From c0ec554349016294f76cf5df9857ed09f499b425 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 22 Apr 2026 15:10:11 +0200
Subject: [PATCH 01/33] Add OVN provider lifecycle skeleton

---
 .../main/java/com/cloud/network/Network.java  |   1 +
 .../main/java/com/cloud/network/Networks.java |   3 +-
 .../com/cloud/network/ovn/OvnProvider.java    |  33 ++
 .../com/cloud/network/ovn/OvnService.java     |  28 ++
 .../apache/cloudstack/api/ApiConstants.java   |   8 +
 .../admin/network/NetworkOfferingBaseCmd.java |   5 +-
 .../admin/vpc/CreateVPCOfferingCmd.java       |   5 +-
 .../api/command/utils/OfferingUtils.java      |   4 +
 client/pom.xml                                |   5 +
 .../service/NetworkOrchestrationService.java  |   3 +
 .../com/cloud/network/dao/OvnProviderDao.java |  24 ++
 .../cloud/network/dao/OvnProviderDaoImpl.java |  47 +++
 .../cloud/network/element/OvnProviderVO.java  | 282 +++++++++++++++++
 ...spring-engine-schema-core-daos-context.xml |   1 +
 .../META-INF/db/schema-42210to42300.sql       |  23 ++
 plugins/network-elements/ovn/pom.xml          |  32 ++
 .../api/command/AddOvnProviderCmd.java        | 125 ++++++++
 .../api/command/DeleteOvnProviderCmd.java     |  74 +++++
 .../api/command/ListOvnProvidersCmd.java      |  60 ++++
 .../api/response/OvnProviderResponse.java     | 159 ++++++++++
 .../apache/cloudstack/service/OvnElement.java | 293 ++++++++++++++++++
 .../service/OvnGuestNetworkGuru.java          |  80 +++++
 .../cloudstack/service/OvnNbClient.java       |  28 ++
 .../service/OvnProviderService.java           |  32 ++
 .../service/OvnProviderServiceImpl.java       | 175 +++++++++++
 .../cloudstack/service/OvnServiceImpl.java    |  55 ++++
 .../core/spring-ovn-core-managers-context.xml |  31 ++
 .../META-INF/cloudstack/ovn/module.properties |  21 ++
 .../cloudstack/ovn/spring-ovn-context.xml     |  39 +++
 .../api/command/AddOvnProviderCmdTest.java    |  94 ++++++
 .../api/command/DeleteOvnProviderCmdTest.java |  97 ++++++
 .../api/command/ListOvnProvidersCmdTest.java  |  82 +++++
 .../cloudstack/service/OvnElementTest.java    |  47 +++
 .../service/OvnProviderServiceImplTest.java   | 199 ++++++++++++
 .../service/OvnServiceImplTest.java           |  40 +++
 plugins/pom.xml                               |   1 +
 .../ConfigurationManagerImpl.java             |   7 +-
 .../com/cloud/network/NetworkServiceImpl.java |  22 ++
 38 files changed, 2258 insertions(+), 7 deletions(-)
 create mode 100644 api/src/main/java/com/cloud/network/ovn/OvnProvider.java
 create mode 100644 api/src/main/java/com/cloud/network/ovn/OvnService.java
 create mode 100644 engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDao.java
 create mode 100644 engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDaoImpl.java
 create mode 100644 engine/schema/src/main/java/com/cloud/network/element/OvnProviderVO.java
 create mode 100644 plugins/network-elements/ovn/pom.xml
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/AddOvnProviderCmd.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmd.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/ListOvnProvidersCmd.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/response/OvnProviderResponse.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderService.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
 create mode 100644 plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/core/spring-ovn-core-managers-context.xml
 create mode 100644 plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/module.properties
 create mode 100644 plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/spring-ovn-context.xml
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmdTest.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/ListOvnProvidersCmdTest.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnElementTest.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java

diff --git a/api/src/main/java/com/cloud/network/Network.java b/api/src/main/java/com/cloud/network/Network.java
index 0846306f70f9..1687702678f2 100644
--- a/api/src/main/java/com/cloud/network/Network.java
+++ b/api/src/main/java/com/cloud/network/Network.java
@@ -207,6 +207,7 @@ public static class Provider {
 
         public static final Provider Nsx = new Provider("Nsx", false);
         public static final Provider Netris = new Provider("Netris", false);
+        public static final Provider Ovn = new Provider("Ovn", false);
 
