320 Several
<ref table=
"Gateway_Chassis"/> can be referenced for a given
1321 logical router port. A single
<ref table=
"Gateway_Chassis"/> is
1322 functionally equivalent to setting
1323 <ref column=
"options" key=
"redirect-chassis"/>. Refer to the
1324 description of
<ref column=
"options" key=
"redirect-chassis"/>
1325 for additional details on gateway handling.
1329 Defining more than one
<ref table=
"Gateway_Chassis"/> will enable
1330 gateway high availability. Only one gateway will be active at a
1331 time. OVN chassis will use BFD to monitor connectivity to a
1332 gateway. If connectivity to the active gateway is interrupted,
1333 another gateway will become active.
1334 The
<ref column=
"priority" table=
"Gateway_Chassis"/> column
1335 specifies the order that gateways will be chosen by OVN.
1339 <column name=
"networks">
1341 The IP addresses and netmasks of the router. For example,
1342 <code>192.168.0.1/
24</code> indicates that the router's IP
1343 address is
192.168.0.1 and that packets destined to
1344 192.168.0.
<var>x
</var> should be routed to this port.
1348 A logical router port always adds a link-local IPv6 address
1349 (fe80::/
64) automatically generated from the interface's MAC
1350 address using the modified EUI-
64 format.
1355 The Ethernet address that belongs to this router port.
1358 <column name=
"enabled">
1359 This column is used to administratively set port state. If this column
1360 is empty or is set to
<code>true
</code>, the port is enabled. If this
1361 column is set to
<code>false
</code>, the port is disabled. A disabled
1362 port has all ingress and egress traffic dropped.
1365 <group title=
"ipv6_ra_configs">
1367 This column defines the IPv6 ND RA address mode and ND MTU Option to be
1368 included by
<code>ovn-controller
</code> when it replies to the IPv6
1369 Router solicitation requests.
1372 <column name=
"ipv6_ra_configs" key=
"address_mode">
1373 The address mode to be used for IPv6 address configuration.
1374 The supported values are:
1377 <code>slaac
</code>: Address configuration using Router
1378 Advertisement (RA) packet. The IPv6 prefixes defined in the
1379 <ref table=
"Logical_Router_Port"/> table's
1380 <ref table=
"Logical_Router_Port" column=
"networks"/> column will
1381 be included in the RA's ICMPv6 option - Prefix information.
1385 <code>dhcpv6_stateful
</code>: Address configuration using DHCPv6.
1389 <code>dhcpv6_stateless
</code>: Address configuration using Router
1390 Advertisement (RA) packet. Other IPv6 options are provided by
1396 <column name=
"ipv6_ra_configs" key=
"mtu">
1397 The recommended MTU for the link. Default is
0, which means no MTU
1398 Option will be included in RA packet replied by ovn-controller.
1399 Per RFC
2460, the mtu value is recommended no less than
1280, so
1400 any mtu value less than
1280 will be considered as no MTU Option.
1403 <column name=
"ipv6_ra_configs" key=
"send_periodic">
1404 If set to true, then this router interface will send router
1405 advertisements periodically. The default is false.
1408 <column name=
"ipv6_ra_configs" key=
"max_interval">
1409 The maximum number of seconds to wait between sending periodic router
1410 advertisements. This option has no effect if
<ref
1411 column=
"ipv6_ra_configs" key=
"send_periodic"/> is false. The default
1415 <column name=
"ipv6_ra_configs" key=
"min_interval">
1416 The minimum number of seconds to wait between sending periodic router
1417 advertisements. This option has no effect if
<ref
1418 column=
"ipv6_ra_configs" key=
"send_periodic"/> is false. The default
1419 is one-third of
<ref column=
"ipv6_ra_configs" key=
"max_interval"/>,
1420 i.e.
200 seconds if that key is unset.
