ovn-nb(5) Open vSwitch Manual ovn-nb(5) NAME ovn-nb - OVN_Northbound database schema This database is the interface between OVN and the cloud management system (CMS), such as OpenStack, running above it. The CMS produces almost all of the contents of the database. The ovn-northd program monitors the database contents, transforms it, and stores it into the OVN_Southbound database. We generally speak of ``the’’ CMS, but one can imagine scenarios in which multiple CMSes manage different parts of an OVN deployment. External IDs Each of the tables in this database contains a special column, named external_ids. This column has the same form and purpose each place it appears. external_ids: map of string-string pairs Key-value pairs for use by the CMS. The CMS might use certain pairs, for example, to identify entities in its own configuration that correspond to those in this data‐ base. TABLE SUMMARY The following list summarizes the purpose of each of the tables in the OVN_Northbound database. Each table is described in more detail on a later page. Table Purpose Logical_Switch L2 logical switch Logical_Port L2 logical switch port ACL Access Control List (ACL) rule Logical_Router L3 logical router Logical_Router_Port L3 logical router port Logical_Switch TABLE Each row represents one L2 logical switch. Summary: name string ports set of Logical_Ports acls set of ACLs Common Columns: external_ids map of string-string pairs Details: name: string A name for the logical switch. This name has no special meaning or purpose other than to provide convenience for human interac‐ tion with the ovn-nb database. There is no requirement for the name to be unique. The logical switch’s UUID should be used as the unique identifier. ports: set of Logical_Ports The logical ports connected to the logical switch. It is an error for multiple logical switches to include the same logical port. acls: set of ACLs Access control rules that apply to packets within the logical switch. Common Columns: external_ids: map of string-string pairs See External IDs at the beginning of this document. Logical_Port TABLE A port within an L2 logical switch. Summary: Core Features: name string (must be unique within table) type string Options: options map of string-string pairs Options for router ports: options : router-port optional string, containing an uuid Options for localnet ports: options : network_name optional string Options for vtep ports: options : vtep-physical-switch optional string options : vtep-logical-switch optional string Containers: parent_name optional string tag optional integer, in range 1 to 4,095 Port State: up optional boolean enabled optional boolean Addressing: addresses set of strings port_security set of strings Common Columns: external_ids map of string-string pairs Details: Core Features: name: string (must be unique within table) The logical port name. For entities (VMs or containers) that are spawned in the hyper‐ visor, the name used here must match those used in the exter‐ nal_ids:iface-id in the Open_vSwitch database’s Interface table, because hypervisors use external_ids:iface-id as a lookup key to identify the network interface of that entity. For containers that share a VIF within a VM, the name can be any unique identifier. See Containers, below, for more information. type: string Specify a type for this logical port. Logical ports can be used to model other types of connectivity into an OVN logical switch. The following types are defined: (empty string) A VM (or VIF) interface. router A connection to a logical router. localnet A connection to a locally accessible network from each ovn-controller instance. A logical switch can only have a single localnet port attached and at most one regular logical port. This is used to model direct connectivity to an existing network. vtep A port to a logical switch on a VTEP gateway. Options: options: map of string-string pairs This column provides key/value settings specific to the logical port type. The type-specific options are described individually below. Options for router ports: These options apply when type is router. A given logical switch may have at most one logical port of type router. (This is not a significant restriction because logical routers may be connected into arbitrary topologies.) options : router-port: optional string, containing an uuid Required. The UUID of the Logical_Router_Port to which this logical switch port is connected. Options for localnet ports: These options apply when type is localnet. options : network_name: optional string Required. The name of the network to which the localnet port is connected. Each hypervisor, via ovn-controller, uses its local configuration to determine exactly how to connect to this locally accessible network. Options for vtep ports: These options apply when type is vtep. options : vtep-physical-switch: optional string Required. The name of the VTEP gateway. options : vtep-logical-switch: optional string Required. A logical switch name connected by the VTEP gateway. Containers: When a large number of containers are nested within a VM, it may be too expensive to dedicate a VIF to each container. OVN can use VLAN tags to support such cases. Each container is assigned a VLAN ID and each packet that passes between the hypervisor and the VM is tagged with the appropriate ID for the container. Such VLAN IDs never appear on a physical wire, even inside a tunnel, so they need not be unique except relative to a single VM on a hypervisor. These columns are used for VIFs that represent nested containers using shared VIFs. For VMs and for containers that have dedicated VIFs, they are empty. parent_name: optional string The VM interface through which the nested container sends its network traffic. This must match the name column for some other Logical_Port. tag: optional integer, in range 1 to 4,095 The VLAN tag in the network traffic associated with a con‐ tainer’s network interface. When type is set to localnet, this can be set to indicate that the port represents a connection to a specific VLAN on a locally accessible network. The VLAN ID is used to match incoming traf‐ fic and is also added to outgoing traffic. Port State: up: optional boolean This column is populated by ovn-northd, rather than by the CMS plugin as is most of this database. When a logical port is bound to a physical location in the OVN Southbound database Binding table, ovn-northd sets this column to true; otherwise, or if the port becomes unbound later, it sets it to false. This allows the CMS to wait for a VM’s (or container’s) networking to become active before it allows the VM (or container) to start. enabled: optional boolean This column is used to administratively set port state. If this column is empty or is set to true, the port is enabled. If this column is set to false, the port is disabled. A disabled port has all ingress and egress traffic dropped. Addressing: addresses: set of strings Addresses owned by the logical port. Each element in the set must