@velp
Last active October 18, 2025 12:47
OVN Troubleshooting

Neutron Network → OVN Logical Switch

# openstack network show 644c25c6-7d1b-41af-a98a-0cda8266f05c
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   | nova                                 |
| availability_zones        | nova                                 |
| created_at                | 2024-11-18T16:53:41Z                 |
| description               |                                      |
| dns_domain                |                                      |
| id                        | 644c25c6-7d1b-41af-a98a-0cda8266f05c |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | None                                 |
| is_vlan_transparent       | False                                |
| mtu                       | 8900                                 |
| name                      | test-tenant-net                      |
| port_security_enabled     | True                                 |
| project_id                | 746bac71ba45426aa2880ca39df03090     |
| provider:network_type     | vxlan                                |
| provider:physical_network | None                                 |
| provider:segmentation_id  | 810                                  |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 35ee45b5-d534-4523-98a9-fcf8a9e8f2fc |
| tags                      |                                      |
| updated_at                | 2024-11-18T16:53:42Z                 |
+---------------------------+--------------------------------------+

# ovn-nbctl find Logical_Switch name=neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c
_uuid               : e2ecef5f-43c2-4389-81ff-604e202aef66
acls                : []
copp                : []
dns_records         : [36263ec2-9d68-4283-b026-5feec3a3a17e]
external_ids        : {"neutron:availability_zone_hints"=nova, "neutron:mtu"="8900", "neutron:network_name"=test-tenant-net, "neutron:provnet-network-type"=vxlan, "neutron:revision_number"="2"}
forwarding_groups   : []
load_balancer       : []
load_balancer_group : []
name                : neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c
other_config        : {mcast_flood_unregistered="false", mcast_snoop="false", vlan-passthru="false"}
ports               : [0d95953a-5ad5-47ff-817c-ae5ee1ada141, 3224e008-bd67-45e7-a631-535c306b278a, 3631936b-3c31-4721-af8c-ba870da41eb4, f69f9a74-9cea-49ab-ba15-35a49595d01c]
qos_rules           : []

Neutron Network Ports → OVN Logical Switch Ports

# openstack port list --network 644c25c6-7d1b-41af-a98a-0cda8266f05c
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 1d0d2011-894a-4164-8e71-1bd8cd919b41 |      | fa:16:3e:d9:bf:6a | ip_address='192.168.1.2', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc'   | DOWN   |
| 2887c855-a6a4-461c-aaa5-3a43f2482bba |      | fa:16:3e:bb:2c:4d | ip_address='192.168.1.172', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc' | ACTIVE |
| 7d7a2175-a7b0-4e89-836a-33bfde5506fd |      | fa:16:3e:ec:5b:fc | ip_address='192.168.1.133', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc' | ACTIVE |
| e6326e7c-313c-4c9e-a8d7-0e9db8bca229 |      | fa:16:3e:07:2d:81 | ip_address='192.168.1.1', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc'   | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+

# ovn-nbctl show neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c
switch e2ecef5f-43c2-4389-81ff-604e202aef66 (neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c) (aka test-tenant-net)
    port 2887c855-a6a4-461c-aaa5-3a43f2482bba
        addresses: ["fa:16:3e:bb:2c:4d 192.168.1.172"]
    port 7d7a2175-a7b0-4e89-836a-33bfde5506fd
        addresses: ["fa:16:3e:ec:5b:fc 192.168.1.133"]
    port e6326e7c-313c-4c9e-a8d7-0e9db8bca229
        type: router
        router-port: lrp-e6326e7c-313c-4c9e-a8d7-0e9db8bca229
    port 1d0d2011-894a-4164-8e71-1bd8cd919b41
        type: localport
        addresses: ["fa:16:3e:d9:bf:6a 192.168.1.2"]

Neutron Network Port (compute) → OVN Logical Switch Port

# openstack port show 7d7a2175-a7b0-4e89-836a-33bfde5506fd
+-------------------------+------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                      |
+-------------------------+------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                         |
| allowed_address_pairs   |                                                                                                            |
| binding_host_id         | worker-1.dev.cloudification.io                                                                             |
| binding_profile         |                                                                                                            |
| binding_vif_details     | bound_drivers.0='ovn', bridge_name='br-int', connectivity='l2', datapath_type='system', port_filter='True' |
| binding_vif_type        | ovs                                                                                                        |
| binding_vnic_type       | normal                                                                                                     |
| created_at              | 2025-10-09T16:27:04Z                                                                                       |
| data_plane_status       | None                                                                                                       |
| description             |                                                                                                            |
| device_id               | 21cf7aba-a3b5-4f0a-86a1-08324b8fde72                                                                       |
| device_owner            | compute:nova                                                                                               |
| device_profile          | None                                                                                                       |
| dns_assignment          | fqdn='test-vm-1.openstack.svc.dev.cloudification.io.', hostname='test-vm-1', ip_address='192.168.1.133'    |
| dns_domain              |                                                                                                            |
| dns_name                | test-vm-1                                                                                                  |
| extra_dhcp_opts         |                                                                                                            |
| fixed_ips               | ip_address='192.168.1.133', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc'                               |
| hardware_offload_type   | None                                                                                                       |
| hints                   |                                                                                                            |
| id                      | 7d7a2175-a7b0-4e89-836a-33bfde5506fd                                                                       |
| ip_allocation           | None                                                                                                       |
| mac_address             | fa:16:3e:ec:5b:fc                                                                                          |
| name                    |                                                                                                            |
| network_id              | 644c25c6-7d1b-41af-a98a-0cda8266f05c                                                                       |
| numa_affinity_policy    | None                                                                                                       |
| port_security_enabled   | True                                                                                                       |
| project_id              | 746bac71ba45426aa2880ca39df03090                                                                           |
| propagate_uplink_status | None                                                                                                       |
| resource_request        | None                                                                                                       |
| revision_number         | 5                                                                                                          |
| qos_network_policy_id   | None                                                                                                       |
| qos_policy_id           | None                                                                                                       |
| security_group_ids      | c87e2120-f641-4c36-b5fd-8faaf9e8b972                                                                       |
| status                  | ACTIVE                                                                                                     |
| tags                    |                                                                                                            |
| trunk_details           | None                                                                                                       |
| updated_at              | 2025-10-09T16:27:18Z                                                                                       |
+-------------------------+------------------------------------------------------------------------------------------------------------+


# ovn-nbctl list Logical_Switch_Port 7d7a2175-a7b0-4e89-836a-33bfde5506fd
_uuid               : 3224e008-bd67-45e7-a631-535c306b278a
addresses           : ["fa:16:3e:ec:5b:fc 192.168.1.133"]
dhcpv4_options      : bbb2c95d-1cc9-407c-9360-c7f64a7cada2
dhcpv6_options      : []
dynamic_addresses   : []
enabled             : true
external_ids        : {"neutron:cidrs"="192.168.1.133/24", "neutron:device_id"="21cf7aba-a3b5-4f0a-86a1-08324b8fde72", "neutron:device_owner"="compute:nova", "neutron:host_id"=worker-1.dev.cloudification.io, "neutron:mtu"="", "neutron:network_name"=neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c, "neutron:port_capabilities"="", "neutron:port_name"="", "neutron:project_id"="746bac71ba45426aa2880ca39df03090", "neutron:revision_number"="5", "neutron:security_group_ids"="c87e2120-f641-4c36-b5fd-8faaf9e8b972", "neutron:subnet_pool_addr_scope4"="", "neutron:subnet_pool_addr_scope6"="", "neutron:vnic_type"=normal}
ha_chassis_group    : []
mirror_rules        : []
name                : "7d7a2175-a7b0-4e89-836a-33bfde5506fd"
options             : {mcast_flood_reports="true", requested-chassis=worker-1.dev.cloudification.io}
parent_name         : []
port_security       : ["fa:16:3e:ec:5b:fc 192.168.1.133"]
tag                 : []
tag_request         : []
type                : ""
up                  : true
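
The port comparison above can be automated as a drift check between Neutron and the OVN northbound database. The following is an added example, not part of the original gist: the function names are hypothetical, the sample inputs are trimmed copies of the outputs shown above, and it assumes `allowed_address_pairs` is empty, as it is for this port.

```python
import re

# Sample inputs: trimmed copies of the two outputs shown above.
NEUTRON_PORT_SHOW = """\
| Field                   | Value                                                                        |
| fixed_ips               | ip_address='192.168.1.133', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc' |
| id                      | 7d7a2175-a7b0-4e89-836a-33bfde5506fd                                         |
| mac_address             | fa:16:3e:ec:5b:fc                                                            |
| port_security_enabled   | True                                                                         |
"""

OVN_LSP_LIST = """\
_uuid               : 3224e008-bd67-45e7-a631-535c306b278a
addresses           : ["fa:16:3e:ec:5b:fc 192.168.1.133"]
name                : "7d7a2175-a7b0-4e89-836a-33bfde5506fd"
port_security       : ["fa:16:3e:ec:5b:fc 192.168.1.133"]
up                  : true
"""

RECORD_LINE = re.compile(r"^([A-Za-z_]\w*)\s*: ?(.*)$")


def parse_openstack_table(text):
    """Parse `openstack ... show` table output into {field: value}."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border rows and anything outside the table
        name, _, value = line[1:-1].partition("|")
        name, value = name.strip(), value.strip()
        if name == "Field":
            continue  # header row
        if not name and last:
            fields[last] += " " + value  # wrapped value continues the previous row
        elif name:
            fields[name] = value
            last = name
    return fields


def parse_ovn_record(text):
    """Parse one `ovn-nbctl list/find` record into {column: raw value}."""
    record, last = {}, None
    for line in text.splitlines():
        match = RECORD_LINE.match(line)
        if match:
            last = match.group(1)
            record[last] = match.group(2).strip()
        elif last and line[:1].isspace():
            record[last] += " " + line.strip()  # wrapped column value
        # Lines such as ovsdb_idl WARN messages match neither case and are skipped.
    return record


def port_security_findings(neutron, lsp):
    """Return a list of mismatches between a Neutron port and its OVN LSP."""
    findings = []
    if lsp.get("name", "").strip('"') != neutron.get("id"):
        findings.append("LSP name does not match the Neutron port id")

    enabled = neutron.get("port_security_enabled") == "True"
    entries = re.findall(r'"([^"]*)"', lsp.get("port_security", "[]"))
    if enabled and not entries:
        # Without port_security entries OVN does not restrict source MAC/IP on the port.
        findings.append("port_security is empty in OVN although enabled in Neutron")
        return findings
    if not enabled:
        if entries:
            findings.append("port_security is set in OVN although disabled in Neutron")
        return findings

    want_macs = {neutron.get("mac_address", "").lower()}
    want_ips = set(re.findall(r"ip_address='([^']+)'", neutron.get("fixed_ips", "")))
    have_macs, have_ips = set(), set()
    for entry in entries:  # each entry is "MAC IP [IP ...]"
        mac, *ips = entry.split()
        have_macs.add(mac.lower())
        have_ips.update(ips)

    extra = sorted((have_macs - want_macs) | (have_ips - want_ips))
    missing = sorted((want_macs - have_macs) | (want_ips - have_ips))
    if extra:
        findings.append("OVN allows addresses unknown to Neutron: " + ", ".join(extra))
    if missing:
        findings.append("OVN port_security lacks Neutron addresses: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    port = parse_openstack_table(NEUTRON_PORT_SHOW)
    lsp = parse_ovn_record(OVN_LSP_LIST)
    for finding in port_security_findings(port, lsp) or ["no drift found"]:
        print(finding)
```

In practice the two strings would be the captured output of `openstack port show <port-id>` and `ovn-nbctl list Logical_Switch_Port <port-id>` for the same port.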

Neutron Subnet DHCP → OVN DHCP Options

# openstack subnet show 4cb39bcb-b825-40b7-bfa7-79cf1ecf8f99
+----------------------+-------------------------------------------------------+
| Field                | Value                                                 |
+----------------------+-------------------------------------------------------+
| allocation_pools     | 192.168.0.100-192.168.0.200                           |
| cidr                 | 192.168.0.0/24                                        |
| created_at           | 2025-10-16T11:01:50Z                                  |
| description          |                                                       |
| dns_nameservers      | 8.8.8.8                                               |
| dns_publish_fixed_ip | False                                                 |
| enable_dhcp          | True                                                  |
| gateway_ip           | 192.168.0.1                                           |
| host_routes          | destination='192.168.10.0/24', gateway='192.168.0.10' |
| id                   | 4cb39bcb-b825-40b7-bfa7-79cf1ecf8f99                  |
| ip_version           | 4                                                     |
| ipv6_address_mode    | None                                                  |
| ipv6_ra_mode         | None                                                  |
| name                 | test-subnet                                           |
| network_id           | ad647201-40c9-478b-b83c-abc6582bb859                  |
| project_id           | 746bac71ba45426aa2880ca39df03090                      |
| revision_number      | 0                                                     |
| router:external      | False                                                 |
| segment_id           | None                                                  |
| service_types        |                                                       |
| subnetpool_id        | None                                                  |
| tags                 |                                                       |
| updated_at           | 2025-10-16T11:01:50Z                                  |
+----------------------+-------------------------------------------------------+

# ovn-nbctl find DHCP_Options external_ids:subnet_id="4cb39bcb-b825-40b7-bfa7-79cf1ecf8f99"
_uuid               : c9a1ebbb-7700-43da-86d6-e67b59e9a9da
cidr                : "192.168.0.0/24"
external_ids        : {"neutron:revision_number"="0", subnet_id="4cb39bcb-b825-40b7-bfa7-79cf1ecf8f99"}
options             : {classless_static_route="{169.254.169.254/32,192.168.0.100, 192.168.10.0/24,192.168.0.10, 0.0.0.0/0,192.168.0.1}", dns_server="{8.8.8.8}", domain_name="\"openstack.svc.dev.cloudification.io\"", lease_time="43200", mtu="8900", router="192.168.0.1", server_id="192.168.0.1", server_mac="fa:16:3e:73:78:ee"}

Neutron Router → OVN Logical Router

# openstack router show 004f9483-f2dc-4d34-bfca-e63b673a1a45
+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                     | Value                                                                                                                                                     |
+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up            | UP                                                                                                                                                        |
| availability_zone_hints   | nova                                                                                                                                                      |
| availability_zones        | nova                                                                                                                                                      |
| created_at                | 2024-11-18T16:54:00Z                                                                                                                                      |
| description               |                                                                                                                                                           |
| enable_default_route_bfd  | False                                                                                                                                                     |
| enable_default_route_ecmp | False                                                                                                                                                     |
| enable_ndp_proxy          | None                                                                                                                                                      |
| external_gateway_info     | {"network_id": "ff298c77-8827-4684-ab44-579937300b26", "external_fixed_ips": [{"subnet_id": "cb9bcbe6-70e2-4ce4-928e-0dc087737128", "ip_address":         |
|                           | "10.40.196.189"}], "enable_snat": true}                                                                                                                   |
| external_gateways         | [{'network_id': 'ff298c77-8827-4684-ab44-579937300b26', 'external_fixed_ips': [{'ip_address': '10.40.196.189', 'subnet_id':                               |
|                           | 'cb9bcbe6-70e2-4ce4-928e-0dc087737128'}]}]                                                                                                                |
| flavor_id                 | None                                                                                                                                                      |
| ha                        | True                                                                                                                                                      |
| id                        | 004f9483-f2dc-4d34-bfca-e63b673a1a45                                                                                                                      |
| interfaces_info           | [{"port_id": "e6326e7c-313c-4c9e-a8d7-0e9db8bca229", "ip_address": "192.168.1.1", "subnet_id": "35ee45b5-d534-4523-98a9-fcf8a9e8f2fc"}]                   |
| name                      | test-router                                                                                                                                               |
| project_id                | 746bac71ba45426aa2880ca39df03090                                                                                                                          |
| revision_number           | 3                                                                                                                                                         |
| routes                    |                                                                                                                                                           |
| status                    | ACTIVE                                                                                                                                                    |
| tags                      |                                                                                                                                                           |
| tenant_id                 | 746bac71ba45426aa2880ca39df03090                                                                                                                          |
| updated_at                | 2024-11-18T16:54:34Z                                                                                                                                      |
+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+

# openstack port list --device-id=004f9483-f2dc-4d34-bfca-e63b673a1a45
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 81c4be90-5078-4528-b5f6-fd79705686d0 |      | fa:16:3e:9d:90:fd | ip_address='10.40.196.189', subnet_id='cb9bcbe6-70e2-4ce4-928e-0dc087737128' | ACTIVE |
| e6326e7c-313c-4c9e-a8d7-0e9db8bca229 |      | fa:16:3e:07:2d:81 | ip_address='192.168.1.1', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc'   | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+

# ovn-nbctl show neutron-004f9483-f2dc-4d34-bfca-e63b673a1a45
router 27ea4ae8-2e90-4ed1-b448-91773b73ddf5 (neutron-004f9483-f2dc-4d34-bfca-e63b673a1a45) (aka test-router)
    port lrp-81c4be90-5078-4528-b5f6-fd79705686d0
        mac: "fa:16:3e:9d:90:fd"
        networks: ["10.40.196.189/24"]
        gateway chassis: [e346011c-c566-4a84-9ec3-941b53cb7b63 e25f912a-9b41-4e8f-b461-2980e3e0cf66 48151bf1-c5f7-4718-a400-5625f2a9f924 1c380472-827c-462b-9bd8-ff7cbc74f02f c547a9da-eef0-4fd5-bd3c-3e1cbc8fad88]
    port lrp-e6326e7c-313c-4c9e-a8d7-0e9db8bca229
        mac: "fa:16:3e:07:2d:81"
        networks: ["192.168.1.1/24"]
    nat a953f61c-bf81-4da0-aaaa-e6bbc0b056eb
        external ip: "10.40.196.189"
        logical ip: "192.168.1.0/24"
        type: "snat"

Neutron Network Port (router) → OVN Logical Router Port

# openstack port list --device-id=004f9483-f2dc-4d34-bfca-e63b673a1a45
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 81c4be90-5078-4528-b5f6-fd79705686d0 |      | fa:16:3e:9d:90:fd | ip_address='10.40.196.189', subnet_id='cb9bcbe6-70e2-4ce4-928e-0dc087737128' | ACTIVE |
| e6326e7c-313c-4c9e-a8d7-0e9db8bca229 |      | fa:16:3e:07:2d:81 | ip_address='192.168.1.1', subnet_id='35ee45b5-d534-4523-98a9-fcf8a9e8f2fc'   | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+

# ovn-nbctl list Logical_Router_Port lrp-e6326e7c-313c-4c9e-a8d7-0e9db8bca229
_uuid               : 90bdf7a7-4463-427a-b246-cf6020bc9c21
enabled             : []
external_ids        : {"neutron:is_ext_gw"=False, "neutron:network_name"=neutron-644c25c6-7d1b-41af-a98a-0cda8266f05c, "neutron:revision_number"="2", "neutron:router_name"="004f9483-f2dc-4d34-bfca-e63b673a1a45", "neutron:subnet_ids"="35ee45b5-d534-4523-98a9-fcf8a9e8f2fc"}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_prefix         : []
ipv6_ra_configs     : {}
mac                 : "fa:16:3e:07:2d:81"
name                : lrp-e6326e7c-313c-4c9e-a8d7-0e9db8bca229
networks            : ["192.168.1.1/24"]
options             : {}
peer                : []

# ovn-nbctl list Logical_Router_Port lrp-81c4be90-5078-4528-b5f6-fd79705686d0
_uuid               : 3228083c-4f48-485a-830f-01c9122290d6
enabled             : []
external_ids        : {...}
gateway_chassis     : [2734545f-ec1d-4c7a-a278-20bb299a8b34,
                       485dbfe5-675e-417b-b916-3a1a90c3391b,
                       6ffb0338-a56b-4f9f-82eb-c43e18069151]
ha_chassis_group    : []
ipv6_prefix         : []
ipv6_ra_configs     : {}
mac                 : "fa:16:3e:9d:90:fd"
name                : lrp-81c4be90-5078-4528-b5f6-fd79705686d0
networks            : ["10.40.196.189/24"]
options             : {reside-on-redirect-chassis="true"}
peer                : []

Neutron HA router ports → OVN Logical Router Port priority

# ovn-nbctl list Logical_Router_Port lrp-81c4be90-5078-4528-b5f6-fd79705686d0
_uuid               : 3228083c-4f48-485a-830f-01c9122290d6
enabled             : []
external_ids        : {"neutron:is_ext_gw"=True, "neutron:network_name"=neutron-ff298c77-8827-4684-ab44-579937300b26, "neutron:revision_number"="225", "neutron:router_name"="004f9483-f2dc-4d34-bfca-e63b673a1a45", "neutron:subnet_ids"="cb9bcbe6-70e2-4ce4-928e-0dc087737128"}
gateway_chassis     : [58a0e9fb-650a-43a8-a4e8-7c88b9f95f8d, 6e702c76-f337-42fd-a4b5-17ea12930cf7, fe866b51-db22-4f18-9c01-56e4812a5493]
ha_chassis_group    : []
ipv6_prefix         : []
ipv6_ra_configs     : {}
mac                 : "fa:16:3e:9d:90:fd"
name                : lrp-81c4be90-5078-4528-b5f6-fd79705686d0
networks            : ["10.40.196.189/24"]
options             : {reside-on-redirect-chassis="true"}
peer                : []

# ovn-nbctl lrp-get-gateway-chassis lrp-81c4be90-5078-4528-b5f6-fd79705686d0
lrp-81c4be90-5078-4528-b5f6-fd79705686d0_1c380472-827c-462b-9bd8-ff7cbc74f02f     5
lrp-81c4be90-5078-4528-b5f6-fd79705686d0_c547a9da-eef0-4fd5-bd3c-3e1cbc8fad88     4
lrp-81c4be90-5078-4528-b5f6-fd79705686d0_e25f912a-9b41-4e8f-b461-2980e3e0cf66     3
lrp-81c4be90-5078-4528-b5f6-fd79705686d0_48151bf1-c5f7-4718-a400-5625f2a9f924     2
lrp-81c4be90-5078-4528-b5f6-fd79705686d0_e346011c-c566-4a84-9ec3-941b53cb7b63     1

# ovn-sbctl get Chassis 1c380472-827c-462b-9bd8-ff7cbc74f02f hostname
master-1.dev.cloudification.io

SNAT and DNAT configurations

# openstack floating ip list --floating-ip-address="10.40.196.214" -c "Floating IP Address" -c "Fixed IP Address" -c "Port"
+---------------------+------------------+--------------------------------------+
| Floating IP Address | Fixed IP Address | Port                                 |
+---------------------+------------------+--------------------------------------+
| 10.40.196.214       | 192.168.1.133    | 7d7a2175-a7b0-4e89-836a-33bfde5506fd |
+---------------------+------------------+--------------------------------------+

# openstack port list --device-id=37ec7bde-0b21-4fd7-8035-b1731b37b750 --device-owner=network:router_gateway -c "Fixed IP Addresses"
+------------------------------------------------------------------------------+
| Fixed IP Addresses                                                           |
+------------------------------------------------------------------------------+
| ip_address='10.40.196.141', subnet_id='cb9bcbe6-70e2-4ce4-928e-0dc087737128' |
+------------------------------------------------------------------------------+

# ovn-nbctl show neutron-37ec7bde-0b21-4fd7-8035-b1731b37b750
router 138c3414-d5d4-4357-8f7f-0611499b0ab4 (neutron-37ec7bde-0b21-4fd7-8035-b1731b37b750) (aka test-router)
    port lrp-f52c366e-9478-4e0e-a91a-c547068e4009
        mac: "fa:16:3e:45:3e:6b"
        networks: ["192.168.1.1/24"]
    port lrp-38eaff34-564a-4fea-a2e4-00e65e1a9cf7
        mac: "fa:16:3e:fe:c4:cf"
        networks: ["10.40.196.141/24"]
        gateway chassis: [e346011c-c566-4a84-9ec3-941b53cb7b63 e25f912a-9b41-4e8f-b461-2980e3e0cf66 48151bf1-c5f7-4718-a400-5625f2a9f924]
    nat aa03a0ce-2d19-45a7-82a4-b64aaa3475fe
        external ip: "10.40.196.214"
        logical ip: "192.168.1.133"
        type: "dnat_and_snat"
    nat e948c6a5-1e2e-43b3-9518-a2a738ef7cbe
        external ip: "10.40.196.141"
        logical ip: "192.168.1.0/24"
        type: "snat"

# ovn-nbctl find NAT logical_port="7d7a2175-a7b0-4e89-836a-33bfde5506fd"
2025-10-11T18:02:02Z|00001|ovsdb_idl|WARN|NAT table in OVN_Northbound database lacks gateway_port column (database needs upgrade?)
_uuid               : aa03a0ce-2d19-45a7-82a4-b64aaa3475fe
allowed_ext_ips     : []
exempted_ext_ips    : []
external_ids        : {"neutron:fip_external_mac"="fa:16:3e:ed:f6:1d", "neutron:fip_id"="c4564c9f-1e2e-43d4-a78f-c3f6e410dd79", "neutron:fip_network_id"="ff298c77-8827-4684-ab44-579937300b26", "neutron:fip_port_id"="7d7a2175-a7b0-4e89-836a-33bfde5506fd", "neutron:revision_number"="6", "neutron:router_name"=neutron-37ec7bde-0b21-4fd7-8035-b1731b37b750}
external_ip         : "10.40.196.214"
external_mac        : "fa:16:3e:ed:f6:1d"
external_port_range : ""
gateway_port        : []
logical_ip          : "192.168.1.133"
logical_port        : "7d7a2175-a7b0-4e89-836a-33bfde5506fd"
options             : {}
type                : dnat_and_snat

# ovn-nbctl find NAT external_ip="10.40.196.141"
2025-10-11T18:13:07Z|00001|ovsdb_idl|WARN|NAT table in OVN_Northbound database lacks gateway_port column (database needs upgrade?)
_uuid               : e948c6a5-1e2e-43b3-9518-a2a738ef7cbe
allowed_ext_ips     : []
exempted_ext_ips    : []
external_ids        : {}
external_ip         : "10.40.196.141"
external_mac        : []
external_port_range : ""
gateway_port        : []
logical_ip          : "192.168.1.0/24"
logical_port        : []
options             : {}
type                : snat

Neutron Security Groups → OVN Port Groups

# openstack security group show 72017ba0-f963-4f5b-a303-e29780aff40b
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                               |
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2025-01-14T10:03:52Z                                                                                                                                                |
| description     |                                                                                                                                                                     |
| id              | 72017ba0-f963-4f5b-a303-e29780aff40b                                                                                                                                |
| name            | allow-any                                                                                                                                                           |
| project_id      | 3fe90af5a09045688276746c350b50c0                                                                                                                                    |
| revision_number | 4                                                                                                                                                                   |
| rules           | created_at='2025-01-14T10:03:52Z', direction='egress', ethertype='IPv6', id='22c4e183-8cba-4ac3-bddd-942740843916', standard_attr_id='678',                         |
|                 | updated_at='2025-01-14T10:03:52Z'                                                                                                                                   |
|                 | created_at='2025-01-14T10:04:17Z', direction='ingress', ethertype='IPv4', id='3061fe9b-9490-44c8-97b1-5f026c17aadb', normalized_cidr='0.0.0.0/0', protocol='udp',   |
|                 | remote_ip_prefix='0.0.0.0/0', standard_attr_id='687', updated_at='2025-01-14T10:04:17Z'                                                                             |
|                 | created_at='2025-01-14T10:04:02Z', direction='ingress', ethertype='IPv4', id='39f618b5-5b61-4969-aee8-0777c13e988a', normalized_cidr='0.0.0.0/0', protocol='icmp',  |
|                 | remote_ip_prefix='0.0.0.0/0', standard_attr_id='681', updated_at='2025-01-14T10:04:02Z'                                                                             |
|                 | created_at='2025-01-14T10:03:52Z', direction='egress', ethertype='IPv4', id='72734c74-f1fa-4e6b-a578-dcfd13e9f6ea', standard_attr_id='675',                         |
|                 | updated_at='2025-01-14T10:03:52Z'                                                                                                                                   |
|                 | created_at='2025-01-14T10:04:09Z', direction='ingress', ethertype='IPv4', id='aaf72aef-c47c-4d2f-9304-217e0569a4fb', normalized_cidr='0.0.0.0/0', protocol='tcp',   |
|                 | remote_ip_prefix='0.0.0.0/0', standard_attr_id='684', updated_at='2025-01-14T10:04:09Z'                                                                             |
| shared          | False                                                                                                                                                               |
| stateful        | True                                                                                                                                                                |
| tags            | []                                                                                                                                                                  |
| updated_at      | 2025-01-14T10:04:17Z                                                                                                                                                |
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# openstack security group rule list 72017ba0-f963-4f5b-a303-e29780aff40b
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 22c4e183-8cba-4ac3-bddd-942740843916 | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
| 3061fe9b-9490-44c8-97b1-5f026c17aadb | udp         | IPv4      | 0.0.0.0/0 |            | ingress   | None                  | None                 |
| 39f618b5-5b61-4969-aee8-0777c13e988a | icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                  | None                 |
| 72734c74-f1fa-4e6b-a578-dcfd13e9f6ea | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| aaf72aef-c47c-4d2f-9304-217e0569a4fb | tcp         | IPv4      | 0.0.0.0/0 |            | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

# PG_ID=$(echo "72017ba0-f963-4f5b-a303-e29780aff40b" | sed 's/-/_/g')
# ovn-nbctl list Port_Group pg_$PG_ID
_uuid               : 8b2a2786-a996-467c-9fc8-2000f5bfa692
acls                : [0aad86c0-46e7-4102-bf7a-e2bb810f3fa5, 131ac5c6-0a24-460c-86ef-341beeafb2c5, 354a7ec4-219a-490e-b79f-17005c2b80f0, 6e455e11-cbe4-4044-a0f6-ab707c23d824, fa71250b-276d-4207-bd85-4dee457a7f0d]
external_ids        : {"neutron:security_group_id"="72017ba0-f963-4f5b-a303-e29780aff40b"}
name                : pg_72017ba0_f963_4f5b_a303_e29780aff40b
ports               : []

# ovn-nbctl acl-list 8b2a2786-a996-467c-9fc8-2000f5bfa692
from-lport  1002 (inport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4) allow-related
from-lport  1002 (inport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip6) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && icmp4) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && tcp) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && udp) allow-related
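
The lookup above, turned into a small audit: this is an added example, not part of the original gist. It derives the Port_Group name from the security group ID and flags ingress ACLs that allow TCP or UDP from any IPv4 source on all ports. The function names are hypothetical; the first five sample lines are the ACLs shown above, and the sixth (with `tcp.dst == 22`) is constructed, assuming port-restricted rules appear in the match as `tcp.dst`/`udp.dst` terms.

```shell
#!/bin/sh
# Added example (not from the gist): audit ACLs that Neutron rendered into OVN.

# Neutron security group UUID -> OVN Port_Group name, as in the sed step above.
sg_to_pg() {
    printf 'pg_%s\n' "$(printf '%s' "$1" | tr '-' '_')"
}

# Reads `ovn-nbctl acl-list` output on stdin and prints one line per ACL:
#   <direction> <priority> <action> <finding>
audit_acls() {
    awk '
    $1 == "from-lport" || $1 == "to-lport" {
        dir = $1; prio = $2; action = $NF
        m = $0
        sub(/^[^(]*\(/, "", m)      # drop everything up to the first "("
        sub(/\)[^)]*$/, "", m)      # drop the last ")" and the action
        anysrc = 0; proto = ""; ports = 0
        n = split(m, t, / && /)     # match terms are joined with " && "
        for (i = 1; i <= n; i++) {
            if (t[i] == "ip4.src == 0.0.0.0/0") anysrc = 1
            if (t[i] == "tcp" || t[i] == "udp") proto = t[i]
            if (t[i] ~ /^(tcp|udp)\.dst/) ports = 1   # assumed port-term form
        }
        finding = "ok"
        if (dir == "to-lport" && action ~ /^allow/ && anysrc && proto != "" && !ports)
            finding = "ANY-SOURCE-ALL-PORTS(" proto ")"
        printf "%s %s %s %s\n", dir, prio, action, finding
    }'
}

# Sample input: five ACLs from the output above plus one constructed line.
sample_acls() {
    cat <<'EOF'
from-lport  1002 (inport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4) allow-related
from-lport  1002 (inport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip6) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && icmp4) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && tcp) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && udp) allow-related
  to-lport  1002 (outport == @pg_72017ba0_f963_4f5b_a303_e29780aff40b && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
EOF
}

sample_acls | audit_acls
```

On a live system, pipe `ovn-nbctl acl-list "$(sg_to_pg <security-group-id>)"` into `audit_acls` instead of the sample. The Port_Group shown above has `ports : []`, so these ACLs are not yet applied to any logical port.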