1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <database name=
"ovn-sb" title=
"OVN Southbound Database">
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see
<code>ovn-architecture
</code>(
7).
10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
13 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, and
14 northbound to the Cloud Management System, via
<code>ovn-northd
</code>:
17 <h2>Database Structure
</h2>
20 The OVN Southbound database contains classes of data with
21 different properties, as described in the sections below.
24 <h3>Physical network
</h3>
27 Physical network tables contain information about the chassis nodes in the
28 system. This contains all the information necessary to wire the overlay,
29 such as IP addresses, supported tunnel types, and security keys.
33 The amount of physical network data is small (O(n) in the number of
34 chassis) and it changes infrequently, so it can be replicated to every
39 The
<ref table=
"Chassis"/> and
<ref table=
"Encap"/> tables are the physical
43 <h3>Logical Network
</h3>
46 Logical network tables contain the topology of logical switches and
47 routers, ACLs, firewall rules, and everything needed to describe how
48 packets traverse a logical network, represented as logical datapath flows
49 (see Logical Datapath Flows, below).
53 Logical network data may be large (O(n) in the number of logical ports, ACL
54 rules, etc.). Thus, to improve scaling, each chassis should receive only
55 data related to logical networks in which that chassis participates.
59 The logical network data is ultimately controlled by the cloud management
60 system (CMS) running northbound of OVN. That CMS determines the entire OVN
61 logical configuration and therefore the logical network data at any given
62 time is a deterministic function of the CMS's configuration, although that
63 happens indirectly via the
<ref db=
"OVN_Northbound"/> database and
64 <code>ovn-northd
</code>.
68 Logical network data is likely to change more quickly than physical network
69 data. This is especially true in a container environment where containers
70 are created and destroyed (and therefore added to and deleted from logical
75 The
<ref table=
"Logical_Flow"/>,
<ref table=
"Multicast_Group"/>,
<ref
76 table=
"Address_Group"/>,
<ref table=
"DHCP_Options"/>,
<ref
77 table=
"DHCPv6_Options"/>, and
<ref table=
"DNS"/> tables contain logical
81 <h3>Logical-physical bindings
</h3>
84 These tables link logical and physical components. They show the current
85 placement of logical components (such as VMs and VIFs) onto chassis, and
86 map logical entities to the values that represent them in tunnel
91 These tables change frequently, at least every time a VM powers up or down
92 or migrates, and especially quickly in a container environment. The
93 amount of data per VM (or VIF) is small.
97 Each chassis is authoritative about the VMs and VIFs that it hosts at any
98 given time and can efficiently flood that state to a central location, so
99 the consistency needs are minimal.
103 The
<ref table=
"Port_Binding"/> and
<ref table=
"Datapath_Binding"/> tables
104 contain binding data.
107 <h3>MAC bindings
</h3>
110 The
<ref table=
"MAC_Binding"/> table tracks the bindings from IP addresses
111 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
112 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
113 machines are statically populated into the
<ref table=
"Port_Binding"/>
114 table, so
<ref table=
"MAC_Binding"/> is primarily used to discover bindings
115 on physical networks.
118 <h2>Common Columns
</h2>
121 Some tables contain a special column named
<code>external_ids
</code>. This
122 column has the same form and purpose each place that it appears, so we
123 describe it here to save space later.
127 <dt><code>external_ids
</code>: map of string-string pairs
</dt>
129 Key-value pairs for use by the software that manages the OVN Southbound
130 database rather than by
131 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>. In
132 particular,
<code>ovn-northd
</code> can use key-value pairs in this
133 column to relate entities in the southbound database to higher-level
134 entities (such as entities in the OVN Northbound database). Individual
135 key-value pairs in this column may be documented in some cases to aid
136 in understanding and troubleshooting, but the reader should not mistake
137 such documentation as comprehensive.
141 <table name=
"SB_Global" title=
"Southbound configuration">
143 Southbound configuration for an OVN system. This table must have exactly
147 <group title=
"Status">
148 This column allow a client to track the overall configuration state of
151 <column name=
"nb_cfg">
152 Sequence number for the configuration. When a CMS or
153 <code>ovn-nbctl
</code> updates the northbound database, it increments
154 the
<code>nb_cfg
</code> column in the
<code>NB_Global
</code> table in
155 the northbound database. In turn, when
<code>ovn-northd
</code> updates
156 the southbound database to bring it up to date with these changes, it
157 updates this column to the same value.
161 <group title=
"Common Columns">
162 <column name=
"external_ids">
163 See
<em>External IDs
</em> at the beginning of this document.
166 <group title=
"Connection Options">
167 <column name=
"connections">
168 Database clients to which the Open vSwitch database server should
169 connect or on which it should listen, along with options for how these
170 connections should be configured. See the
<ref table=
"Connection"/>
171 table for more information.
174 Global SSL configuration.
179 <table name=
"Chassis" title=
"Physical Network Hypervisor and Gateway Information">
181 Each row in this table represents a hypervisor or gateway (a chassis) in
182 the physical network. Each chassis, via
183 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, adds
184 and updates its own row, and keeps a copy of the remaining rows to
185 determine how to reach other hypervisors.
189 When a chassis shuts down gracefully, it should remove its own row.
190 (This is not critical because resources hosted on the chassis are equally
191 unreachable regardless of whether the row is present.) If a chassis
192 shuts down permanently without removing its row, some kind of manual or
193 automatic cleanup is eventually needed; we can devise a process for that
198 OVN does not prescribe a particular format for chassis names.
199 ovn-controller populates this column using
<ref key=
"system-id"
200 table=
"Open_vSwitch" column=
"external_ids" db=
"Open_vSwitch"/>
201 in the Open_vSwitch database's
<ref table=
"Open_vSwitch"
202 db=
"Open_vSwitch"/> table. ovn-controller-vtep populates this
203 column with
<ref table=
"Physical_Switch" column=
"name"
204 db=
"hardware_vtep"/> in the hardware_vtep database's
205 <ref table=
"Physical_Switch" db=
"hardware_vtep"/> table.
208 <column name=
"hostname">
209 The hostname of the chassis, if applicable. ovn-controller will populate
210 this column with the hostname of the host it is running on.
211 ovn-controller-vtep will leave this column empty.
214 <column name=
"nb_cfg">
215 Sequence number for the configuration. When
<code>ovn-controller
</code>
216 updates the configuration of a chassis from the contents of the
217 southbound database, it copies
<ref table=
"SB_Global" column=
"nb_cfg"/>
218 from the
<ref table=
"SB_Global"/> table into this column.
221 <column name=
"external_ids" key=
"ovn-bridge-mappings">
222 <code>ovn-controller
</code> populates this key with the set of bridge
223 mappings it has been configured to use. Other applications should treat
224 this key as read-only. See
<code>ovn-controller
</code>(
8) for more
228 <column name=
"external_ids" key=
"datapath-type">
229 <code>ovn-controller
</code> populates this key with the datapath type
230 configured in the
<ref table=
"Bridge" column=
"datapath_type"/> column of
231 the Open_vSwitch database's
<ref table=
"Bridge" db=
"Open_vSwitch"/>
232 table. Other applications should treat this key as read-only. See
233 <code>ovn-controller
</code>(
8) for more information.
236 <column name=
"external_ids" key=
"iface-types">
237 <code>ovn-controller
</code> populates this key with the interface types
238 configured in the
<ref table=
"Open_vSwitch" column=
"iface_types"/> column
239 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
240 db=
"Open_vSwitch"/> table. Other applications should treat this key as
241 read-only. See
<code>ovn-controller
</code>(
8) for more information.
244 <column name=
"external_ids" key=
"ovn-cms-options">
245 <code>ovn-controller
</code> populates this key with the set of options
246 configured in the
<ref table=
"Open_vSwitch"
247 column=
"external_ids:ovn-cms-options"/> column of the Open_vSwitch
248 database's
<ref table=
"Open_vSwitch" db=
"Open_vSwitch"/> table.
249 See
<code>ovn-controller
</code>(
8) for more information.
252 <group title=
"Common Columns">
253 The overall purpose of these columns is described under
<code>Common
254 Columns
</code> at the beginning of this document.
256 <column name=
"external_ids"/>
259 <group title=
"Encapsulation Configuration">
261 OVN uses encapsulation to transmit logical dataplane packets
265 <column name=
"encaps">
266 Points to supported encapsulation configurations to transmit
267 logical dataplane packets to this chassis. Each entry is a
<ref
268 table=
"Encap"/> record that describes the configuration.
272 <group title=
"Gateway Configuration">
274 A
<dfn>gateway
</dfn> is a chassis that forwards traffic between the
275 OVN-managed part of a logical network and a physical VLAN, extending a
276 tunnel-based logical network into a physical network. Gateways are
277 typically dedicated nodes that do not host VMs and will be controlled
278 by
<code>ovn-controller-vtep
</code>.
281 <column name=
"vtep_logical_switches">
282 Stores all VTEP logical switch names connected by this gateway
283 chassis. The
<ref table=
"Port_Binding"/> table entry with
284 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code>
285 equal
<ref table=
"Chassis"/> <ref column=
"name" table=
"Chassis"/>, and
286 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code>
287 value in
<ref table=
"Chassis"/>
288 <ref column=
"vtep_logical_switches" table=
"Chassis"/>, will be
289 associated with this
<ref table=
"Chassis"/>.
294 <table name=
"Encap" title=
"Encapsulation Types">
296 The
<ref column=
"encaps" table=
"Chassis"/> column in the
<ref
297 table=
"Chassis"/> table refers to rows in this table to identify
298 how OVN may transmit logical dataplane packets to this chassis.
299 Each chassis, via
<code>ovn-controller
</code>(
8) or
300 <code>ovn-controller-vtep
</code>(
8), adds and updates its own rows
301 and keeps a copy of the remaining rows to determine how to reach
306 The encapsulation to use to transmit packets to this chassis.
307 Hypervisors must use either
<code>geneve
</code> or
308 <code>stt
</code>. Gateways may use
<code>vxlan
</code>,
309 <code>geneve
</code>, or
<code>stt
</code>.
312 <column name=
"options">
314 Options for configuring the encapsulation. Currently, the only
315 option that has been defined is
<code>csum
</code>.
319 <code>csum
</code> indicates that encapsulation checksums can be
320 transmitted and received with reasonable performance. It is a hint
321 to senders transmitting data to this chassis that they should use
322 checksums to protect OVN metadata.
<code>ovn-controller
</code>
323 populates this key with the value defined in
324 <ref table=
"Open_vSwitch" column=
"external_ids:ovn-encap-csum"/> column
325 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
326 db=
"Open_vSwitch"/> table. Other applications should treat this key as
327 read-only. See
<code>ovn-controller
</code>(
8) for more information.
331 In terms of performance, this actually significantly increases
332 throughput in most common cases when running on Linux based hosts
333 without NICs supporting encapsulation hardware offload (around
60% for
334 bulk traffic). The reason is that generally all NICs are capable of
335 offloading transmitted and received TCP/UDP checksums (viewed as
336 ordinary data packets and not as tunnels). The benefit comes on the
337 receive side where the validated outer checksum can be used to
338 additionally validate an inner checksum (such as TCP), which in turn
339 allows aggregation of packets to be more efficiently handled by the
344 Not all devices see such a benefit. The most notable exception is
345 hardware VTEPs. These devices are designed to not buffer entire
346 packets in their switching engines and are therefore unable to
347 efficiently compute or validate full packet checksums. In addition
348 certain versions of the Linux kernel are not able to fully take
349 advantage of encapsulation NIC offloads in the presence of checksums.
350 (This is actually a pretty narrow corner case though - earlier
351 versions of Linux don't support encapsulation offloads at all and
352 later versions support both offloads and checksums well.)
356 <code>csum
</code> defaults to
<code>false
</code> for hardware VTEPs and
357 <code>true
</code> for all other cases.