1424 <group title=
"Options">
1426 Additional options for the logical router port.
1429 <column name=
"options" key=
"redirect-chassis">
1431 If set, this indicates that this logical router port represents
1432 a distributed gateway port that connects this router to a logical
1433 switch with a localnet port. There may be at most one such
1434 logical router port on each logical router.
1438 Even when a
<code>redirect-chassis
</code> is specified, the
1439 logical router port still effectively resides on each chassis.
1440 However, due to the implications of the use of L2 learning in the
1441 physical network, as well as the need to support advanced features
1442 such as one-to-many NAT (aka IP masquerading), a subset of the
1443 logical router processing is handled in a centralized manner on
1444 the specified
<code>redirect-chassis
</code>.
1448 When this option is specified, the peer logical switch port's
1449 <ref column=
"addresses" table=
"Logical_Switch_Port"/> must be
1450 set to
<code>router
</code>. With this setting, the
<ref
1451 column=
"external_mac" table=
"NAT"/>s specified in NAT rules are
1452 automatically programmed in the peer logical switch's
1453 destination lookup on the chassis where the
<ref
1454 column=
"logical_port" table=
"NAT"/> resides. In addition, the
1455 logical router's MAC address is automatically programmed in the
1456 peer logical switch's destination lookup flow on the
1457 <code>redirect-chassis
</code>.
1461 When this option is specified and it is desired to generate
1462 gratuitous ARPs for NAT addresses, then the peer logical switch
1463 port's
<ref column=
"options" key=
"nat-addresses"
1464 table=
"Logical_Switch_Port"/> should be set to
1465 <code>router
</code>.
1469 While
<ref column=
"options" key=
"redirect-chassis"/> is still
1470 supported for backwards compatibility, it is now preferred to
1471 specify one or more
<ref column=
"gateway_chassis"/> instead.
1472 It is functionally equivalent, but allows you to specify multiple
1473 chassis to enable high availability.
1478 <group title=
"Attachment">
1480 A given router port serves one of two purposes:
1485 To attach a logical switch to a logical router. A logical router
1486 port of this type is referenced by exactly one
<ref
1487 table=
"Logical_Switch_Port"/> of type
<code>router
</code>.
1488 The value of
<ref column=
"name"/> is set as
1489 <code>router-port
</code> in column
<ref column=
"options"/> of
1490 <ref table=
"Logical_Switch_Port"/>. In this case
<ref
1491 column=
"peer"/> column is empty.
1495 To connect one logical router to another. This requires a pair of
1496 logical router ports, each connected to a different router. Each
1497 router port in the pair specifies the other in its
<ref
1498 column=
"peer"/> column. No
<ref table=
"Logical_Switch"/> refers to
1503 <column name=
"peer">
1505 For a router port used to connect two logical routers, this
1506 identifies the other router port in the pair by
<ref column=
"name"/>.
1510 For a router port attached to a logical switch, this column is empty.
1515 <group title=
"Common Columns">
1516 <column name=
"external_ids">
1517 See
<em>External IDs
</em> at the beginning of this document.
1522 <table name=
"Logical_Router_Static_Route" title=
"Logical router static routes">
1524 Each record represents a static route.
1528 When multiple routes match a packet, the longest-prefix match is chosen.
1529 For a given prefix length, a
<code>dst-ip
</code> route is preferred over
1530 a
<code>src-ip
</code> route.
1533 <column name=
"ip_prefix">
1535 IP prefix of this route (e.g.
192.168.100.0/
24).
1539 <column name=
"policy">
1541 If it is specified, this setting describes the policy used to make
1542 routing decisions. This setting must be one of the following strings:
1546 <code>src-ip
</code>: This policy sends the packet to the
1547 <ref column=
"nexthop"/> when the packet's source IP address matches
1548 <ref column=
"ip_prefix"/>.
1551 <code>dst-ip
</code>: This policy sends the packet to the
1552 <ref column=
"nexthop"/> when the packet's destination IP address
1553 matches
<ref column=
"ip_prefix"/>.