         private final String name;
         private final boolean isExternal;
diff --git a/api/src/main/java/com/cloud/network/Networks.java b/api/src/main/java/com/cloud/network/Networks.java
index 5f767686dc97..fb528b83e0d4 100644
--- a/api/src/main/java/com/cloud/network/Networks.java
+++ b/api/src/main/java/com/cloud/network/Networks.java
@@ -130,7 +130,8 @@ public <T> URI toUri(T value) {
         OpenDaylight("opendaylight", String.class),
         TUNGSTEN("tf", String.class),
         NSX("nsx", String.class),
-        Netris("netris", String.class);
+        Netris("netris", String.class),
+        OVN("ovn", String.class);
 
         private final String scheme;
         private final Class<?> type;
diff --git a/api/src/main/java/com/cloud/network/ovn/OvnProvider.java b/api/src/main/java/com/cloud/network/ovn/OvnProvider.java
new file mode 100644
index 000000000000..16bdccbeb833
--- /dev/null
+++ b/api/src/main/java/com/cloud/network/ovn/OvnProvider.java
@@ -0,0 +1,33 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.ovn;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface OvnProvider extends InternalIdentity, Identity {
+    long getZoneId();
+    Long getHostId();
+    String getName();
+    String getNbConnection();
+    String getSbConnection();
+    String getCaCertPath();
+    String getClientCertPath();
+    String getClientPrivateKeyPath();
+    String getExternalBridge();
+    String getLocalnetName();
+}
diff --git a/api/src/main/java/com/cloud/network/ovn/OvnService.java b/api/src/main/java/com/cloud/network/ovn/OvnService.java
new file mode 100644
index 000000000000..29fad2215c66
--- /dev/null
+++ b/api/src/main/java/com/cloud/network/ovn/OvnService.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.ovn;
+
+/**
+ * Service boundary for CloudStack's native OVN integration.
+ * Phase 1 only defines stable naming and connection validation helpers; OVN NB operations are added in later phases.
+ */
+public interface OvnService {
+    String getLogicalSwitchName(long networkId);
+    String getLogicalRouterName(long vpcId);
+    String getLogicalSwitchPortName(long nicId);
+    boolean isValidConnectionString(String connection);
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
index 7eae16a2a376..e7c61497c720 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -1036,6 +1036,13 @@ public class ApiConstants {
 
     public static final String NSX_PROVIDER_PORT = "nsxproviderport";
     public static final String NSX_CONTROLLER_ID = "nsxcontrollerid";
+    public static final String OVN_NB_CONNECTION = "ovnnbconnection";
+    public static final String OVN_SB_CONNECTION = "ovnsbconnection";
+    public static final String OVN_CA_CERT_PATH = "ovncacertpath";
+    public static final String OVN_CLIENT_CERT_PATH = "ovnclientcertpath";
+    public static final String OVN_CLIENT_PRIVATE_KEY_PATH = "ovnclientprivatekeypath";
+    public static final String OVN_EXTERNAL_BRIDGE = "ovnexternalbridge";
+    public static final String OVN_LOCALNET_NAME = "ovnlocalnetname";
     public static final String S3_ACCESS_KEY = "accesskey";
     public static final String SECRET_KEY = "secretkey";
     public static final String S3_END_POINT = "endpoint";
@@ -1307,6 +1314,7 @@ public class ApiConstants {
     public static final String HAS_RULES = "hasrules";
     public static final String NSX_DETAIL_KEY = "forNsx";
     public static final String NETRIS_DETAIL_KEY = "forNetris";
+    public static final String OVN_DETAIL_KEY = "forOvn";
     public static final String NETRIS_TAG = "netristag";
     public static final String NETRIS_VXLAN_ID = "netrisvxlanid";
     public static final String NETRIS_URL = "netrisurl";
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
index 1c832b7217ef..c1321fc31823 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
@@ -55,6 +55,7 @@
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNsxWithoutLb;
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisNatted;
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisRouted;
+import static org.apache.cloudstack.api.command.utils.OfferingUtils.isOvnProvider;
 
 public abstract class NetworkOfferingBaseCmd extends BaseCmd {
 
@@ -249,7 +250,7 @@ public Long getServiceOfferingId() {
     }
 
     public boolean isExternalNetworkProvider() {
-        return Arrays.asList("NSX", "Netris").stream()
+        return Arrays.asList("NSX", "Netris", "OVN").stream()
                 .anyMatch(s -> provider != null && s.equalsIgnoreCase(provider));
     }
 