362 The IPv4 address of the encapsulation tunnel endpoint.
364 <column name=
"chassis_name">
365 The name of the chassis that created this encap.
369 <table name=
"Address_Set" title=
"Address Sets">
371 See the documentation for the
<ref table=
"Address_Set"
372 db=
"OVN_Northbound"/> table in the
<ref db=
"OVN_Northbound"/> database
376 <column name=
"name"/>
377 <column name=
"addresses"/>
380 <table name=
"Logical_Flow" title=
"Logical Network Flows">
382 Each row in this table represents one logical flow.
383 <code>ovn-northd
</code> populates this table with logical flows
384 that implement the L2 and L3 topologies specified in the
385 <ref db=
"OVN_Northbound"/> database. Each hypervisor, via
386 <code>ovn-controller
</code>, translates the logical flows into
387 OpenFlow flows specific to its hypervisor and installs them into
392 Logical flows are expressed in an OVN-specific format, described here. A
393 logical datapath flow is much like an OpenFlow flow, except that the
394 flows are written in terms of logical ports and logical datapaths instead
395 of physical ports and physical datapaths. Translation between logical
396 and physical flows helps to ensure isolation between logical datapaths.
397 (The logical flow abstraction also allows the OVN centralized
398 components to do less work, since they do not have to separately
399 compute and push out physical flows to each chassis.)
403 The default action when no flow matches is to drop packets.
406 <p><em>Architectural Logical Life Cycle of a Packet
</em></p>
409 This following description focuses on the life cycle of a packet through
410 a logical datapath, ignoring physical details of the implementation.
411 Please refer to
<em>Architectural Physical Life Cycle of a Packet
</em> in
412 <code>ovn-architecture
</code>(
7) for the physical information.
416 The description here is written as if OVN itself executes these steps,
417 but in fact OVN (that is,
<code>ovn-controller
</code>) programs Open
418 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
422 At a high level, OVN passes each packet through the logical datapath's
423 logical ingress pipeline, which may output the packet to one or more
424 logical port or logical multicast groups. For each such logical output
425 port, OVN passes the packet through the datapath's logical egress
426 pipeline, which may either drop the packet or deliver it to the
427 destination. Between the two pipelines, outputs to logical multicast
428 groups are expanded into logical ports, so that the egress pipeline only
429 processes a single logical output port at a time. Between the two
430 pipelines is also where, when necessary, OVN encapsulates a packet in a
431 tunnel (or tunnels) to transmit to remote hypervisors.
435 In more detail, to start, OVN searches the
<ref table=
"Logical_Flow"/>
436 table for a row with correct
<ref column=
"logical_datapath"/>, a
<ref
437 column=
"pipeline"/> of
<code>ingress
</code>, a
<ref column=
"table_id"/>
438 of
0, and a
<ref column=
"match"/> that is true for the packet. If none
439 is found, OVN drops the packet. If OVN finds more than one, it chooses
440 the match with the highest
<ref column=
"priority"/>. Then OVN executes
441 each of the actions specified in the row's
<ref table=
"actions"/> column,
442 in the order specified. Some actions, such as those to modify packet
443 headers, require no further details. The
<code>next
</code> and
444 <code>output
</code> actions are special.
448 The
<code>next
</code> action causes the above process to be repeated
449 recursively, except that OVN searches for
<ref column=
"table_id"/> of
1
450 instead of
0. Similarly, any
<code>next
</code> action in a row found in
451 that table would cause a further search for a
<ref column=
"table_id"/> of
452 2, and so on. When recursive processing completes, flow control returns
453 to the action following
<code>next
</code>.
457 The
<code>output
</code> action also introduces recursion. Its effect
458 depends on the current value of the
<code>outport
</code> field. Suppose
459 <code>outport
</code> designates a logical port. First, OVN compares
460 <code>inport
</code> to
<code>outport
</code>; if they are equal, it treats
461 the
<code>output
</code> as a no-op by default. In the common
462 case, where they are different, the packet enters the egress
463 pipeline. This transition to the egress pipeline discards
464 register data, e.g.
<code>reg0
</code> ...
<code>reg9
</code> and
465 connection tracking state, to achieve uniform behavior regardless
466 of whether the egress pipeline is on a different hypervisor
467 (because registers aren't preserve across tunnel encapsulation).
471 To execute the egress pipeline, OVN again searches the
<ref
472 table=
"Logical_Flow"/> table for a row with correct
<ref
473 column=
"logical_datapath"/>, a
<ref column=
"table_id"/> of
0, a
<ref
474 column=
"match"/> that is true for the packet, but now looking for a
<ref
475 column=
"pipeline"/> of
<code>egress
</code>. If no matching row is found,
476 the output becomes a no-op. Otherwise, OVN executes the actions for the
477 matching flow (which is chosen from multiple, if necessary, as already
482 In the
<code>egress
</code> pipeline, the
<code>next
</code> action acts as
483 already described, except that it, of course, searches for
484 <code>egress
</code> flows. The
<code>output
</code> action, however, now
485 directly outputs the packet to the output port (which is now fixed,
486 because
<code>outport
</code> is read-only within the egress pipeline).
490 The description earlier assumed that
<code>outport
</code> referred to a
491 logical port. If it instead designates a logical multicast group, then
492 the description above still applies, with the addition of fan-out from
493 the logical multicast group to each logical port in the group. For each
494 member of the group, OVN executes the logical pipeline as described, with
495 the logical output port replaced by the group member.
498 <p><em>Pipeline Stages
</em></p>
501 <code>ovn-northd
</code> populates the
<ref table=
"Logical_Flow"/> table
502 with the logical flows described in detail in
<code>ovn-northd
</code>(
8).
505 <column name=
"logical_datapath">
506 The logical datapath to which the logical flow belongs.
509 <column name=
"pipeline">
511 The primary flows used for deciding on a packet's destination are the
512 <code>ingress
</code> flows. The
<code>egress
</code> flows implement
513 ACLs. See
<em>Logical Life Cycle of a Packet
</em>, above, for details.
517 <column name=
"table_id">
518 The stage in the logical pipeline, analogous to an OpenFlow table number.
521 <column name=
"priority">
522 The flow's priority. Flows with numerically higher priority take
523 precedence over those with lower. If two logical datapath flows with the
524 same priority both match, then the one actually applied to the packet is
528 <column name=
"match">
530 A matching expression. OVN provides a superset of OpenFlow matching
531 capabilities, using a syntax similar to Boolean expressions in a
532 programming language.
536 The most important components of match expression are
537 <dfn>comparisons
</dfn> between
<dfn>symbols
</dfn> and
538 <dfn>constants
</dfn>, e.g.
<code>ip4.dst ==
192.168.0.1</code>,
539 <code>ip.proto ==
6</code>,
<code>arp.op ==
1</code>,
<code>eth.type ==
540 0x800</code>. The logical AND operator
<code>&&</code> and
541 logical OR operator
<code>||
</code> can combine comparisons into a
546 Matching expressions also support parentheses for grouping, the logical
547 NOT prefix operator
<code>!
</code>, and literals
<code>0</code> and
548 <code>1</code> to express ``false'' or ``true,'' respectively. The
549 latter is useful by itself as a catch-all expression that matches every
554 Match expressions also support a kind of function syntax. The
555 following functions are supported:
559 <dt><code>is_chassis_resident(
<var>lport
</var>)
</code></dt>
561 Evaluates to true on a chassis on which logical port
<var>lport
</var>
562 (a quoted string) resides, and to false elsewhere. This function was
563 introduced in OVN
2.7.
567 <p><em>Symbols
</em></p>
570 <em>Type
</em>. Symbols have
<dfn>integer
</dfn> or
<dfn>string
</dfn>
571 type. Integer symbols have a
<dfn>width
</dfn> in bits.
575 <em>Kinds
</em>. There are three kinds of symbols:
581 <dfn>Fields
</dfn>. A field symbol represents a packet header or
582 metadata field. For example, a field
583 named
<code>vlan.tci
</code> might represent the VLAN TCI field in a
588 A field symbol can have integer or string type. Integer fields can
589 be nominal or ordinal (see
<em>Level of Measurement
</em>,
596 <dfn>Subfields
</dfn>. A subfield represents a subset of bits from
597 a larger field. For example, a field
<code>vlan.vid
</code> might
598 be defined as an alias for
<code>vlan.tci[
0.
.11]
</code>. Subfields
599 are provided for syntactic convenience, because it is always
600 possible to instead refer to a subset of bits from a field
605 Only ordinal fields (see
<em>Level of Measurement
</em>,
606 below) may have subfields. Subfields are always ordinal.
612 <dfn>Predicates
</dfn>. A predicate is shorthand for a Boolean
613 expression. Predicates may be used much like
1-bit fields. For
614 example,
<code>ip4
</code> might expand to
<code>eth.type ==
615 0x800</code>. Predicates are provided for syntactic convenience,
616 because it is always possible to instead specify the underlying
621 A predicate whose expansion refers to any nominal field or
622 predicate (see
<em>Level of Measurement
</em>, below) is nominal;
623 other predicates have Boolean level of measurement.
629 <em>Level of Measurement
</em>. See
630 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
631 concept on which this classification is based. There are three
638 <dfn>Ordinal
</dfn>. In statistics, ordinal values can be ordered
639 on a scale. OVN considers a field (or subfield) to be ordinal if
640 its bits can be examined individually. This is true for the
641 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
645 Any use of a ordinal field may specify a single bit or a range of
646 bits, e.g.
<code>vlan.tci[
13.
.15]
</code> refers to the PCP field
647 within the VLAN TCI, and
<code>eth.dst[
40]
</code> refers to the
648 multicast bit in the Ethernet destination address.
652 OVN supports all the usual arithmetic relations (
<code>==
</code>,
653 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
654 <code>></code>, and
<code>>=
</code>) on ordinal fields and
655 their subfields, because OVN can implement these in OpenFlow and
656 Open vSwitch as collections of bitwise tests.
662 <dfn>Nominal
</dfn>. In statistics, nominal values cannot be
663 usefully compared except for equality. This is true of OpenFlow
664 port numbers, Ethernet types, and IP protocols are examples: all of
665 these are just identifiers assigned arbitrarily with no deeper
666 meaning. In OpenFlow and Open vSwitch, bits in these fields
667 generally aren't individually addressable.
671 OVN only supports arithmetic tests for equality on nominal fields,
672 because OpenFlow and Open vSwitch provide no way for a flow to
673 efficiently implement other comparisons on them. (A test for
674 inequality can be sort of built out of two flows with different
675 priorities, but OVN matching expressions always generate flows with
680 String fields are always nominal.
686 <dfn>Boolean
</dfn>. A nominal field that has only two values,
0
687 and
1, is somewhat exceptional, since it is easy to support both
688 equality and inequality tests on such a field: either one can be
689 implemented as a test for
0 or
1.
693 Only predicates (see above) have a Boolean level of measurement.
697 This isn't a standard level of measurement.
703 <em>Prerequisites
</em>. Any symbol can have prerequisites, which are
704 additional condition implied by the use of the symbol. For example,
705 For example,
<code>icmp4.type
</code> symbol might have prerequisite
706 <code>icmp4
</code>, which would cause an expression
<code>icmp4.type ==
707 0</code> to be interpreted as
<code>icmp4.type ==
0 &&
708 icmp4
</code>, which would in turn expand to
<code>icmp4.type ==
0
709 && eth.type ==
0x800 && ip4.proto ==
1</code> (assuming
710 <code>icmp4
</code> is a predicate defined as suggested under
711 <em>Types
</em> above).
714 <p><em>Relational operators
</em></p>
717 All of the standard relational operators
<code>==
</code>,
718 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
719 <code>></code>, and
<code>>=
</code> are supported. Nominal
720 fields support only
<code>==
</code> and
<code>!=
</code>, and only in a
721 positive sense when outer
<code>!
</code> are taken into account,
722 e.g. given string field
<code>inport
</code>,
<code>inport ==
723 "eth0"</code> and
<code>!(inport !=
"eth0")
</code> are acceptable, but
724 not
<code>inport !=
"eth0"</code>.
728 The implementation of
<code>==
</code> (or
<code>!=
</code> when it is
729 negated), is more efficient than that of the other relational
733 <p><em>Constants
</em></p>
736 Integer constants may be expressed in decimal, hexadecimal prefixed by
737 <code>0x
</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
738 their standard forms, or Ethernet addresses as colon-separated hex
739 digits. A constant in any of these forms may be followed by a slash
740 and a second constant (the mask) in the same form, to form a masked
741 constant. IPv4 and IPv6 masks may be given as integers, to express
746 String constants have the same syntax as quoted strings in JSON (thus,
747 they are Unicode strings).
751 Some operators support sets of constants written inside curly braces
752 <code>{
</code> ...