1557 If not specified, the default is
<code>dst-ip
</code>.
1561 <column name=
"nexthop">
1563 Nexthop IP address for this route. Nexthop IP address should be the IP
1564 address of a connected router port or the IP address of a logical port.
1568 <column name=
"output_port">
1570 The name of the
<ref table=
"Logical_Router_Port"/> via which the packet
1571 needs to be sent out. This is optional and when not specified,
1572 OVN will automatically figure this out based on the
1573 <ref column=
"nexthop"/>. When this is specified and there are
1574 multiple IP addresses on the router port and none of them are in the
1575 same subnet of
<ref column=
"nexthop"/>, OVN chooses the first IP
1576 address as the one via which the
<ref column=
"nexthop"/> is reachable.
1580 <group title=
"Common Columns">
1581 <column name=
"external_ids">
1582 See
<em>External IDs
</em> at the beginning of this document.
1588 <table name=
"NAT" title=
"NAT rules">
1590 Each record represents a NAT rule.
1593 <column name=
"type">
1594 <p>Type of the NAT rule.
</p>
1597 When
<ref column=
"type"/> is
<code>dnat
</code>, the externally
1598 visible IP address
<ref column=
"external_ip"/> is DNATted to the IP
1599 address
<ref column=
"logical_ip"/> in the logical space.
1602 When
<ref column=
"type"/> is
<code>snat
</code>, IP packets
1603 with their source IP address that either matches the IP address
1604 in
<ref column=
"logical_ip"/> or is in the network provided by
1605 <ref column=
"logical_ip"/> is SNATed into the IP address in
1606 <ref column=
"external_ip"/>.
1609 When
<ref column=
"type"/> is
<code>dnat_and_snat
</code>, the
1610 externally visible IP address
<ref column=
"external_ip"/> is
1611 DNATted to the IP address
<ref column=
"logical_ip"/> in the
1612 logical space. In addition, IP packets with the source IP
1613 address that matches
<ref column=
"logical_ip"/> is SNATed into
1614 the IP address in
<ref column=
"external_ip"/>.
1619 <column name=
"external_ip">
1623 <column name=
"external_mac">
1629 This is only used on the gateway port on distributed routers.
1630 This must be specified in order for the NAT rule to be
1631 processed in a distributed manner on all chassis. If this is
1632 not specified for a NAT rule on a distributed router, then
1633 this NAT rule will be processed in a centralized manner on
1634 the gateway port instance on the
<code>redirect-chassis
</code>.
1638 This MAC address must be unique on the logical switch that the
1639 gateway port is attached to. If the MAC address used on the
1640 <ref column=
"logical_port"/> is globally unique, then that MAC
1641 address can be specified as this
<ref column=
"external_mac"/>.
1645 <column name=
"logical_ip">
1646 An IPv4 network (e.g
192.168.1.0/
24) or an IPv4 address.
1649 <column name=
"logical_port">
1651 The name of the logical port where the
<ref column=
"logical_ip"/>
1656 This is only used on distributed routers. This must be
1657 specified in order for the NAT rule to be processed in a
1658 distributed manner on all chassis. If this is not specified
1659 for a NAT rule on a distributed router, then this NAT rule
1660 will be processed in a centralized manner on the gateway
1661 port instance on the
<code>redirect-chassis
</code>.
1665 <group title=
"Common Columns">
1666 <column name=
"external_ids">
1667 See
<em>External IDs
</em> at the beginning of this document.
1673 <table name=
"DHCP_Options" title=
"DHCP options">
1675 OVN implements native DHCPv4 support which caters to the common
1676 use case of providing an IPv4 address to a booting instance by
1677 providing stateless replies to DHCPv4 requests based on statically
1678 configured address mappings. To do this it allows a short list of
1679 DHCPv4 options to be configured and applied at each compute host
1680 running
<code>ovn-controller
</code>.
1684 OVN also implements native DHCPv6 support which provides stateless
1685 replies to DHCPv6 requests.