@@ -280,7 +281,7 @@ public List<String> getSupportedServices() {
                         SourceNat.getName(),
                         PortForwarding.getName()));
             }
-            if (getNsxSupportsLbService() || (provider != null && isNetrisNatted(getProvider(), getNetworkMode()))) {
+            if (getNsxSupportsLbService() || (provider != null && (isNetrisNatted(getProvider(), getNetworkMode()) || isOvnProvider(getProvider())))) {
                 services.add(Lb.getName());
             }
             if (Boolean.TRUE.equals(forVpc)) {
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
index 2b934a60da7a..4eb9d5f546f9 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
@@ -64,6 +64,7 @@
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisNatted;
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisRouted;
 import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNsxWithoutLb;
+import static org.apache.cloudstack.api.command.utils.OfferingUtils.isOvnProvider;
 
 @APICommand(name = "createVPCOffering", description = "Creates VPC offering", responseObject = VpcOfferingResponse.class,
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
@@ -179,7 +180,7 @@ public String getDisplayText() {
     }
 
     public boolean isExternalNetworkProvider() {
-        return Arrays.asList("NSX", "Netris").stream()
+        return Arrays.asList("NSX", "Netris", "OVN").stream()
                 .anyMatch(s -> provider != null && s.equalsIgnoreCase(provider));
     }
 
@@ -201,7 +202,7 @@ public List<String> getSupportedServices() {
             if (NetworkOffering.NetworkMode.ROUTED.name().equalsIgnoreCase(getNetworkMode())) {
                 supportedServices.add(Gateway.getName());
             }
-            if (getNsxSupportsLbService() || isNetrisNatted(getProvider(), getNetworkMode())) {
+            if (getNsxSupportsLbService() || isNetrisNatted(getProvider(), getNetworkMode()) || isOvnProvider(getProvider())) {
                 supportedServices.add(Lb.getName());
             }
         }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/utils/OfferingUtils.java b/api/src/main/java/org/apache/cloudstack/api/command/utils/OfferingUtils.java
index 433a37c07cde..64e770096a3e 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/utils/OfferingUtils.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/utils/OfferingUtils.java
@@ -35,4 +35,8 @@ public static boolean isNsxWithoutLb(String provider, boolean nsxSupportsLbServi
     public static boolean isNetrisRouted(String provider, String networkMode) {
         return "Netris".equalsIgnoreCase(provider) && NetworkOffering.NetworkMode.ROUTED.name().equalsIgnoreCase(networkMode);
     }
+
+    public static boolean isOvnProvider(String provider) {
+        return "Ovn".equalsIgnoreCase(provider);
+    }
 }
diff --git a/client/pom.xml b/client/pom.xml
index 7118f455ab5f..a8e4ce5fa325 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -306,6 +306,11 @@
             <artifactId>cloud-plugin-network-opendaylight</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-network-ovn</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>
             <artifactId>cloud-plugin-network-vcs</artifactId>
diff --git a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
index b7b548fb9407..50cd3ad31ec8 100644
--- a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
+++ b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
@@ -114,6 +114,9 @@ public interface NetworkOrchestrationService {
 