<code>}
</code>. Commas between elements of a set,
753 and after the last elements, are optional. With
<code>==
</code>,
754 ``
<code><var>field
</var> == {
<var>constant1
</var>,
755 <var>constant2
</var>,
</code> ...
<code>}
</code>'' is syntactic sugar
756 for ``
<code><var>field
</var> ==
<var>constant1
</var> ||
757 <var>field
</var> ==
<var>constant2
</var> ||
</code>...
<code></code>.
758 Similarly, ``
<code><var>field
</var> != {
<var>constant1
</var>,
759 <var>constant2
</var>,
</code>...
<code> }
</code>'' is equivalent to
760 ``
<code><var>field
</var> !=
<var>constant1
</var> &&
761 <var>field
</var> !=
<var>constant2
</var> &&
762 </code>...
<code></code>''.
766 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
767 <ref table=
"Address_Set"/> table by its
<ref column=
"name"
768 table=
"Address_Set"/>. An
<ref table=
"Address_Set"/> with a name
769 of
<code>set1
</code> can be referred to as
773 <p><em>Miscellaneous
</em></p>
776 Comparisons may name the symbol or the constant first,
777 e.g.
<code>tcp.src ==
80</code> and
<code>80 == tcp.src
</code> are both
782 Tests for a range may be expressed using a syntax like
<code>1024 <=
783 tcp.src
<=
49151</code>, which is equivalent to
<code>1024 <=
784 tcp.src
&& tcp.src
<=
49151</code>.
788 For a one-bit field or predicate, a mention of its name is equivalent
789 to
<code><var>symobl
</var> ==
1</code>, e.g.
<code>vlan.present
</code>
790 is equivalent to
<code>vlan.present ==
1</code>. The same is true for
791 one-bit subfields, e.g.
<code>vlan.tci[
12]
</code>. There is no
792 technical limitation to implementing the same for ordinal fields of all
793 widths, but the implementation is expensive enough that the syntax
794 parser requires writing an explicit comparison against zero to make
795 mistakes less likely, e.g. in
<code>tcp.src !=
0</code> the comparison
796 against
0 is required.
800 <em>Operator precedence
</em> is as shown below, from highest to lowest.
801 There are two exceptions where parentheses are required even though the
802 table would suggest that they are not:
<code>&&</code> and
803 <code>||
</code> require parentheses when used together, and
804 <code>!
</code> requires parentheses when applied to a relational
805 expression. Thus, in
<code>(eth.type ==
0x800 || eth.type ==
0x86dd)
806 && ip.proto ==
6</code> or
<code>!(arp.op ==
1)
</code>, the
807 parentheses are mandatory.
811 <li><code>()
</code></li>
812 <li><code>== !=
< <=
> >=
</code></li>
813 <li><code>!
</code></li>
814 <li><code>&& ||
</code></li>
818 <em>Comments
</em> may be introduced by
<code>//
</code>, which extends
819 to the next new-line. Comments within a line may be bracketed by
820 <code>/*
</code> and
<code>*/
</code>. Multiline comments are not
824 <p><em>Symbols
</em></p>
827 Most of the symbols below have integer type. Only
<code>inport
</code>
828 and
<code>outport
</code> have string type.
<code>inport
</code> names a
829 logical port. Thus, its value is a
<ref column=
"logical_port"/> name
830 from the
<ref table=
"Port_Binding"/> table.
<code>outport
</code> may
831 name a logical port, as
<code>inport
</code>, or a logical multicast
832 group defined in the
<ref table=
"Multicast_Group"/> table. For both
833 symbols, only names within the flow's logical datapath may be used.
837 The
<code>reg
</code><var>X
</var> symbols are
32-bit integers.
838 The
<code>xxreg
</code><var>X
</var> symbols are
128-bit integers,
839 which overlay four of the
32-bit registers:
<code>xxreg0
</code>
840 overlays
<code>reg0
</code> through
<code>reg3
</code>, with
841 <code>reg0
</code> supplying the most-significant bits of
842 <code>xxreg0
</code> and
<code>reg3
</code> the least-signficant.
843 <code>xxreg1
</code> similarly overlays
<code>reg4
</code> through
848 <li><code>reg0
</code>...
<code>reg9
</code></li>
849 <li><code>xxreg0
</code> <code>xxreg1
</code></li>
850 <li><code>inport
</code> <code>outport
</code></li>
851 <li><code>flags.loopback
</code></li>
852 <li><code>eth.src
</code> <code>eth.dst
</code> <code>eth.type
</code></li>
853 <li><code>vlan.tci
</code> <code>vlan.vid
</code> <code>vlan.pcp
</code> <code>vlan.present
</code></li>
854 <li><code>ip.proto
</code> <code>ip.dscp
</code> <code>ip.ecn
</code> <code>ip.ttl
</code> <code>ip.frag
</code></li>
855 <li><code>ip4.src
</code> <code>ip4.dst
</code></li>
856 <li><code>ip6.src
</code> <code>ip6.dst
</code> <code>ip6.label
</code></li>
857 <li><code>arp.op
</code> <code>arp.spa
</code> <code>arp.tpa
</code> <code>arp.sha
</code> <code>arp.tha
</code></li>
858 <li><code>tcp.src
</code> <code>tcp.dst
</code> <code>tcp.flags
</code></li>
859 <li><code>udp.src
</code> <code>udp.dst
</code></li>
860 <li><code>sctp.src
</code> <code>sctp.dst
</code></li>
861 <li><code>icmp4.type
</code> <code>icmp4.code
</code></li>
862 <li><code>icmp6.type
</code> <code>icmp6.code
</code></li>
863 <li><code>nd.target
</code> <code>nd.sll
</code> <code>nd.tll
</code></li>
864 <li><code>ct_mark
</code> <code>ct_label
</code></li>
867 <code>ct_state
</code>, which has several Boolean subfields. The
868 <code>ct_next
</code> action initializes the following subfields:
872 <code>ct.trk
</code>: Always set to true by
<code>ct_next
</code>
873 to indicate that connection tracking has taken place. All other
874 <code>ct
</code> subfields have
<code>ct.trk
</code> as a
877 <li><code>ct.new
</code>: True for a new flow
</li>
878 <li><code>ct.est
</code>: True for an established flow
</li>
879 <li><code>ct.rel
</code>: True for a related flow
</li>
880 <li><code>ct.rpl
</code>: True for a reply flow
</li>
881 <li><code>ct.inv
</code>: True for a connection entry in a bad state
</li>
884 The
<code>ct_dnat
</code>,
<code>ct_snat
</code>, and
885 <code>ct_lb
</code> actions initialize the following subfields:
889 <code>ct.dnat
</code>: True for a packet whose destination IP
890 address has been changed.
893 <code>ct.snat
</code>: True for a packet whose source IP
894 address has been changed.
901 The following predicates are supported:
905 <li><code>eth.bcast
</code> expands to
<code>eth.dst == ff:ff:ff:ff:ff:ff
</code></li>
906 <li><code>eth.mcast
</code> expands to
<code>eth.dst[
40]
</code></li>
907 <li><code>vlan.present
</code> expands to
<code>vlan.tci[
12]
</code></li>
908 <li><code>ip4
</code> expands to
<code>eth.type ==
0x800</code></li>
909 <li><code>ip4.mcast
</code> expands to
<code>ip4.dst[
28.
.31] ==
0xe</code></li>
910 <li><code>ip6
</code> expands to
<code>eth.type ==
0x86dd</code></li>
911 <li><code>ip
</code> expands to
<code>ip4 || ip6
</code></li>
912 <li><code>icmp4
</code> expands to
<code>ip4
&& ip.proto ==
1</code></li>
913 <li><code>icmp6
</code> expands to
<code>ip6
&& ip.proto ==
58</code></li>
914 <li><code>icmp
</code> expands to
<code>icmp4 || icmp6
</code></li>
915 <li><code>ip.is_frag
</code> expands to
<code>ip.frag[
0]
</code></li>
916 <li><code>ip.later_frag
</code> expands to
<code>ip.frag[
1]
</code></li>
917 <li><code>ip.first_frag
</code> expands to
<code>ip.is_frag
&& !ip.later_frag
</code></li>
918 <li><code>arp
</code> expands to
<code>eth.type ==
0x806</code></li>
919 <li><code>nd
</code> expands to
<code>icmp6.type == {
135,
136}
&& icmp6.code ==
0 && ip.ttl ==
255</code></li>
920 <li><code>nd_ns
</code> expands to
<code>icmp6.type ==
135 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
921 <li><code>nd_na
</code> expands to
<code>icmp6.type ==
136 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
922 <li><code>nd_rs
</code> expands to
<code>icmp6.type ==
133 &&
923 icmp6.code ==
0 && ip.ttl ==
255</code></li>
924 <li><code>nd_ra
</code> expands to
<code>icmp6.type ==
134 &&
925 icmp6.code ==
0 && ip.ttl ==
255</code></li>
926 <li><code>tcp
</code> expands to
<code>ip.proto ==
6</code></li>
927 <li><code>udp
</code> expands to
<code>ip.proto ==
17</code></li>
928 <li><code>sctp
</code> expands to
<code>ip.proto ==
132</code></li>
932 <column name=
"actions">
934 Logical datapath actions, to be executed when the logical flow
935 represented by this row is the highest-priority match.
939 Actions share lexical syntax with the
<ref column=
"match"/> column. An
940 empty set of actions (or one that contains just white space or
941 comments), or a set of actions that consists of just
942 <code>drop;
</code>, causes the matched packets to be dropped.
943 Otherwise, the column should contain a sequence of actions, each
944 terminated by a semicolon.
948 The following actions are defined:
952 <dt><code>output;
</code></dt>
955 In the ingress pipeline, this action executes the
956 <code>egress
</code> pipeline as a subroutine. If
957 <code>outport
</code> names a logical port, the egress pipeline
958 executes once; if it is a multicast group, the egress pipeline runs
959 once for each logical port in the group.
963 In the egress pipeline, this action performs the actual
964 output to the
<code>outport
</code> logical port. (In the egress
965 pipeline,
<code>outport
</code> never names a multicast group.)
969 By default, output to the input port is implicitly dropped,
970 that is,
<code>output
</code> becomes a no-op if
971 <code>outport
</code> ==
<code>inport
</code>. Occasionally
972 it may be useful to override this behavior, e.g. to send an
973 ARP reply to an ARP request; to do so, use
974 <code>flags.loopback =
1</code> to allow the packet to
975 "hair-pin" back to the input port.
979 <dt><code>next;
</code></dt>
980 <dt><code>next(
<var>table
</var>);
</code></dt>
981 <dt><code>next(pipeline=
<var>pipeline
</var>, table=
<var>table
</var>);
</code></dt>
983 Executes the given logical datapath
<var>table
</var> in
984 <var>pipeline
</var> as a subroutine. The default
<var>table
</var> is
985 just after the current one. If
<var>pipeline
</var> is specified, it
986 may be
<code>ingress
</code> or
<code>egress
</code>; the default
987 <var>pipeline
</var> is the one currently executing. Actions in the
988 ingress pipeline may not use
<code>next
</code> to jump into the
989 egress pipeline (use the
<code>output
</code> instead), but
990 transitions in the opposite direction are allowed.
993 <dt><code><var>field
</var> =
<var>constant
</var>;
</code></dt>
996 Sets data or metadata field
<var>field
</var> to constant value
997 <var>constant
</var>, e.g.
<code>outport =
"vif0";
</code> to set the
998 logical output port. To set only a subset of bits in a field,
999 specify a subfield for
<var>field
</var> or a masked
1000 <var>constant
</var>, e.g. one may use
<code>vlan.pcp[
2] =
1;
</code>
1001 or
<code>vlan.pcp =
4/
4;
</code> to set the most sigificant bit of
1006 Assigning to a field with prerequisites implicitly adds those
1007 prerequisites to
<ref column=
"match"/>; thus, for example, a flow
1008 that sets
<code>tcp.dst
</code> applies only to TCP flows,
1009 regardless of whether its
<ref column=
"match"/> mentions any TCP
1014 Not all fields are modifiable (e.g.
<code>eth.type
</code> and
1015 <code>ip.proto
</code> are read-only), and not all modifiable fields
1016 may be partially modified (e.g.