1688 <column name=
"cidr">
1690 The DHCPv4/DHCPv6 options will be included if the logical port has its
1691 IP address in this
<ref column=
"cidr"/>.
1695 <group title=
"DHCPv4 options">
1697 The CMS should define the set of DHCPv4 options as key/value pairs
1698 in the
<ref column=
"options"/> column of this table. For
1699 <code>ovn-controller
</code> to include these DHCPv4 options, the
1700 <ref column=
"dhcpv4_options"/> of
<ref table=
"Logical_Switch_Port"/>
1701 should refer to an entry in this table.
1704 <group title=
"Mandatory DHCPv4 options">
1706 The following options must be defined.
1709 <column name=
"options" key=
"server_id">
1710 The IP address for the DHCP server to use. This should be in the
1711 subnet of the offered IP. This is also included in the DHCP offer as
1712 option
54, ``server identifier.''
1715 <column name=
"options" key=
"server_mac">
1716 The Ethernet address for the DHCP server to use.
1719 <column name=
"options" key=
"lease_time"
1720 type='{
"type":
"integer",
"minInteger":
0,
"maxInteger":
4294967295}'
>
1722 The offered lease time in seconds,
1726 The DHCPv4 option code for this option is
51.
1731 <group title=
"IPv4 DHCP Options">
1733 Below are the supported DHCPv4 options whose values are an IPv4
1734 address, e.g.
<code>192.168.1.1</code>. Some options accept multiple
1735 IPv4 addresses enclosed within curly braces, e.g.
<code>{
192.168.1.2,
1736 192.168.1.3}
</code>. Please refer to RFC
2132 for more details on
1737 DHCPv4 options and their codes.
1740 <column name=
"options" key=
"router">
1742 The IP address of a gateway for the client to use. This should be
1743 in the subnet of the offered IP. The DHCPv4 option code for this
1748 <column name=
"options" key=
"netmask">
1750 The DHCPv4 option code for this option is
1.
1754 <column name=
"options" key=
"dns_server">
1756 The DHCPv4 option code for this option is
6.
1760 <column name=
"options" key=
"log_server">
1762 The DHCPv4 option code for this option is
7.
1766 <column name=
"options" key=
"lpr_server">
1768 The DHCPv4 option code for this option is
9.
1772 <column name=
"options" key=
"swap_server">
1774 The DHCPv4 option code for this option is
16.
1778 <column name=
"options" key=
"policy_filter">
1780 The DHCPv4 option code for this option is
21.
1784 <column name=
"options" key=
"router_solicitation">
1786 The DHCPv4 option code for this option is
32.
1790 <column name=
"options" key=
"nis_server">
1792 The DHCPv4 option code for this option is
41.
1796 <column name=
"options" key=
"ntp_server">
1798 The DHCPv4 option code for this option is
42.
1802 <column name=
"options" key=
"tftp_server">
1804 The DHCPv4 option code for this option is
66.
1808 <column name=
"options" key=
"classless_static_route">
1810 The DHCPv4 option code for this option is
121.
1814 This option can contain one or more static routes, each of which
1815 consists of a destination descriptor and the IP address of the
1816 router that should be used to reach that destination. Please see
1817 RFC
3442 for more details.
1821 Example:
<code>{
30.0.0.0/
24,
10.0.0.10,
0.0.0.0/
0,
10.0.0.1}
</code>
1825 <column name=
"options" key=
"ms_classless_static_route">
1827 The DHCPv4 option code for this option is
249. This option is
1828 similar to
<code>classless_static_route
</code> supported by
1829 Microsoft Windows DHCPv4 clients.
1834 <group title=
"Boolean DHCP Options">
1836 These options accept a Boolean value, expressed as
<code>0</code> for
1837 false or
<code>1</code> for true.
1840 <column name=
"options" key=
"ip_forward_enable"
1841 type='{
"type":
"string",
"enum": [
"set", [
"0",
"1"]]}'
>
1843 The DHCPv4 option code for this option is
19.