     ConfigKey<Boolean> NETRIS_ENABLED = new ConfigKey<>(Boolean.class, "netris.plugin.enable", "Advanced", "false",
             "Indicates whether to enable the Netris plugin", false, ConfigKey.Scope.Zone, null);
+
+    ConfigKey<Boolean> OVN_ENABLED = new ConfigKey<>(Boolean.class, "ovn.plugin.enable", "Advanced", "false",
+            "Indicates whether to enable the OVN plugin", false, ConfigKey.Scope.Zone, null);
     ConfigKey<Integer> NETWORK_LB_HAPROXY_MAX_CONN = new ConfigKey<>(
                     "Network",
                     Integer.class,
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDao.java b/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDao.java
new file mode 100644
index 000000000000..dda7c70a0551
--- /dev/null
+++ b/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDao.java
@@ -0,0 +1,24 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.dao;
+
+import com.cloud.network.element.OvnProviderVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface OvnProviderDao extends GenericDao<OvnProviderVO, Long> {
+    OvnProviderVO findByZoneId(long zoneId);
+}
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDaoImpl.java
new file mode 100644
index 000000000000..6f97b47b6ceb
--- /dev/null
+++ b/engine/schema/src/main/java/com/cloud/network/dao/OvnProviderDaoImpl.java
@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.dao;
+
+import com.cloud.network.element.OvnProviderVO;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import org.springframework.stereotype.Component;
+
+@Component
+@DB()
+public class OvnProviderDaoImpl extends GenericDaoBase<OvnProviderVO, Long> implements OvnProviderDao {
+    final SearchBuilder<OvnProviderVO> allFieldsSearch;
+
+    public OvnProviderDaoImpl() {
+        super();
+        allFieldsSearch = createSearchBuilder();
+        allFieldsSearch.and("id", allFieldsSearch.entity().getId(), SearchCriteria.Op.EQ);
+        allFieldsSearch.and("uuid", allFieldsSearch.entity().getUuid(), SearchCriteria.Op.EQ);
+        allFieldsSearch.and("zone_id", allFieldsSearch.entity().getZoneId(), SearchCriteria.Op.EQ);
+        allFieldsSearch.and("nb_connection", allFieldsSearch.entity().getNbConnection(), SearchCriteria.Op.EQ);
+        allFieldsSearch.done();
+    }
+
+    @Override
+    public OvnProviderVO findByZoneId(long zoneId) {
+        SearchCriteria<OvnProviderVO> sc = allFieldsSearch.create();
+        sc.setParameters("zone_id", zoneId);
+        return findOneBy(sc);
+    }
+}
diff --git a/engine/schema/src/main/java/com/cloud/network/element/OvnProviderVO.java b/engine/schema/src/main/java/com/cloud/network/element/OvnProviderVO.java
new file mode 100644
index 000000000000..959e0315ec16
--- /dev/null
+++ b/engine/schema/src/main/java/com/cloud/network/element/OvnProviderVO.java
@@ -0,0 +1,282 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.element;
+
+import com.cloud.network.ovn.OvnProvider;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.Date;
+import java.util.UUID;
+
+@Entity
+@Table(name = "ovn_providers")
+public class OvnProviderVO implements OvnProvider {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    long id;
+
+    @Column(name = "uuid")
+    private String uuid;
+
+    @Column(name = "zone_id")
+    private long zoneId;
+
+    @Column(name = "host_id")
+    private Long hostId;
+
+    @Column(name = "name")
+    private String name;
+
+    @Column(name = "nb_connection")
+    private String nbConnection;
+
+    @Column(name = "sb_connection")
+    private String sbConnection;
+
+    @Column(name = "ca_cert_path")
+    private String caCertPath;
+
+    @Column(name = "client_cert_path")
+    private String clientCertPath;
+
+    @Column(name = "client_private_key_path")
+    private String clientPrivateKeyPath;
+
+    @Column(name = "external_bridge")
+    private String externalBridge;
+
+    @Column(name = "localnet_name")
+    private String localnetName;
+
+    @Column(name = "created")
+    private Date created;
+
+    @Column(name = "removed")
+    private Date removed;
+
+    public OvnProviderVO() {
+        uuid = UUID.randomUUID().toString();
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    public void setId(long id) {
+        this.id = id;
+    }
+
+    @Override
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    @Override
+    public long getZoneId() {
+        return zoneId;
+    }
+
+    public void setZoneId(long zoneId) {
+        this.zoneId = zoneId;
+    }
+
+    @Override
+    public Long getHostId() {
+        return hostId;
+    }
+
+    public void setHostId(Long hostId) {
+        this.hostId = hostId;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    @Override
+    public String getNbConnection() {
+        return nbConnection;
+    }
+
+    public void setNbConnection(String nbConnection) {
+        this.nbConnection = nbConnection;
+    }
+
+    @Override
+    public String getSbConnection() {
+        return sbConnection;
+    }
+
+    public void setSbConnection(String sbConnection) {
+        this.sbConnection = sbConnection;
+    }
+
+    @Override
+    public String getCaCertPath() {
+        return caCertPath;
+    }
+
+    public void setCaCertPath(String caCertPath) {
+        this.caCertPath = caCertPath;
+    }
+
+    @Override
+    public String getClientCertPath() {