<code>ip.ttl
</code> must assigned
1017 as a whole). The
<code>outport
</code> field is modifiable in the
1018 <code>ingress
</code> pipeline but not in the
<code>egress
</code>
1023 <dt><code><var>field1
</var> =
<var>field2
</var>;
</code></dt>
1026 Sets data or metadata field
<var>field1
</var> to the value of data
1027 or metadata field
<var>field2
</var>, e.g.
<code>reg0 =
1028 ip4.src;
</code> copies
<code>ip4.src
</code> into
<code>reg0
</code>.
1029 To modify only a subset of a field's bits, specify a subfield for
1030 <var>field1
</var> or
<var>field2
</var> or both, e.g.
<code>vlan.pcp
1031 = reg0[
0.
.2];
</code> copies the least-significant bits of
1032 <code>reg0
</code> into the VLAN PCP.
1036 <var>field1
</var> and
<var>field2
</var> must be the same type,
1037 either both string or both integer fields. If they are both
1038 integer fields, they must have the same width.
1042 If
<var>field1
</var> or
<var>field2
</var> has prerequisites, they
1043 are added implicitly to
<ref column=
"match"/>. It is possible to
1044 write an assignment with contradictory prerequisites, such as
1045 <code>ip4.src = ip6.src[
0.
.31];
</code>, but the contradiction means
1046 that a logical flow with such an assignment will never be matched.
1050 <dt><code><var>field1
</var> <-
> <var>field2
</var>;
</code></dt>
1053 Similar to
<code><var>field1
</var> =
<var>field2
</var>;
</code>
1054 except that the two values are exchanged instead of copied. Both
1055 <var>field1
</var> and
<var>field2
</var> must modifiable.
1059 <dt><code>ip.ttl--;
</code></dt>
1062 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
1063 or negative, then processing of the packet halts; no further
1064 actions are processed. (To properly handle such cases, a
1065 higher-priority flow should match on
1066 <code>ip.ttl == {
0,
1};
</code>.)
1069 <p><b>Prerequisite:
</b> <code>ip
</code></p>
1072 <dt><code>ct_next;
</code></dt>
1075 Apply connection tracking to the flow, initializing
1076 <code>ct_state
</code> for matching in later tables.
1077 Automatically moves on to the next table, as if followed by
1082 As a side effect, IP fragments will be reassembled for matching.
1083 If a fragmented packet is output, then it will be sent with any
1084 overlapping fragments squashed. The connection tracking state is
1085 scoped by the logical port when the action is used in a flow for
1086 a logical switch, so overlapping addresses may be used. To allow
1087 traffic related to the matched flow, execute
<code>ct_commit
1088 </code>. Connection tracking state is scoped by the logical
1089 topology when the action is used in a flow for a router.
1093 It is possible to have actions follow
<code>ct_next
</code>,
1094 but they will not have access to any of its side-effects and
1095 is not generally useful.
1099 <dt><code>ct_commit;
</code></dt>
1100 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>);
</code></dt>
1101 <dt><code>ct_commit(ct_label=
<var>value[/mask]
</var>);
</code></dt>
1102 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>, ct_label=
<var>value[/mask]
</var>);
</code></dt>
1105 Commit the flow to the connection tracking entry associated with it
1106 by a previous call to
<code>ct_next
</code>. When
1107 <code>ct_mark=
<var>value[/mask]
</var></code> and/or
1108 <code>ct_label=
<var>value[/mask]
</var></code> are supplied,
1109 <code>ct_mark
</code> and/or
<code>ct_label
</code> will be set to the
1110 values indicated by
<var>value[/mask]
</var> on the connection
1111 tracking entry.
<code>ct_mark
</code> is a
32-bit field.
1112 <code>ct_label
</code> is a
128-bit field. The
<var>value[/mask]
</var>
1113 should be specified in hex string if more than
64bits are to be used.
1117 Note that if you want processing to continue in the next table,
1118 you must execute the
<code>next
</code> action after
1119 <code>ct_commit
</code>. You may also leave out
<code>next
</code>
1120 which will commit connection tracking state, and then drop the
1121 packet. This could be useful for setting
<code>ct_mark
</code>
1122 on a connection tracking entry before dropping a packet,
1127 <dt><code>ct_dnat;
</code></dt>
1128 <dt><code>ct_dnat(
<var>IP
</var>);
</code></dt>
1131 <code>ct_dnat
</code> sends the packet through the DNAT zone in
1132 connection tracking table to unDNAT any packet that was DNATed in
1133 the opposite direction. The packet is then automatically sent to
1134 to the next tables as if followed by
<code>next;
</code> action.
1135 The next tables will see the changes in the packet caused by
1136 the connection tracker.
1139 <code>ct_dnat(
<var>IP
</var>)
</code> sends the packet through the
1140 DNAT zone to change the destination IP address of the packet to
1141 the one provided inside the parentheses and commits the connection.
1142 The packet is then automatically sent to the next tables as if
1143 followed by
<code>next;
</code> action. The next tables will see
1144 the changes in the packet caused by the connection tracker.
1148 <dt><code>ct_snat;
</code></dt>
1149 <dt><code>ct_snat(
<var>IP
</var>);
</code></dt>
1152 <code>ct_snat
</code> sends the packet through the SNAT zone to
1153 unSNAT any packet that was SNATed in the opposite direction. The
1154 behavior on gateway routers differs from the behavior on a
1159 On a gateway router, if the packet needs to be sent to the next
1160 tables, then it should be followed by a
<code>next;
</code>
1161 action. The next tables will not see the changes in the packet
1162 caused by the connection tracker.
1165 On a distributed router, if the connection tracker finds a
1166 connection that was SNATed in the opposite direction, then the
1167 destination IP address of the packet is UNSNATed. The packet is
1168 automatically sent to the next tables as if followed by the
1169 <code>next;
</code> action. The next tables will see the changes
1170 in the packet caused by the connection tracker.
1174 <code>ct_snat(
<var>IP
</var>)
</code> sends the packet through the
1175 SNAT zone to change the source IP address of the packet to
1176 the one provided inside the parenthesis and commits the connection.
1177 The packet is then automatically sent to the next tables as if
1178 followed by
<code>next;
</code> action. The next tables will see the
1179 changes in the packet caused by the connection tracker.
1183 <dt><code>ct_clear;
</code></dt>
1185 Clears connection tracking state.
1188 <dt><code>clone {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1190 Makes a copy of the packet being processed and executes each
1191 <code>action
</code> on the copy. Actions following the
1192 <var>clone
</var> action, if any, apply to the original, unmodified
1193 packet. This can be used as a way to ``save and restore'' the packet
1194 around a set of actions that may modify it and should not persist.
1197 <dt><code>arp {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1200 Temporarily replaces the IPv4 packet being processed by an ARP
1201 packet and executes each nested
<var>action
</var> on the ARP
1202 packet. Actions following the
<var>arp
</var> action, if any, apply
1203 to the original, unmodified packet.
1207 The ARP packet that this action operates on is initialized based on
1208 the IPv4 packet being processed, as follows. These are default
1209 values that the nested actions will probably want to change:
1213 <li><code>eth.src
</code> unchanged
</li>
1214 <li><code>eth.dst
</code> unchanged
</li>
1215 <li><code>eth.type =
0x0806</code></li>
1216 <li><code>arp.op =
1</code> (ARP request)
</li>
1217 <li><code>arp.sha
</code> copied from
<code>eth.src
</code></li>
1218 <li><code>arp.spa
</code> copied from
<code>ip4.src
</code></li>
1219 <li><code>arp.tha =
00:
00:
00:
00:
00:
00</code></li>
1220 <li><code>arp.tpa
</code> copied from
<code>ip4.dst
</code></li>
1224 The ARP packet has the same VLAN header, if any, as the IP packet
1228 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1231 <dt><code>get_arp(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1235 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1236 IP address field
<var>A
</var>.
1240 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1241 If an entry is found, stores its Ethernet address in
1242 <code>eth.dst
</code>, otherwise stores
1243 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1246 <p><b>Example:
</b> <code>get_arp(outport, ip4.dst);
</code></p>
1250 <code>put_arp(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1255 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1256 IP address field
<var>A
</var>,
48-bit Ethernet address field
1261 Adds or updates the entry for IP address
<var>A
</var> in
1262 logical port
<var>P
</var>'s mac binding table, setting its
1263 Ethernet address to
<var>E
</var>.
1266 <p><b>Example:
</b> <code>put_arp(inport, arp.spa, arp.sha);
</code></p>
1269 <dt><code>nd_ns {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1272 Temporarily replaces the IPv6 packet being processed by an IPv6
1273 Neighbor Solicitation packet and executes each nested
1274 <var>action
</var> on the IPv6 NS packet. Actions following the
1275 <var>nd_ns
</var> action, if any, apply to the original, unmodified
1280 The IPv6 NS packet that this action operates on is initialized
1281 based on the IPv6 packet being processed, as follows. These are
1282 default values that the nested actions will probably want to
1287 <li><code>eth.src
</code> unchanged
</li>
1288 <li><code>eth.dst
</code> set to IPv6 multicast MAC address
</li>
1289 <li><code>eth.type =
0x86dd</code></li>
1290 <li><code>ip6.src
</code> copied from
<code>ip6.src
</code></li>
1292 <code>ip6.dst
</code> set to IPv6 Solicited-Node multicast address
1294 <li><code>icmp6.type =
135</code> (Neighbor Solicitation)
</li>
1295 <li><code>nd.target
</code> copied from
<code>ip6.dst
</code></li>
1299 The IPv6 NS packet has the same VLAN header, if any, as the IP
1303 <p><b>Prerequisite:
</b> <code>ip6
</code></p>
1307 <code>nd_na {
<var>action
</var>;
</code>...
<code> };
</code>
1312 Temporarily replaces the IPv6 neighbor solicitation packet
1313 being processed by an IPv6 neighbor advertisement (NA)
1314 packet and executes each nested
<var>action
</var> on the NA
1315 packet. Actions following the
<code>nd_na
</code> action,
1316 if any, apply to the original, unmodified packet.
1320 The NA packet that this action operates on is initialized based on
1321 the IPv6 packet being processed, as follows. These are default
1322 values that the nested actions will probably want to change:
1326 <li><code>eth.dst
</code> exchanged with
<code>eth.src
</code></li>
1327 <li><code>eth.type =
0x86dd</code></li>
1328 <li><code>ip6.dst
</code> copied from
<code>ip6.src
</code></li>
1329 <li><code>ip6.src
</code> copied from
<code>nd.target
</code></li>
1330 <li><code>icmp6.type =
136</code> (Neighbor Advertisement)
</li>
1331 <li><code>nd.target
</code> unchanged
</li>
1332 <li><code>nd.sll =
00:
00:
00:
00:
00:
00</code></li>
1333 <li><code>nd.tll
</code> copied from
<code>eth.dst
</code></li>
1337 The ND packet has the same VLAN header, if any, as the IPv6 packet
1342 <b>Prerequisite:
</b> <code>nd_ns
</code>
1346 <dt><code>get_nd(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1350 <b>Parameters
</b>: logical port string field
<var>P
</var>,
128-bit
1351 IPv6 address field
<var>A
</var>.
1355 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1356 If an entry is found, stores its Ethernet address in
1357 <code>eth.dst
</code>, otherwise stores
1358 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1361 <p><b>Example:
</b> <code>get_nd(outport, ip6.dst);
</code></p>
1365 <code>put_nd(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1370 <b>Parameters
</b>: logical port string field
<var>P
</var>,
1371 128-bit IPv6 address field
<var>A
</var>,
48-bit Ethernet
1372 address field
<var>E
</var>.
1376 Adds or updates the entry for IPv6 address
<var>A
</var> in
1377 logical port
<var>P
</var>'s mac binding table, setting its
1378 Ethernet address to
<var>E
</var>.
1381 <p><b>Example:
</b> <code>put_nd(inport, nd.target, nd.tll);
</code></p>
1385 <code><var>R
</var> = put_dhcp_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1390 <b>Parameters
</b>: one or more DHCP option/value pairs, which must
1391 include an
<code>offerip
</code> option (with code
0).
1395 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1399 Valid only in the ingress pipeline.
1403 When this action is applied to a DHCP request packet (DHCPDISCOVER
1404 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1405 or DHCPACK, respectively), replaces the options by those specified
1406 as parameters, and stores
1 in
<var>R
</var>.
1410 When this action is applied to a non-DHCP packet or a DHCP packet
1411 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1412 unchanged and stores
0 in
<var>R
</var>.