1847 <column name=
"options" key=
"router_discovery"
1848 type='{
"type":
"string",
"enum": [
"set", [
"0",
"1"]]}'
>
1850 The DHCPv4 option code for this option is
31.
1854 <column name=
"options" key=
"ethernet_encap"
1855 type='{
"type":
"string",
"enum": [
"set", [
"0",
"1"]]}'
>
1857 The DHCPv4 option code for this option is
36.
1862 <group title=
"Integer DHCP Options">
1864 These options accept a nonnegative integer value.
1867 <column name=
"options" key=
"default_ttl"
1868 type='{
"type":
"integer",
"minInteger":
0,
"maxInteger":
255}'
>
1869 The DHCPv4 option code for this option is
23.
1872 <column name=
"options" key=
"tcp_ttl"
1873 type='{
"type":
"integer",
"minInteger":
0,
"maxInteger":
255}'
>
1874 The DHCPv4 option code for this option is
37.
1877 <column name=
"options" key=
"mtu"
1878 type='{
"type":
"integer",
"minInteger":
68,
"maxInteger":
65535}'
>
1879 The DHCPv4 option code for this option is
26.
1882 <column name=
"options" key=
"T1"
1883 type='{
"type":
"integer",
"minInteger":
68,
"maxInteger":
4294967295}'
>
1884 This specifies the time interval from address assignment until the
1885 client begins trying to renew its address. The DHCPv4 option code
1886 for this option is
58.
1889 <column name=
"options" key=
"T2"
1890 type='{
"type":
"integer",
"minInteger":
68,
"maxInteger":
4294967295}'
>
1891 This specifies the time interval from address assignment until the
1892 client begins trying to rebind its address. The DHCPv4 option code
1893 for this option is
59.
1898 <group title=
"DHCPv6 options">
1900 OVN also implements native DHCPv6 support. The CMS should define
1901 the set of DHCPv6 options as key/value pairs. The define DHCPv6
1902 options will be included in the DHCPv6 response to the DHCPv6
1903 Solicit/Request/Confirm packet from the logical ports having the
1904 IPv6 addresses in the
<ref column=
"cidr"/>.
1907 <group title=
"Mandatory DHCPv6 options">
1909 The following options must be defined.
1912 <column name=
"options" key=
"server_id">
1914 The Ethernet address for the DHCP server to use. This is also
1915 included in the DHCPv6 reply as option
2, ``Server Identifier''
1916 to carry a DUID identifying a server between a client and a server.
1917 <code>ovn-controller
</code> defines DUID based on
1918 Link-layer Address [DUID-LL].
1923 <group title=
"IPv6 DHCPv6 options">
1925 Below are the supported DHCPv6 options whose values are an IPv6
1926 address, e.g.
<code>aef0::
4</code>. Some options accept multiple
1927 IPv6 addresses enclosed within curly braces, e.g.
<code>{aef0::
4,
1928 aef0::
5}
</code>. Please refer to RFC
3315 for more details on
1929 DHCPv6 options and their codes.
1932 <column name=
"options" key=
"dns_server">
1934 The DHCPv6 option code for this option is
23. This option specifies
1935 the DNS servers that the VM should use.
1940 <group title=
"String DHCPv6 options">
1942 These options accept string values.
1945 <column name=
"options" key=
"domain_search">
1947 The DHCPv6 option code for this option is
24. This option specifies
1948 the domain search list the client should use to resolve hostnames
1953 Example:
<code>"ovn.org"</code>.
1957 <column name=
"options" key=
"dhcpv6_stateless">
1959 This option specifies the OVN native DHCPv6 will work in stateless
1960 mode, which means OVN native DHCPv6 will not offer IPv6 addresses
1961 for VM/VIF ports, but only reply other configurations, such as
1962 DNS and domain search list. When setting this option with string
1963 value
"true", VM/VIF will configure IPv6 addresses by stateless
1964 way. Default value for this option is false.