take one of the following forms: xx:xx:xx:xx:xx:xx An Ethernet address owned by the logical port. Like a physical Ethernet NIC, a logical port ordinarily has a single fixed Ethernet address. When a OVN logical switch processes a unicast Ethernet frame whose destination MAC address is in a logical port’s addresses column, it delivers it only to that port, as if a MAC learning process had learned that MAC address on the port. xx:xx:xx:xx:xx:xx a.b.c.d This form has all the effects of the previous form. It also indicates that the logical port owns the given IPv4 address. The OVN logical switch uses this information to synthe‐ size responses to ARP requests without traversing the physical network. The OVN logical router connected to the logical switch, if any, uses this information to avoid issuing ARP requests for logical switch ports. unknown This indicates that the logical port has an unknown set of Ethernet addresses. When an OVN logical switch pro‐ cesses a unicast Ethernet frame whose destination MAC address is not in any logical port’s addresses column, it delivers it to the port (or ports) whose addresses col‐ umns include unknown. port_security: set of strings A set of L2 (Ethernet) addresses from which the logical port is allowed to send packets and to which it is allowed to receive packets. If this column is empty, all addresses are permitted. Logical ports are always allowed to receive packets addressed to multicast and broadcast addresses. Each member of the set is an Ethernet address in the form xx:xx:xx:xx:xx:xx. This specification will be extended to support L3 port security. Common Columns: external_ids: map of string-string pairs See External IDs at the beginning of this document. ACL TABLE Each row in this table represents one ACL rule for a logical switch that points to it through its acls column. The action column for the highest-priority matching row in this table determines a packet’s treatment. If no row matches, packets are allowed by default. (Default-deny treatment is possible: add a rule with priority 1, 1 as match, and deny as action.) Summary: priority integer, in range 1 to 65,534 direction string, either to-lport or from-lport match string action string, one of allow-related, drop, allow, or reject log boolean Common Columns: external_ids map of string-string pairs Details: priority: integer, in range 1 to 65,534 The ACL rule’s priority. Rules with numerically higher priority take precedence over those with lower. If two ACL rules with the same priority both match, then the one actually applied to a packet is undefined. Return traffic from an allow-related flow is always allowed and cannot be changed through an ACL. direction: string, either to-lport or from-lport Direction of the traffic to which this rule should apply: · from-lport: Used to implement filters on traffic arriving from a logical port. These rules are applied to the log‐ ical switch’s ingress pipeline. · to-lport: Used to implement filters on traffic forwarded to a logical port. These rules are applied to the logi‐ cal switch’s egress pipeline. match: string The packets that the ACL should match, in the same expression language used for the match column in the OVN Southbound data‐ base’s Logical_Flow table. The outport logical port is only available in the to-lport direction (the inport is available in both directions). By default all traffic is allowed. When writing a more restric‐ tive policy, it is important to remember to allow flows such as ARP and IPv6 neighbor discovery packets. action: string, one of allow-related, drop, allow, or reject The action to take when the ACL rule matches: · allow: Forward the packet. · allow-related: Forward the packet and related traffic (e.g. inbound replies to an outbound connection). · drop: Silently drop the packet. · reject: Drop the packet, replying with a RST for TCP or ICMP unreachable message for other IP-based protocols. Not implemented--currently treated as drop log: boolean If set to true, packets that match the ACL will trigger a log message on the transport node or nodes that perform ACL process‐ ing. Logging may be combined with any action. Logging is not yet implemented. Common Columns: external_ids: map of string-string pairs See External IDs at the beginning of this document. Logical_Router TABLE Each row represents one L3 logical router. Summary: name string ports set of Logical_Router_Ports default_gw optional string Common Columns: external_ids map of string-string pairs Details: name: string A name for the logical router. This name has no special meaning or purpose other than to provide convenience for human interac‐ tion with the ovn-nb database. There is no requirement for the name to be unique. The logical router’s UUID should be used as the unique identifier. ports: set of Logical_Router_Ports The router’s ports. default_gw: optional string IP address to use as default gateway, if any. Common Columns: external_ids: map of string-string pairs See External IDs at the beginning of this document. Logical_Router_Port TABLE A port within an L3 logical router. Exactly one Logical_Router row must reference a given logical router port. Summary: name string network string mac string enabled optional boolean Attachment: peer optional Logical_Router_Port Common Columns: external_ids map of string-string pairs Details: name: string A name for the logical router port. This name has no special meaning or purpose other than to provide convenience for human interaction with the ovn-nb database. There is no requirement for the name to be unique. The logical router port’s UUID should be used as the unique identifier. network: string The IP address of the router and the netmask. For example, 192.168.0.1/24 indicates that the router’s IP address is 192.168.0.1 and that packets destined to 192.168.0.x should be routed to this port. mac: string The Ethernet address that belongs to this router port. enabled: optional boolean This column is used to administratively set port state. If this column is empty or is set to true, the port is enabled. If this column is set to false, the port is disabled. A disabled port has all ingress and egress traffic dropped. Attachment: A given router port serves one of two purposes: · To attach a logical switch to a logical router. A logi‐ cal router port of this type is referenced by exactly one Logical_Port of type router. The peer column is empty. · To connect one logical router to another. This requires a pair of logical router ports, each connected to a dif‐ ferent router. Each router port in the pair specifies the other in its peer column. No Logical_Switch refers to the router port. peer: optional Logical_Router_Port For a router port used to connect two logical routers, this identifies the other router port in the pair. For a router port attached to a logical switch, this column is empty. Common Columns: external_ids: map of string-string pairs See External IDs at the beginning of this document. Open vSwitch 2.4.90 DB Schema 1.0.0 ovn-nb(5)