1416 The contents of the
<ref table=
"DHCP_Option"/> table control the
1417 DHCP option names and values that this action supports.
1423 reg0[
0] = put_dhcp_opts(offerip =
10.0.0.2, router =
10.0.0.1,
1424 netmask =
255.255.255.0, dns_server = {
8.8.8.8,
7.7.7.7});
1430 <code><var>R
</var> = put_dhcpv6_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1435 <b>Parameters
</b>: one or more DHCPv6 option/value pairs.
1439 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1443 Valid only in the ingress pipeline.
1447 When this action is applied to a DHCPv6 request packet, it changes
1448 the packet into a DHCPv6 reply, replaces the options by those
1449 specified as parameters, and stores
1 in
<var>R
</var>.
1453 When this action is applied to a non-DHCPv6 packet or an invalid
1454 DHCPv6 request packet , it leaves the packet unchanged and stores
1459 The contents of the
<ref table=
"DHCPv6_Options"/> table control the
1460 DHCPv6 option names and values that this action supports.
1466 reg0[
3] = put_dhcpv6_opts(ia_addr = aef0::
4, server_id =
00:
00:
00:
00:
10:
02,
1467 dns_server={ae70::
1,ae70::
2});
1473 <code>set_queue(
<var>queue_number
</var>);
</code>
1478 <b>Parameters
</b>: Queue number
<var>queue_number
</var>, in the range
0 to
61440.
1482 This is a logical equivalent of the OpenFlow
<code>set_queue
</code>
1483 action. It affects packets that egress a hypervisor through a
1484 physical interface. For nonzero
<var>queue_number
</var>, it
1485 configures packet queuing to match the settings configured for the
1486 <ref table=
"Port_Binding"/> with
1487 <code>options:qdisc_queue_id
</code> matching
1488 <var>queue_number
</var>. When
<var>queue_number
</var> is zero, it
1489 resets queuing to the default strategy.
1492 <p><b>Example:
</b> <code>set_queue(
10);
</code></p>
1495 <dt><code>ct_lb;
</code></dt>
1496 <dt><code>ct_lb(
</code><var>ip
</var>[
<code>:
</code><var>port
</var>]...
<code>);
</code></dt>
1499 With one or more arguments,
<code>ct_lb
</code> commits the packet
1500 to the connection tracking table and DNATs the packet's destination
1501 IP address (and port) to the IP address or addresses (and optional
1502 ports) specified in the string. If multiple comma-separated IP
1503 addresses are specified, each is given equal weight for picking the
1504 DNAT address. Processing automatically moves on to the next table,
1505 as if
<code>next;
</code> were specified, and later tables act on
1506 the packet as modified by the connection tracker. Connection
1507 tracking state is scoped by the logical port when the action is
1508 used in a flow for a logical switch, so overlapping
1509 addresses may be used. Connection tracking state is scoped by the
1510 logical topology when the action is used in a flow for a router.
1513 Without arguments,
<code>ct_lb
</code> sends the packet to the
1514 connection tracking table to NAT the packets. If the packet is
1515 part of an established connection that was previously committed to
1516 the connection tracker via
<code>ct_lb(
</code>...
<code>)
</code>, it
1517 will automatically get DNATed to the same IP address as the first
1518 packet in that connection.
1523 <code><var>R
</var> = dns_lookup();
</code>
1528 <b>Parameters
</b>: No parameters.
1532 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1536 Valid only in the ingress pipeline.
1540 When this action is applied to a valid DNS request (a UDP packet
1541 typically directed to port
53), it attempts to resolve the query
1542 using the contents of the
<ref table=
"DNS"/> table. If it is
1543 successful, it changes the packet into a DNS reply and stores
1 in
1544 <var>R
</var>. If the action is applied to a non-DNS packet, an
1545 invalid DNS request packet, or a valid DNS request for which the
1546 <ref table=
"DNS"/> table does not supply an answer, it leaves the
1547 packet unchanged and stores
0 in
<var>R
</var>.
1551 Regardless of success, the action does not make any of the changes
1552 to the flow that are necessary to direct the packet back to the
1553 requester. The logical pipeline can implement this behavior with
1554 matches and actions in later tables.
1560 reg0[
3] = dns_lookup();
1565 <b>Prerequisite:
</b> <code>udp
</code>
1570 <code><var>R
</var> = put_nd_ra_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1575 <b>Parameters
</b>: The following IPv6 ND Router Advertisement
1576 option/value pairs as defined in RFC
4861.
1580 <code>addr_mode
</code>
1582 Mandatory parameter which specifies the address mode flag to
1583 be set in the RA flag options field. The value of this option
1584 is a string and the following values can be defined -
1585 "slaac",
"dhcpv6_stateful" and
"dhcpv6_stateless".
1592 Mandatory parameter which specifies the link-layer address of
1593 the interface from which the Router Advertisement is sent.
1600 Optional parameter which specifies the MTU.
1607 Optional parameter which should be specified if the addr_mode
1608 is
"slaac" or
"dhcpv6_stateless". The value should be an IPv6
1609 prefix which will be used for stateless IPv6 address
1610 configuration. This option can be defined multiple times.
1617 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1621 Valid only in the ingress pipeline.
1625 When this action is applied to an IPv6 Router solicitation request
1626 packet, it changes the packet into an IPv6 Router Advertisement
1627 reply and adds the options specified in the parameters, and stores
1632 When this action is applied to a non-IPv6 Router solicitation
1633 packet or an invalid IPv6 request packet , it leaves the packet
1634 unchanged and stores
0 in
<var>R
</var>.
1640 reg0[
3] = put_nd_ra_opts(addr_mode =
"slaac",
1641 slla =
00:
00:
00:
00:
10:
02, prefix = aef0::/
64, mtu =
1450);
1646 <dt><code>set_meter(
<var>rate
</var>);
</code></dt>
1647 <dt><code>set_meter(
<var>rate
</var>,
<var>burst
</var>);
</code></dt>
1650 <b>Parameters
</b>: rate limit int field
<var>rate
</var> in kbps,
1651 burst rate limits int field
<var>burst
</var> in kbps.
1655 This action sets the rate limit for a flow.
1658 <p><b>Example:
</b> <code>set_meter(
100,
1000);
</code></p>
1664 <code>log(
<var>key
</var>=
<var>value
</var>,
</code>...
<code>);
</code>
1669 Causes
<code>ovn-controller
</code> to log the packet on the chassis
1670 that processes it. Packet logging currently uses the same logging
1671 mechanism as other Open vSwitch and OVN messages, which means that
1672 whether and where log messages appear depends on the local logging
1673 configuration that can be configured with
<code>ovs-appctl
</code>,
1677 The
<code>log
</code> action takes zero or more of the following
1678 key-value pair arguments that control what is logged:
1681 <dt><code>name=
</code><var>string
</var></dt>
1683 An optional name for the ACL. The
<var>string
</var> is
1684 currently limited to
64 bytes.
1686 <dt><code>severity=
</code><var>level
</var></dt>
1688 Indicates the severity of the event. The
<var>level
</var> is one
1689 of following (from more to less serious):
<code>alert
</code>,
1690 <code>warning
</code>,
<code>notice
</code>,
<code>info
</code>, or
1691 <code>debug
</code>. If a severity is not provided, the default
1692 is
<code>info
</code>.
1694 <dt><code>verdict=
</code><var>value
</var></dt>
1696 The verdict for packets matching the flow. The value must be one
1697 of
<code>allow
</code>,
<code>deny
</code>, or
<code>reject
</code>.
1704 The following actions will likely be useful later, but they have not
1705 been thought out carefully.
1709 <dt><code>icmp4 {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1712 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1713 packet and executes each nested
<var>action
</var> on the ICMPv4
1714 packet. Actions following the
<var>icmp4
</var> action, if any,
1715 apply to the original, unmodified packet.
1719 The ICMPv4 packet that this action operates on is initialized based
1720 on the IPv4 packet being processed, as follows. These are default
1721 values that the nested actions will probably want to change.
1722 Ethernet and IPv4 fields not listed here are not changed:
1726 <li><code>ip.proto =
1</code> (ICMPv4)
</li>
1727 <li><code>ip.frag =
0</code> (not a fragment)
</li>
1728 <li><code>icmp4.type =
3</code> (destination unreachable)
</li>
1729 <li><code>icmp4.code =
1</code> (host unreachable)
</li>
1736 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1739 <dt><code>tcp_reset;
</code></dt>
1742 This action transforms the current TCP packet according to the
1743 following pseudocode:
1750 tcp.ack = tcp.seq + length(tcp.payload);
1757 Then, the action drops all TCP options and payload data, and
1758 updates the TCP checksum.
1765 <p><b>Prerequisite:
</b> <code>tcp
</code></p>
1770 <column name=
"external_ids" key=
"stage-name">
1771 Human-readable name for this flow's stage in the pipeline.
1774 <column name=
"external_ids" key=
"stage-hint" type='{
"type":
"uuid"}'
>
1775 UUID of a
<ref db=
"OVN_Northbound"/> record that caused this logical flow
1776 to be created. Currently used only for attribute of logical flows to
1777 northbound
<ref db=
"OVN_Northbound" table=
"ACL"/> records.
1780 <column name=
"external_ids" key=
"source">
1781 Source file and line number of the code that added this flow to the
1785 <group title=
"Common Columns">
1786 The overall purpose of these columns is described under
<code>Common
1787 Columns
</code> at the beginning of this document.
1789 <column name=
"external_ids"/>
1793 <table name=
"Multicast_Group" title=
"Logical Port Multicast Groups">
1795 The rows in this table define multicast groups of logical ports.
1796 Multicast groups allow a single packet transmitted over a tunnel to a
1797 hypervisor to be delivered to multiple VMs on that hypervisor, which
1798 uses bandwidth more efficiently.
1802 Each row in this table defines a logical multicast group numbered
<ref
1803 column=
"tunnel_key"/> within
<ref column=
"datapath"/>, whose logical
1804 ports are listed in the
<ref column=
"ports"/> column.
1807 <column name=
"datapath">
1808 The logical datapath in which the multicast group resides.
1811 <column name=
"tunnel_key">
1812 The value used to designate this logical egress port in tunnel
1813 encapsulations. An index forces the key to be unique within the
<ref
1814 column=
"datapath"/>. The unusual range ensures that multicast group IDs
1815 do not overlap with logical port IDs.
1818 <column name=
"name">
1820 The logical multicast group's name. An index forces the name to be
1821 unique within the
<ref column=
"datapath"/>. Logical flows in the
1822 ingress pipeline may output to the group just as for individual logical
1823 ports, by assigning the group's name to
<code>outport
</code> and
1824 executing an
<code>output
</code> action.
1828 Multicast group names and logical port names share a single namespace
1829 and thus should not overlap (but the database schema cannot enforce
1830 this). To try to avoid conflicts,
<code>ovn-northd
</code> uses names
1831 that begin with
<code>_MC_
</code>.
1835 <column name=
"ports">
1836 The logical ports included in the multicast group. All of these ports
1837 must be in the
<ref column=
"datapath"/> logical datapath (but the
1838 database schema cannot enforce this).
1842 <table name=
"Datapath_Binding" title=
"Physical-Logical Datapath Bindings">
1844 Each row in this table represents a logical datapath, which implements a
1845 logical pipeline among the ports in the
<ref table=
"Port_Binding"/> table
1846 associated with it. In practice, the pipeline in a given logical
1847 datapath implements either a logical switch or a logical router.
1851 The main purpose of a row in this table is provide a physical binding for
1852 a logical datapath. A logical datapath does not have a physical
1853 location, so its physical binding information is limited: just
<ref
1854 column=
"tunnel_key"/>. The rest of the data in this table does not
1855 affect packet forwarding.
1858 <column name=
"tunnel_key">
1859 The tunnel key value to which the logical datapath is bound.
1860 The
<code>Tunnel Encapsulation
</code> section in
1861 <code>ovn-architecture
</code>(
7) describes how tunnel keys are
1862 constructed for each supported encapsulation.
1865 <group title=
"OVN_Northbound Relationship">
1867 Each row in
<ref table=
"Datapath_Binding"/> is associated with some
1868 logical datapath.
<code>ovn-northd
</code> uses these keys to track the
1869 association of a logical datapath with concepts in the
<ref
1870 db=
"OVN_Northbound"/> database.