1970 <group title=
"Common Columns">
1971 <column name=
"external_ids">
1972 See
<em>External IDs
</em> at the beginning of this document.
1977 <table name=
"Connection" title=
"OVSDB client connections.">
1979 Configuration for a database connection to an Open vSwitch database
1984 This table primarily configures the Open vSwitch database server
1985 (
<code>ovsdb-server
</code>).
1989 The Open vSwitch database server can initiate and maintain active
1990 connections to remote clients. It can also listen for database
1994 <group title=
"Core Features">
1995 <column name=
"target">
1996 <p>Connection methods for clients.
</p>
1998 The following connection methods are currently supported:
2001 <dt><code>ssl:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2004 The specified SSL
<var>port
</var> on the host at the given
2005 <var>ip
</var>, which must be expressed as an IP address
2006 (not a DNS name). A valid SSL configuration must be provided
2007 when this form is used, this configuration can be specified
2008 via command-line options or the
<ref table=
"SSL"/> table.
2011 If
<var>port
</var> is not specified, it defaults to
6640.
2014 SSL support is an optional feature that is not always
2015 built as part of Open vSwitch.
2019 <dt><code>tcp:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2022 The specified TCP
<var>port
</var> on the host at the given
2023 <var>ip
</var>, which must be expressed as an IP address (not a
2024 DNS name), where
<var>ip
</var> can be IPv4 or IPv6 address. If
2025 <var>ip
</var> is an IPv6 address, wrap it in square brackets,
2026 e.g.
<code>tcp:[::
1]:
6640</code>.
2029 If
<var>port
</var> is not specified, it defaults to
6640.
2032 <dt><code>pssl:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2035 Listens for SSL connections on the specified TCP
<var>port
</var>.
2036 Specify
0 for
<var>port
</var> to have the kernel automatically
2037 choose an available port. If
<var>ip
</var>, which must be
2038 expressed as an IP address (not a DNS name), is specified, then
2039 connections are restricted to the specified local IP address
2040 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2041 address, wrap in square brackets,
2042 e.g.
<code>pssl:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2043 specified then it listens only on IPv4 (but not IPv6) addresses.
2044 A valid SSL configuration must be provided when this form is used,
2045 this can be specified either via command-line options or the
2046 <ref table=
"SSL"/> table.
2049 If
<var>port
</var> is not specified, it defaults to
6640.
2052 SSL support is an optional feature that is not always built as
2053 part of Open vSwitch.
2056 <dt><code>ptcp:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2059 Listens for connections on the specified TCP
<var>port
</var>.
2060 Specify
0 for
<var>port
</var> to have the kernel automatically
2061 choose an available port. If
<var>ip
</var>, which must be
2062 expressed as an IP address (not a DNS name), is specified, then
2063 connections are restricted to the specified local IP address
2064 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2065 address, wrap it in square brackets,
2066 e.g.
<code>ptcp:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2067 specified then it listens only on IPv4 addresses.
2070 If
<var>port
</var> is not specified, it defaults to
6640.
2074 <p>When multiple clients are configured, the
<ref column=
"target"/>
2075 values must be unique. Duplicate
<ref column=
"target"/> values yield
2076 unspecified results.
</p>
2080 <group title=
"Client Failure Detection and Handling">
2081 <column name=
"max_backoff">
2082 Maximum number of milliseconds to wait between connection attempts.
2083 Default is implementation-specific.
2086 <column name=
"inactivity_probe">
2087 Maximum number of milliseconds of idle time on connection to the client
2088 before sending an inactivity probe message. If Open vSwitch does not
2089 communicate with the client for the specified number of seconds, it
2090 will send a probe. If a response is not received for the same
2091 additional amount of time, Open vSwitch assumes the connection has been
2092 broken and attempts to reconnect. Default is implementation-specific.
2093 A value of
0 disables inactivity probes.