1873 <column name=
"external_ids" key=
"logical-switch" type='{
"type":
"uuid"}'
>
1874 For a logical datapath that represents a logical switch,
1875 <code>ovn-northd
</code> stores in this key the UUID of the
1876 corresponding
<ref table=
"Logical_Switch" db=
"OVN_Northbound"/> row in
1877 the
<ref db=
"OVN_Northbound"/> database.
1880 <column name=
"external_ids" key=
"logical-router" type='{
"type":
"uuid"}'
>
1881 For a logical datapath that represents a logical router,
1882 <code>ovn-northd
</code> stores in this key the UUID of the
1883 corresponding
<ref table=
"Logical_Router" db=
"OVN_Northbound"/> row in
1884 the
<ref db=
"OVN_Northbound"/> database.
1887 <group title=
"Naming">
1889 <code>ovn-northd
</code> copies these from the name fields in the
<ref
1890 db=
"OVN_Northbound"/> database, either from
<ref
1891 table=
"Logical_Router" db=
"OVN_Northbound" column=
"name"/> and
<ref
1892 table=
"Logical_Router" db=
"OVN_Northbound" column=
"external_ids"
1893 key=
"neutron:router_name"/> in the
<ref table=
"Logical_Router"
1894 db=
"OVN_Northbound"/> table or from
<ref table=
"Logical_Switch"
1895 db=
"OVN_Northbound" column=
"name"/> and
<ref table=
"Logical_Switch"
1896 db=
"OVN_Northbound" column=
"external_ids"
1897 key=
"neutron:network_name"/> in the
<ref table=
"Logical_Switch"
1898 db=
"OVN_Northbound"/> table.
1901 <column name=
"external_ids" key=
"name">
1902 A name for the logical datapath.
1905 <column name=
"external_ids" key=
"name2">
1906 Another name for the logical datapath.
1911 <group title=
"Common Columns">
1912 The overall purpose of these columns is described under
<code>Common
1913 Columns
</code> at the beginning of this document.
1915 <column name=
"external_ids"/>
1919 <table name=
"Port_Binding" title=
"Physical-Logical Port Bindings">
1921 Each row in this table binds a logical port to a realization. For most
1922 logical ports, this means binding to some physical location, for example
1923 by binding a logical port to a VIF that belongs to a VM running on a
1924 particular hypervisor. Other logical ports, such as logical patch ports,
1925 can be realized without a specific physical location, but their bindings
1926 are still expressed through rows in this table.
1930 For every
<code>Logical_Switch_Port
</code> record in
1931 <code>OVN_Northbound
</code> database,
<code>ovn-northd
</code>
1932 creates a record in this table.
<code>ovn-northd
</code> populates
1933 and maintains every column except the
<code>chassis
</code> column,
1934 which it leaves empty in new records.
1938 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>
1939 populates the
<code>chassis
</code> column for the records that
1940 identify the logical ports that are located on its hypervisor/gateway,
1941 which
<code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> in
1942 turn finds out by monitoring the local hypervisor's Open_vSwitch
1943 database, which identifies logical ports via the conventions described
1944 in
<code>IntegrationGuide.rst
</code>. (The exceptions are for
1945 <code>Port_Binding
</code> records with
<code>type
</code> of
1946 <code>l3gateway
</code>, whose locations are identified by
1947 <code>ovn-northd
</code> via the
<code>options:l3gateway-chassis
</code>
1948 column in this table.
<code>ovn-controller
</code> is still responsible
1949 to populate the
<code>chassis
</code> column.)
1953 When a chassis shuts down gracefully, it should clean up the
1954 <code>chassis
</code> column that it previously had populated.
1955 (This is not critical because resources hosted on the chassis are equally
1956 unreachable regardless of whether their rows are present.) To handle the
1957 case where a VM is shut down abruptly on one chassis, then brought up
1958 again on a different one,
1959 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> must
1960 overwrite the
<code>chassis
</code> column with new information.
1963 <group title=
"Core Features">
1964 <column name=
"datapath">
1965 The logical datapath to which the logical port belongs.
1968 <column name=
"logical_port">
1969 A logical port, taken from
<ref table=
"Logical_Switch_Port"
1970 column=
"name" db=
"OVN_Northbound"/> in the OVN_Northbound
1971 database's
<ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/>
1972 table. OVN does not prescribe a particular format for the
1976 <column name=
"chassis">
1977 The meaning of this column depends on the value of the
<ref column=
"type"/>
1978 column. This is the meaning for each
<ref column=
"type"/>
1981 <dt>(empty string)
</dt>
1983 The physical location of the logical port. To successfully identify a
1984 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
1985 populated by
<code>ovn-controller
</code>.
1990 The physical location of the hardware_vtep gateway. To successfully
1991 identify a chassis, this column must be a
<ref table=
"Chassis"/> record.
1992 This is populated by
<code>ovn-controller-vtep
</code>.
1997 Always empty. A localnet port is realized on every chassis that has
1998 connectivity to the corresponding physical network.
2003 Always empty. A localport port is present on every chassis.
2008 The physical location of the L3 gateway. To successfully identify a
2009 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
2010 populated by
<code>ovn-controller
</code> based on the value of
2011 the
<code>options:l3gateway-chassis
</code> column in this table.
2016 The physical location of this L2 gateway. To successfully identify a
2017 chassis, this column must be a
<ref table=
"Chassis"/> record.
2018 This is populated by
<code>ovn-controller
</code> based on the value
2019 of the
<code>options:l2gateway-chassis
</code> column in this table.
2025 <column name=
"gateway_chassis">
2027 A list of
<ref table=
"Gateway_Chassis"/>.
2030 This should only be populated for ports with
2031 <ref column=
"type"/> set to
<code>chassisredirect
</code>.
2032 This column defines the list of chassis used as gateways where
2033 traffic will be redirected through.
2037 <column name=
"tunnel_key">
2039 A number that represents the logical port in the key (e.g. STT key or
2040 Geneve TLV) field carried within tunnel protocol packets.
2044 The tunnel ID must be unique within the scope of a logical datapath.
2050 The Ethernet address or addresses used as a source address on the
2051 logical port, each in the form
2052 <var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>.
2053 The string
<code>unknown
</code> is also allowed to indicate that the
2054 logical port has an unknown set of (additional) source addresses.
2058 A VM interface would ordinarily have a single Ethernet address. A
2059 gateway port might initially only have
<code>unknown
</code>, and then
2060 add MAC addresses to the set as it learns new source addresses.
2064 <column name=
"type">
2066 A type for this logical port. Logical ports can be used to model other
2067 types of connectivity into an OVN logical switch. The following types
2072 <dt>(empty string)
</dt>
2073 <dd>VM (or VIF) interface.
</dd>
2075 <dt><code>patch
</code></dt>
2077 One of a pair of logical ports that act as if connected by a patch
2078 cable. Useful for connecting two logical datapaths, e.g. to connect
2079 a logical router to a logical switch or to another logical router.
2082 <dt><code>l3gateway
</code></dt>
2084 One of a pair of logical ports that act as if connected by a patch
2085 cable across multiple chassis. Useful for connecting a logical
2086 switch with a Gateway router (which is only resident on a
2087 particular chassis).
2090 <dt><code>localnet
</code></dt>
2092 A connection to a locally accessible network from each
2093 <code>ovn-controller
</code> instance. A logical switch can only
2094 have a single
<code>localnet
</code> port attached. This is used
2095 to model direct connectivity to an existing network.
2098 <dt><code>localport
</code></dt>
2100 A connection to a local VIF. Traffic that arrives on a
2101 <code>localport
</code> is never forwarded over a tunnel to another
2102 chassis. These ports are present on every chassis and have the same
2103 address in all of them. This is used to model connectivity to local
2104 services that run on every hypervisor.
2107 <dt><code>l2gateway
</code></dt>
2109 An L2 connection to a physical network. The chassis this
2110 <ref table=
"Port_Binding"/> is bound to will serve as
2111 an L2 gateway to the network named by
2112 <ref column=
"options" table=
"Port_Binding"/>:
<code>network_name
</code>.
2115 <dt><code>vtep
</code></dt>
2117 A port to a logical switch on a VTEP gateway chassis. In order to
2118 get this port correctly recognized by the OVN controller, the
<ref
2120 table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code> and
<ref
2122 table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code> must also
2126 <dt><code>chassisredirect
</code></dt>
2128 A logical port that represents a particular instance, bound
2129 to a specific chassis, of an otherwise distributed parent
2130 port (e.g. of type
<code>patch
</code>). A
2131 <code>chassisredirect
</code> port should never be used as an
2132 <code>inport
</code>. When an ingress pipeline sets the
2133 <code>outport
</code>, it may set the value to a logical port
2134 of type
<code>chassisredirect
</code>. This will cause the
2135 packet to be directed to a specific chassis to carry out the
2136 egress pipeline. At the beginning of the egress pipeline,
2137 the
<code>outport
</code> will be reset to the value of the
2144 <group title=
"Patch Options">
2146 These options apply to logical ports with
<ref column=
"type"/> of
2150 <column name=
"options" key=
"peer">
2151 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
2152 record for the other side of the patch. The named
<ref
2153 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
2154 in its own
<code>peer
</code> option. That is, the two patch logical
2155 ports must have reversed
<ref column=
"logical_port"/> and
2156 <code>peer
</code> values.
2159 <column name=
"nat_addresses">
2160 MAC address followed by a list of SNAT and DNAT external IP
2161 addresses, followed by
2162 <code>is_chassis_resident(
"<var>lport</var>")
</code>, where
2163 <var>lport
</var> is the name of a logical port on the same chassis
2164 where the corresponding NAT rules are applied. This is used to
2165 send gratuitous ARPs for SNAT and DNAT external IP addresses via
2166 <code>localnet
</code>, from the chassis where
<var>lport
</var>
2167 resides. Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22
2168 158.36.44.24 is_chassis_resident(
"foo1")
</code>. This would result
2169 in generation of gratuitous ARPs for IP addresses
158.36.44.22 and
2170 158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7 from the chassis
2171 where the logical port
"foo1" resides.
2175 <group title=
"L3 Gateway Options">
2177 These options apply to logical ports with
<ref column=
"type"/> of
2178 <code>l3gateway
</code>.
2181 <column name=
"options" key=
"peer">
2182 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
2183 record for the other side of the 'l3gateway' port. The named
<ref
2184 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
2185 in its own
<code>peer
</code> option. That is, the two 'l3gateway'
2186 logical ports must have reversed
<ref column=
"logical_port"/> and
2187 <code>peer
</code> values.
2190 <column name=
"options" key=
"l3gateway-chassis">
2191 The
<code>chassis
</code> in which the port resides.
2194 <column name=
"options" key=
"nat-addresses">
2195 MAC address of the
<code>l3gateway
</code> port followed by a list of
2196 SNAT and DNAT external IP addresses. This is used to send gratuitous
2197 ARPs for SNAT and DNAT external IP addresses via
<code>localnet
</code>.
2198 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22 158.36.44.24</code>.
2199 This would result in generation of gratuitous ARPs for IP addresses
2200 158.36.44.22 and
158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7.
2201 This is used in OVS versions prior to
2.8.
2204 <column name=
"nat_addresses">
2205 MAC address of the
<code>l3gateway
</code> port followed by a list of
2206 SNAT and DNAT external IP addresses. This is used to send gratuitous
2207 ARPs for SNAT and DNAT external IP addresses via
<code>localnet
</code>.
2208 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22 158.36.44.24</code>.
2209 This would result in generation of gratuitous ARPs for IP addresses
2210 158.36.44.22 and
158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7.
2211 This is used in OVS version
2.8 and later versions.
2215 <group title=
"Localnet Options">
2217 These options apply to logical ports with
<ref column=
"type"/> of
2218 <code>localnet
</code>.
2221 <column name=
"options" key=
"network_name">
2222 Required.
<code>ovn-controller
</code> uses the configuration entry
2223 <code>ovn-bridge-mappings
</code> to determine how to connect to this
2224 network.
<code>ovn-bridge-mappings
</code> is a list of network names
2225 mapped to a local OVS bridge that provides access to that network. An
2226 example of configuring
<code>ovn-bridge-mappings
</code> would be:
2228 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
2231 When a logical switch has a
<code>localnet
</code> port attached,
2232 every chassis that may have a local vif attached to that logical
2233 switch must have a bridge mapping configured to reach that
2234 <code>localnet
</code>. Traffic that arrives on a
2235 <code>localnet
</code> port is never forwarded over a tunnel to
2241 If set, indicates that the port represents a connection to a specific
2242 VLAN on a locally accessible network. The VLAN ID is used to match
2243 incoming traffic and is also added to outgoing traffic.