2097 <group title=
"Status">
2099 Key-value pair of
<ref column=
"is_connected"/> is always updated.
2100 Other key-value pairs in the status columns may be updated depends
2101 on the
<ref column=
"target"/> type.
2105 When
<ref column=
"target"/> specifies a connection method that
2106 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2107 <code>punix:
</code>), both
<ref column=
"n_connections"/> and
2108 <ref column=
"is_connected"/> may also be updated while the
2109 remaining key-value pairs are omitted.
2113 On the other hand, when
<ref column=
"target"/> specifies an
2114 outbound connection, all key-value pairs may be updated, except
2115 the above-mentioned two key-value pairs associated with inbound
2116 connection targets. They are omitted.
2119 <column name=
"is_connected">
2120 <code>true
</code> if currently connected to this client,
2121 <code>false
</code> otherwise.
2124 <column name=
"status" key=
"last_error">
2125 A human-readable description of the last error on the connection
2126 to the manager; i.e.
<code>strerror(errno)
</code>. This key
2127 will exist only if an error has occurred.
2130 <column name=
"status" key=
"state"
2131 type='{
"type":
"string",
"enum": [
"set", [
"VOID",
"BACKOFF",
"CONNECTING",
"ACTIVE",
"IDLE"]]}'
>
2133 The state of the connection to the manager:
2136 <dt><code>VOID
</code></dt>
2137 <dd>Connection is disabled.
</dd>
2139 <dt><code>BACKOFF
</code></dt>
2140 <dd>Attempting to reconnect at an increasing period.
</dd>
2142 <dt><code>CONNECTING
</code></dt>
2143 <dd>Attempting to connect.
</dd>
2145 <dt><code>ACTIVE
</code></dt>
2146 <dd>Connected, remote host responsive.
</dd>
2148 <dt><code>IDLE
</code></dt>
2149 <dd>Connection is idle. Waiting for response to keep-alive.
</dd>
2152 These values may change in the future. They are provided only for
2157 <column name=
"status" key=
"sec_since_connect"
2158 type='{
"type":
"integer",
"minInteger":
0}'
>
2159 The amount of time since this client last successfully connected
2160 to the database (in seconds). Value is empty if client has never
2161 successfully been connected.
2164 <column name=
"status" key=
"sec_since_disconnect"
2165 type='{
"type":
"integer",
"minInteger":
0}'
>
2166 The amount of time since this client last disconnected from the
2167 database (in seconds). Value is empty if client has never
2171 <column name=
"status" key=
"locks_held">
2172 Space-separated list of the names of OVSDB locks that the connection
2173 holds. Omitted if the connection does not hold any locks.
2176 <column name=
"status" key=
"locks_waiting">
2177 Space-separated list of the names of OVSDB locks that the connection is
2178 currently waiting to acquire. Omitted if the connection is not waiting
2182 <column name=
"status" key=
"locks_lost">
2183 Space-separated list of the names of OVSDB locks that the connection
2184 has had stolen by another OVSDB client. Omitted if no locks have been
2185 stolen from this connection.
2188 <column name=
"status" key=
"n_connections"
2189 type='{
"type":
"integer",
"minInteger":
2}'
>
2190 When
<ref column=
"target"/> specifies a connection method that
2191 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2192 <code>pssl:
</code>) and more than one connection is actually active,
2193 the value is the number of active connections. Otherwise, this
2194 key-value pair is omitted.
2197 <column name=
"status" key=
"bound_port" type='{
"type":
"integer"}'
>
2198 When
<ref column=
"target"/> is
<code>ptcp:
</code> or
2199 <code>pssl:
</code>, this is the TCP port on which the OVSDB server is
2200 listening. (This is particularly useful when
<ref
2201 column=
"target"/> specifies a port of
0, allowing the kernel to
2202 choose any available port.)
2206 <group title=
"Common Columns">
2207 The overall purpose of these columns is described under
<code>Common
2208 Columns
</code> at the beginning of this document.