2247 <group title=
"L2 Gateway Options">
2249 These options apply to logical ports with
<ref column=
"type"/> of
2250 <code>l2gateway
</code>.
2253 <column name=
"options" key=
"network_name">
2254 Required.
<code>ovn-controller
</code> uses the configuration entry
2255 <code>ovn-bridge-mappings
</code> to determine how to connect to this
2256 network.
<code>ovn-bridge-mappings
</code> is a list of network names
2257 mapped to a local OVS bridge that provides access to that network. An
2258 example of configuring
<code>ovn-bridge-mappings
</code> would be:
2260 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
2263 When a logical switch has a
<code>l2gateway
</code> port attached,
2264 the chassis that the
<code>l2gateway
</code> port is bound to
2265 must have a bridge mapping configured to reach the network
2266 identified by
<code>network_name
</code>.
2270 <column name=
"options" key=
"l2gateway-chassis">
2271 Required. The
<code>chassis
</code> in which the port resides.
2275 If set, indicates that the gateway is connected to a specific
2276 VLAN on the physical network. The VLAN ID is used to match
2277 incoming traffic and is also added to outgoing traffic.
2281 <group title=
"VTEP Options">
2283 These options apply to logical ports with
<ref column=
"type"/> of
2287 <column name=
"options" key=
"vtep-physical-switch">
2288 Required. The name of the VTEP gateway.
2291 <column name=
"options" key=
"vtep-logical-switch">
2292 Required. A logical switch name connected by the VTEP gateway. Must
2293 be set when
<ref column=
"type"/> is
<code>vtep
</code>.
2297 <group title=
"VMI (or VIF) Options">
2299 These options apply to logical ports with
<ref column=
"type"/> having
2303 <column name=
"options" key=
"requested-chassis">
2304 If set, identifies a specific chassis (by name or hostname) that
2305 is allowed to bind this port. Using this option will prevent
2306 thrashing between two chassis trying to bind the same port during
2307 a live migration. It can also prevent similar thrashing due to a
2308 mis-configuration, if a port is accidentally created on more than
2312 <column name=
"options" key=
"qos_max_rate">
2313 If set, indicates the maximum rate for data sent from this interface,
2314 in bit/s. The traffic will be shaped according to this limit.
2317 <column name=
"options" key=
"qos_burst">
2318 If set, indicates the maximum burst size for data sent from this
2322 <column name=
"options" key=
"qdisc_queue_id"
2323 type='{
"type":
"integer",
"minInteger":
1,
"maxInteger":
61440}'
>
2324 Indicates the queue number on the physical device. This is same as the
2325 <code>queue_id
</code> used in OpenFlow in
<code>struct
2326 ofp_action_enqueue
</code>.
2330 <group title=
"Chassis Redirect Options">
2332 These options apply to logical ports with
<ref column=
"type"/>
2333 of
<code>chassisredirect
</code>.
2336 <column name=
"options" key=
"distributed-port">
2337 The name of the distributed port for which this
2338 <code>chassisredirect
</code> port represents a particular instance.
2341 <column name=
"options" key=
"redirect-chassis">
2342 The
<code>chassis
</code> that this
<code>chassisredirect
</code> port
2343 is bound to. This is taken from
<ref table=
"Logical_Router_Port"
2344 column=
"options" key=
"redirect-chassis" db=
"OVN_Northbound"/>
2345 in the OVN_Northbound database's
<ref table=
"Logical_Router_Port"
2346 db=
"OVN_Northbound"/> table.
2350 <group title=
"Nested Containers">
2352 These columns support containers nested within a VM. Specifically,
2353 they are used when
<ref column=
"type"/> is empty and
<ref
2354 column=
"logical_port"/> identifies the interface of a container spawned
2355 inside a VM. They are empty for containers or VMs that run directly on
2359 <column name=
"parent_port">
2361 <ref table=
"Logical_Switch_Port" column=
"parent_name"
2362 db=
"OVN_Northbound"/> in the OVN_Northbound database's
2363 <ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/> table.
2368 Identifies the VLAN tag in the network traffic associated with that
2369 container's network interface.
2373 This column is used for a different purpose when
<ref column=
"type"/>
2374 is
<code>localnet
</code> (see
<code>Localnet Options
</code>, above)
2375 or
<code>l2gateway
</code> (see
<code>L2 Gateway Options
</code>, above).
2380 <group title=
"Naming">
2381 <column name=
"external_ids" key=
"name">
2383 For a logical switch port,
<code>ovn-northd
</code> copies this from
2384 <ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"
2385 column=
"external_ids" key=
"neutron:port_name"/> in the
<ref
2386 table=
"Logical_Switch_Port" db=
"OVN_Northbound"/> table in the
2387 OVN_Northbound database, if it is a nonempty string.
2391 For a logical switch port,
<code>ovn-northd
</code> does not currently
2397 <group title=
"Common Columns">
2398 <column name=
"external_ids">
2400 See
<em>External IDs
</em> at the beginning of this document.
2404 The
<code>ovn-northd
</code> program populates this column with
2405 all entries into the
<ref column=
"external_ids"/> column of the
2406 <ref table=
"Logical_Switch_Port"/> table of the
2407 <ref db=
"OVN_Northbound"/> database.
2413 <table name=
"MAC_Binding" title=
"IP to MAC bindings">
2415 Each row in this table specifies a binding from an IP address to an
2416 Ethernet address that has been discovered through ARP (for IPv4) or
2417 neighbor discovery (for IPv6). This table is primarily used to discover
2418 bindings on physical networks, because IP-to-MAC bindings for virtual
2419 machines are usually populated statically into the
<ref
2420 table=
"Port_Binding"/> table.
2424 This table expresses a functional relationship:
<ref
2425 table=
"MAC_Binding"/>(
<ref column=
"logical_port"/>,
<ref column=
"ip"/>) =
2426 <ref column=
"mac"/>.
2430 In outline, the lifetime of a logical router's MAC binding looks like
2436 On hypervisor
1, a logical router determines that a packet should be
2437 forwarded to IP address
<var>A
</var> on one of its router ports. It
2438 uses its logical flow table to determine that
<var>A
</var> lacks a
2439 static IP-to-MAC binding and the
<code>get_arp
</code> action to
2440 determine that it lacks a dynamic IP-to-MAC binding.
2444 Using an OVN logical
<code>arp
</code> action, the logical router
2445 generates and sends a broadcast ARP request to the router port. It
2446 drops the IP packet.
2450 The logical switch attached to the router port delivers the ARP request
2451 to all of its ports. (It might make sense to deliver it only to ports
2452 that have no static IP-to-MAC bindings, but this could also be
2453 surprising behavior.)
2457 A host or VM on hypervisor
2 (which might be the same as hypervisor
1)
2458 attached to the logical switch owns the IP address in question. It
2459 composes an ARP reply and unicasts it to the logical router port's
2464 The logical switch delivers the ARP reply to the logical router port.
2468 The logical router flow table executes a
<code>put_arp
</code> action.
2469 To record the IP-to-MAC binding,
<code>ovn-controller
</code> adds a row
2470 to the
<ref table=
"MAC_Binding"/> table.
2474 On hypervisor
1,
<code>ovn-controller
</code> receives the updated
<ref
2475 table=
"MAC_Binding"/> table from the OVN southbound database. The next
2476 packet destined to
<var>A
</var> through the logical router is sent
2477 directly to the bound Ethernet address.
2481 <column name=
"logical_port">
2482 The logical port on which the binding was discovered.
2486 The bound IP address.
2490 The Ethernet address to which the IP is bound.
2492 <column name=
"datapath">
2493 The logical datapath to which the logical port belongs.
2497 <table name=
"DHCP_Options" title=
"DHCP Options supported by native OVN DHCP">
2499 Each row in this table stores the DHCP Options supported by native OVN
2500 DHCP.
<code>ovn-northd
</code> populates this table with the supported
2501 DHCP options.
<code>ovn-controller
</code> looks up this table to get the
2502 DHCP codes of the DHCP options defined in the
"put_dhcp_opts" action.
2503 Please refer to the RFC
2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
2504 for the possible list of DHCP options that can be defined here.
2507 <column name=
"name">
2509 Name of the DHCP option.
2513 Example.
name=
"router"
2517 <column name=
"code">
2519 DHCP option code for the DHCP option as defined in the RFC
2132.
2527 <column name=
"type">
2529 Data type of the DHCP option code.
2533 <dt><code>value: bool
</code></dt>
2536 This indicates that the value of the DHCP option is a bool.
2540 Example.
"name=ip_forward_enable",
"code=19",
"type=bool".
2544 put_dhcp_opts(..., ip_forward_enable =
1,...)
2548 <dt><code>value: uint8
</code></dt>
2551 This indicates that the value of the DHCP option is an unsigned
2556 Example.
"name=default_ttl",
"code=23",
"type=uint8".
2560 put_dhcp_opts(..., default_ttl =
50,...)
2564 <dt><code>value: uint16
</code></dt>
2567 This indicates that the value of the DHCP option is an unsigned
2572 Example.
"name=mtu",
"code=26",
"type=uint16".
2576 put_dhcp_opts(..., mtu =
1450,...)
2580 <dt><code>value: uint32
</code></dt>
2583 This indicates that the value of the DHCP option is an unsigned
2588 Example.
"name=lease_time",
"code=51",
"type=uint32".
2592 put_dhcp_opts(..., lease_time =
86400,...)
2596 <dt><code>value: ipv4
</code></dt>
2599 This indicates that the value of the DHCP option is an IPv4
2600 address or addresses.
2604 Example.
"name=router",
"code=3",
"type=ipv4".
2608 put_dhcp_opts(..., router =
10.0.0.1,...)
2612 Example.
"name=dns_server",
"code=6",
"type=ipv4".
2616 put_dhcp_opts(..., dns_server = {
8.8.8.8 7.7.7.7},...)
2620 <dt><code>value: static_routes
</code></dt>
2623 This indicates that the value of the DHCP option contains a pair of
2624 IPv4 route and next hop addresses.
2628 Example.
"name=classless_static_route",
"code=121",
"type=static_routes".
2632 put_dhcp_opts(..., classless_static_route = {
30.0.0.0/
24,
10.0.0.4,
0.0.0.0/
0,
10.0.0.1}...)
2636 <dt><code>value: str
</code></dt>
2639 This indicates that the value of the DHCP option is a string.
2643 Example.
"name=host_name",
"code=12",
"type=str".
2650 <table name=
"DHCPv6_Options" title=
"DHCPv6 Options supported by native OVN DHCPv6">
2652 Each row in this table stores the DHCPv6 Options supported by native OVN
2653 DHCPv6.
<code>ovn-northd
</code> populates this table with the supported
2654 DHCPv6 options.
<code>ovn-controller
</code> looks up this table to get
2655 the DHCPv6 codes of the DHCPv6 options defined in the
2656 <code>put_dhcpv6_opts
</code> action. Please refer to RFC
3315 and RFC
2657 3646 for the list of DHCPv6 options that can be defined here.
2660 <column name=
"name">
2662 Name of the DHCPv6 option.
2666 Example.
name=
"ia_addr"
2670 <column name=
"code">
2672 DHCPv6 option code for the DHCPv6 option as defined in the appropriate
2681 <column name=
"type">
2683 Data type of the DHCPv6 option code.
2687 <dt><code>value: ipv6
</code></dt>
2690 This indicates that the value of the DHCPv6 option is an IPv6
2695 Example.
"name=ia_addr",
"code=5",
"type=ipv6".
2699 put_dhcpv6_opts(..., ia_addr = ae70::
4,...)
2703 <dt><code>value: str
</code></dt>
2706 This indicates that the value of the DHCPv6 option is a string.
2710 Example.
"name=domain_search",
"code=24",
"type=str".
2714 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2718 <dt><code>value: mac
</code></dt>
2721 This indicates that the value of the DHCPv6 option is a MAC address.
2725 Example.
"name=server_id",
"code=2",
"type=mac".
2729 put_dhcpv6_opts(..., server_id =
01:
02:
03:
04L05:
06,...)