2210 <column name=
"external_ids"/>
2211 <column name=
"other_config"/>
2214 <table name=
"DNS" title=
"Native DNS resolution">
2216 Each row in this table stores the DNS records. The
2217 <ref table=
"Logical_Switch"/> table's
<ref table=
"Logical_Switch"
2218 column=
"dns_records"/> references these records.
2221 <column name=
"records">
2222 Key-value pair of DNS records with
<code>DNS query name
</code> as the key
2223 and value as a string of IP address(es) separated by comma or space.
2225 <p><b>Example:
</b> "vm1.ovn.org" =
"10.0.0.4 aef0::4"</p>
2228 <column name=
"external_ids">
2229 See
<em>External IDs
</em> at the beginning of this document.
2233 SSL configuration for ovn-nb database access.
2235 <column name=
"private_key">
2236 Name of a PEM file containing the private key used as the switch's
2237 identity for SSL connections to the controller.
2240 <column name=
"certificate">
2241 Name of a PEM file containing a certificate, signed by the
2242 certificate authority (CA) used by the controller and manager,
2243 that certifies the switch's private key, identifying a trustworthy
2247 <column name=
"ca_cert">
2248 Name of a PEM file containing the CA certificate used to verify
2249 that the switch is connected to a trustworthy controller.
2252 <column name=
"bootstrap_ca_cert">
2253 If set to
<code>true
</code>, then Open vSwitch will attempt to
2254 obtain the CA certificate from the controller on its first SSL
2255 connection and save it to the named PEM file. If it is successful,
2256 it will immediately drop the connection and reconnect, and from then
2257 on all SSL connections must be authenticated by a certificate signed
2258 by the CA certificate thus obtained.
<em>This option exposes the
2259 SSL connection to a man-in-the-middle attack obtaining the initial
2260 CA certificate.
</em> It may still be useful for bootstrapping.
2263 <column name=
"ssl_protocols">
2264 List of SSL protocols to be enabled for SSL connections. The default
2265 when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2
</code>.
2268 <column name=
"ssl_ciphers">
2269 List of ciphers (in OpenSSL cipher string format) to be supported
2270 for SSL connections. The default when this option is omitted is
2271 <code>HIGH:!aNULL:!MD5
</code>.
2274 <group title=
"Common Columns">
2275 The overall purpose of these columns is described under
<code>Common
2276 Columns
</code> at the beginning of this document.
2278 <column name=
"external_ids"/>
2281 <table name=
"Gateway_Chassis">
2283 Association of one or more chassis to a logical router port. The traffic
2284 going out through an specific router port will be redirected to a
2285 chassis, or a set of them in high availability configurations.
2286 A single
<ref table=
"Gateway_Chassis"/> is equivalent to setting
2287 <ref column=
"options" key=
"redirect-chassis"/>. Using
2288 <ref table=
"Gateway_Chassis"/> allows associating multiple prioritized
2289 chassis with a single logical router port.
2292 <column name=
"name">
2294 Name of the
<ref table=
"Gateway_Chassis"/>.
2297 A suggested, but not required naming convention is
2298 <code>${port_name}_${chassis_name}
</code>.
2302 <column name=
"chassis_name">
2304 Name of the chassis that we want to redirect traffic through for the
2305 associated logical router port. The value must match the
2306 <ref db=
"OVN_Southbound" table=
"Chassis" column=
"name"/> column
2307 of the
<ref db=
"OVN_Southbound" table=
"Chassis"/> table in the
2308 <ref db=
"OVN_Southbound"/> database.
2312 <column name=
"priority">
2314 This is the priority of a chassis among all
2315 <ref table=
"Gateway_Chassis"/> belonging to the same logical router
2320 <column name=
"options">
2321 Reserved for future use.
2324 <group title=
"Common Columns">
2325 <column name=
"external_ids">
2326 See
<em>External IDs
</em> at the beginning of this document.
projects / ovs.git / blob