2735 <table name=
"Connection" title=
"OVSDB client connections.">
2737 Configuration for a database connection to an Open vSwitch database
2742 This table primarily configures the Open vSwitch database server
2743 (
<code>ovsdb-server
</code>).
2747 The Open vSwitch database server can initiate and maintain active
2748 connections to remote clients. It can also listen for database
2752 <group title=
"Core Features">
2753 <column name=
"target">
2754 <p>Connection methods for clients.
</p>
2756 The following connection methods are currently supported:
2759 <dt><code>ssl:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2762 The specified SSL
<var>port
</var> on the host at the given
2763 <var>ip
</var>, which must be expressed as an IP address
2764 (not a DNS name). A valid SSL configuration must be provided
2765 when this form is used, this configuration can be specified
2766 via command-line options or the
<ref table=
"SSL"/> table.
2769 If
<var>port
</var> is not specified, it defaults to
6640.
2772 SSL support is an optional feature that is not always
2773 built as part of Open vSwitch.
2777 <dt><code>tcp:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2780 The specified TCP
<var>port
</var> on the host at the given
2781 <var>ip
</var>, which must be expressed as an IP address (not a
2782 DNS name), where
<var>ip
</var> can be IPv4 or IPv6 address. If
2783 <var>ip
</var> is an IPv6 address, wrap it in square brackets,
2784 e.g.
<code>tcp:[::
1]:
6640</code>.
2787 If
<var>port
</var> is not specified, it defaults to
6640.
2790 <dt><code>pssl:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2793 Listens for SSL connections on the specified TCP
<var>port
</var>.
2794 Specify
0 for
<var>port
</var> to have the kernel automatically
2795 choose an available port. If
<var>ip
</var>, which must be
2796 expressed as an IP address (not a DNS name), is specified, then
2797 connections are restricted to the specified local IP address
2798 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2799 address, wrap in square brackets,
2800 e.g.
<code>pssl:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2801 specified then it listens only on IPv4 (but not IPv6) addresses.
2802 A valid SSL configuration must be provided when this form is used,
2803 this can be specified either via command-line options or the
2804 <ref table=
"SSL"/> table.
2807 If
<var>port
</var> is not specified, it defaults to
6640.
2810 SSL support is an optional feature that is not always built as
2811 part of Open vSwitch.
2814 <dt><code>ptcp:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2817 Listens for connections on the specified TCP
<var>port
</var>.
2818 Specify
0 for
<var>port
</var> to have the kernel automatically
2819 choose an available port. If
<var>ip
</var>, which must be
2820 expressed as an IP address (not a DNS name), is specified, then
2821 connections are restricted to the specified local IP address
2822 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2823 address, wrap it in square brackets,
2824 e.g.
<code>ptcp:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2825 specified then it listens only on IPv4 addresses.
2828 If
<var>port
</var> is not specified, it defaults to
6640.
2832 <p>When multiple clients are configured, the
<ref column=
"target"/>
2833 values must be unique. Duplicate
<ref column=
"target"/> values yield
2834 unspecified results.
</p>
2837 <column name=
"read_only">
2838 <code>true
</code> to restrict these connections to read-only
2839 transactions,
<code>false
</code> to allow them to modify the database.
2841 <column name=
"role">
2842 String containing role name for this connection entry.
2846 <group title=
"Client Failure Detection and Handling">
2847 <column name=
"max_backoff">
2848 Maximum number of milliseconds to wait between connection attempts.
2849 Default is implementation-specific.
2852 <column name=
"inactivity_probe">
2853 Maximum number of milliseconds of idle time on connection to the client
2854 before sending an inactivity probe message. If Open vSwitch does not
2855 communicate with the client for the specified number of seconds, it
2856 will send a probe. If a response is not received for the same
2857 additional amount of time, Open vSwitch assumes the connection has been
2858 broken and attempts to reconnect. Default is implementation-specific.
2859 A value of
0 disables inactivity probes.
2863 <group title=
"Status">
2865 Key-value pair of
<ref column=
"is_connected"/> is always updated.
2866 Other key-value pairs in the status columns may be updated depends
2867 on the
<ref column=
"target"/> type.
2871 When
<ref column=
"target"/> specifies a connection method that
2872 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2873 <code>punix:
</code>), both
<ref column=
"n_connections"/> and
2874 <ref column=
"is_connected"/> may also be updated while the
2875 remaining key-value pairs are omitted.
2879 On the other hand, when
<ref column=
"target"/> specifies an
2880 outbound connection, all key-value pairs may be updated, except
2881 the above-mentioned two key-value pairs associated with inbound
2882 connection targets. They are omitted.
2885 <column name=
"is_connected">
2886 <code>true
</code> if currently connected to this client,
2887 <code>false
</code> otherwise.
2890 <column name=
"status" key=
"last_error">
2891 A human-readable description of the last error on the connection
2892 to the manager; i.e.
<code>strerror(errno)
</code>. This key
2893 will exist only if an error has occurred.
2896 <column name=
"status" key=
"state"
2897 type='{
"type":
"string",
"enum": [
"set", [
"VOID",
"BACKOFF",
"CONNECTING",
"ACTIVE",
"IDLE"]]}'
>
2899 The state of the connection to the manager:
2902 <dt><code>VOID
</code></dt>
2903 <dd>Connection is disabled.
</dd>
2905 <dt><code>BACKOFF
</code></dt>
2906 <dd>Attempting to reconnect at an increasing period.
</dd>
2908 <dt><code>CONNECTING
</code></dt>
2909 <dd>Attempting to connect.
</dd>
2911 <dt><code>ACTIVE
</code></dt>
2912 <dd>Connected, remote host responsive.
</dd>
2914 <dt><code>IDLE
</code></dt>
2915 <dd>Connection is idle. Waiting for response to keep-alive.
</dd>
2918 These values may change in the future. They are provided only for
2923 <column name=
"status" key=
"sec_since_connect"
2924 type='{
"type":
"integer",
"minInteger":
0}'
>
2925 The amount of time since this client last successfully connected
2926 to the database (in seconds). Value is empty if client has never
2927 successfully been connected.
2930 <column name=
"status" key=
"sec_since_disconnect"
2931 type='{
"type":
"integer",
"minInteger":
0}'
>
2932 The amount of time since this client last disconnected from the
2933 database (in seconds). Value is empty if client has never
2937 <column name=
"status" key=
"locks_held">
2938 Space-separated list of the names of OVSDB locks that the connection
2939 holds. Omitted if the connection does not hold any locks.
2942 <column name=
"status" key=
"locks_waiting">
2943 Space-separated list of the names of OVSDB locks that the connection is
2944 currently waiting to acquire. Omitted if the connection is not waiting
2948 <column name=
"status" key=
"locks_lost">
2949 Space-separated list of the names of OVSDB locks that the connection
2950 has had stolen by another OVSDB client. Omitted if no locks have been
2951 stolen from this connection.
2954 <column name=
"status" key=
"n_connections"
2955 type='{
"type":
"integer",
"minInteger":
2}'
>
2956 When
<ref column=
"target"/> specifies a connection method that
2957 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2958 <code>pssl:
</code>) and more than one connection is actually active,
2959 the value is the number of active connections. Otherwise, this
2960 key-value pair is omitted.
2963 <column name=
"status" key=
"bound_port" type='{
"type":
"integer"}'
>
2964 When
<ref column=
"target"/> is
<code>ptcp:
</code> or
2965 <code>pssl:
</code>, this is the TCP port on which the OVSDB server is
2966 listening. (This is particularly useful when
<ref
2967 column=
"target"/> specifies a port of
0, allowing the kernel to
2968 choose any available port.)
2972 <group title=
"Common Columns">
2973 The overall purpose of these columns is described under
<code>Common
2974 Columns
</code> at the beginning of this document.
2976 <column name=
"external_ids"/>
2977 <column name=
"other_config"/>
2981 SSL configuration for ovn-sb database access.
2983 <column name=
"private_key">
2984 Name of a PEM file containing the private key used as the switch's
2985 identity for SSL connections to the controller.
2988 <column name=
"certificate">
2989 Name of a PEM file containing a certificate, signed by the
2990 certificate authority (CA) used by the controller and manager,
2991 that certifies the switch's private key, identifying a trustworthy
2995 <column name=
"ca_cert">
2996 Name of a PEM file containing the CA certificate used to verify
2997 that the switch is connected to a trustworthy controller.
3000 <column name=
"bootstrap_ca_cert">
3001 If set to
<code>true
</code>, then Open vSwitch will attempt to
3002 obtain the CA certificate from the controller on its first SSL
3003 connection and save it to the named PEM file. If it is successful,
3004 it will immediately drop the connection and reconnect, and from then
3005 on all SSL connections must be authenticated by a certificate signed
3006 by the CA certificate thus obtained.
<em>This option exposes the
3007 SSL connection to a man-in-the-middle attack obtaining the initial
3008 CA certificate.
</em> It may still be useful for bootstrapping.
3011 <column name=
"ssl_protocols">
3012 List of SSL protocols to be enabled for SSL connections. The default
3013 when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2
</code>.
3016 <column name=
"ssl_ciphers">
3017 List of ciphers (in OpenSSL cipher string format) to be supported
3018 for SSL connections. The default when this option is omitted is
3019 <code>HIGH:!aNULL:!MD5
</code>.
3022 <group title=
"Common Columns">
3023 The overall purpose of these columns is described under
<code>Common
3024 Columns
</code> at the beginning of this document.
3026 <column name=
"external_ids"/>
3029 <table name=
"DNS" title=
"Native DNS resolution">
3031 Each row in this table stores the DNS records. The OVN action
3032 <code>dns_lookup
</code> uses this table for DNS resolution.
3035 <column name=
"records">
3036 Key-value pair of DNS records with
<code>DNS query name
</code> as the key
3037 and a string of IP address(es) separated by comma or space as the
3040 <p><b>Example:
</b> "vm1.ovn.org" =
"10.0.0.4 aef0::4"</p>
3043 <column name=
"datapaths">
3044 The DNS records defined in the column
<ref column=
"records"/> will be
3045 applied only to the DNS queries originating from the datapaths defined
3049 <group title=
"Common Columns">
3050 <column name=
"external_ids">
3051 See
<em>External IDs
</em> at the beginning of this document.
3056 <table name=
"RBAC_Role">
3057 Role table for role-based access controls.
3059 <column name=
"name">
3060 The role name, corresponding to the
<code>role
</code>
3061 column in the
<code>Connection
</code> table.
3064 <column name=
"permissions">
3065 A mapping of table names to rows in the
3066 <code>RBAC_Permission
</code> table.
3069 <table name=
"RBAC_Permission">
3070 Permissions table for role-based access controls.
3072 <column name=
"table">
3073 Name of table to which this row applies.
3076 <column name=
"authorization">
3077 Set of strings identifying columns and column:key pairs to be compared
3078 with client ID. At least one match is required in order to be
3079 authorized. A zero-length string is treated as a special value
3080 indicating all clients should be considered authorized.
3083 <column name=
"insert_delete">
3084 When
"true", row insertions and authorized row
3085 deletions are permitted.
3087 <column name=
"update">
3088 Set of strings identifying columns and column:key pairs that authorized
3089 clients are allowed to modify.
3092 <table name=
"Gateway_Chassis">
3094 Association of
<ref table=
"Port_Binding"/> rows of
3095 <ref table=
"Port_Binding" column=
"type"/> <code>chassisredirect
</code> to
3096 a
<ref table=
"Chassis"/>. The traffic going out through a specific
3097 <code>chassisredirect
</code> port will be redirected to a chassis,
3098 or a set of them in high availability configurations.
3101 <column name=
"name">
3103 Name of the
<ref table=
"Gateway_Chassis"/>.
3106 A suggested, but not required naming convention is
3107 <code>${port_name}_${chassis_name}
</code>.
3111 <column name=
"chassis">
3112 The
<ref table=
"Chassis"/> to which we send the traffic.
3115 <column name=
"priority">
3116 This is the priority the specific
<ref table=
"Chassis"/> among all
3117 Gateway_Chassis belonging to the same
<ref table=
"Port_Binding"/>.
3120 <column name=
"options">
3121 Reserved for future use.
3124 <group title=
"Common Columns">
3125 The overall purpose of these columns is described under
<code>Common
3126 Columns
</code> at the beginning of this document.
3128 <column name=
"external_ids"/>
projects / ovs.git / blob