+        return clientCertPath;
+    }
+
+    public void setClientCertPath(String clientCertPath) {
+        this.clientCertPath = clientCertPath;
+    }
+
+    @Override
+    public String getClientPrivateKeyPath() {
+        return clientPrivateKeyPath;
+    }
+
+    public void setClientPrivateKeyPath(String clientPrivateKeyPath) {
+        this.clientPrivateKeyPath = clientPrivateKeyPath;
+    }
+
+    @Override
+    public String getExternalBridge() {
+        return externalBridge;
+    }
+
+    public void setExternalBridge(String externalBridge) {
+        this.externalBridge = externalBridge;
+    }
+
+    @Override
+    public String getLocalnetName() {
+        return localnetName;
+    }
+
+    public void setLocalnetName(String localnetName) {
+        this.localnetName = localnetName;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+
+    public void setCreated(Date created) {
+        this.created = created;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public void setRemoved(Date removed) {
+        this.removed = removed;
+    }
+
+    public static final class Builder {
+        private long zoneId;
+        private Long hostId;
+        private String name;
+        private String nbConnection;
+        private String sbConnection;
+        private String caCertPath;
+        private String clientCertPath;
+        private String clientPrivateKeyPath;
+        private String externalBridge;
+        private String localnetName;
+
+        public Builder setZoneId(long zoneId) {
+            this.zoneId = zoneId;
+            return this;
+        }
+
+        public Builder setHostId(Long hostId) {
+            this.hostId = hostId;
+            return this;
+        }
+
+        public Builder setName(String name) {
+            this.name = name;
+            return this;
+        }
+
+        public Builder setNbConnection(String nbConnection) {
+            this.nbConnection = nbConnection;
+            return this;
+        }
+
+        public Builder setSbConnection(String sbConnection) {
+            this.sbConnection = sbConnection;
+            return this;
+        }
+
+        public Builder setCaCertPath(String caCertPath) {
+            this.caCertPath = caCertPath;
+            return this;
+        }
+
+        public Builder setClientCertPath(String clientCertPath) {
+            this.clientCertPath = clientCertPath;
+            return this;
+        }
+
+        public Builder setClientPrivateKeyPath(String clientPrivateKeyPath) {
+            this.clientPrivateKeyPath = clientPrivateKeyPath;
+            return this;
+        }
+
+        public Builder setExternalBridge(String externalBridge) {
+            this.externalBridge = externalBridge;
+            return this;
+        }
+
+        public Builder setLocalnetName(String localnetName) {
+            this.localnetName = localnetName;
+            return this;
+        }
+
+        public OvnProviderVO build() {
+            OvnProviderVO provider = new OvnProviderVO();
+            provider.setZoneId(zoneId);
+            provider.setHostId(hostId);
+            provider.setName(name);
+            provider.setNbConnection(nbConnection);
+            provider.setSbConnection(sbConnection);
+            provider.setCaCertPath(caCertPath);
+            provider.setClientCertPath(clientCertPath);
+            provider.setClientPrivateKeyPath(clientPrivateKeyPath);
+            provider.setExternalBridge(externalBridge);
+            provider.setLocalnetName(localnetName);
+            return provider;
+        }
+    }
+}
diff --git a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
index edc14d9fa0cc..8467f9950fd2 100644
--- a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
+++ b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
@@ -139,6 +139,7 @@
   <bean id="ovsProviderDaoImpl" class="com.cloud.network.dao.OvsProviderDaoImpl" />
   <bean id="nsxControllerDaoImpl" class="com.cloud.network.dao.NsxProviderDaoImpl" />
   <bean id="netrisProviderDaoImpl" class="com.cloud.network.dao.NetrisProviderDaoImpl" />
+  <bean id="ovnProviderDaoImpl" class="com.cloud.network.dao.OvnProviderDaoImpl" />
   <bean id="tungstenControllerDaoImpl" class="com.cloud.network.dao.TungstenProviderDaoImpl"/>
   <bean id="physicalNetworkDaoImpl" class="com.cloud.network.dao.PhysicalNetworkDaoImpl" />
   <bean id="physicalNetworkIsolationMethodDaoImpl" class="com.cloud.network.dao.PhysicalNetworkIsolationMethodDaoImpl" />
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index 4cb9eb7cb2c4..9b032ba02d5e 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -117,3 +117,26 @@ CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tin
 
 --- Disable/enable NICs
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.nics','enabled', 'TINYINT(1) NOT NULL DEFAULT 1 COMMENT ''Indicates whether the NIC is enabled or not'' ');
+
+-- OVN Plugin
+CREATE TABLE IF NOT EXISTS `cloud`.`ovn_providers` (
+    `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
+    `uuid` varchar(40),
+    `zone_id` bigint unsigned NOT NULL COMMENT 'Zone ID',
+    `host_id` bigint unsigned COMMENT 'Optional resource host ID if OVN command routing is enabled',
+    `name` varchar(255) NOT NULL,
+    `nb_connection` varchar(255) NOT NULL COMMENT 'OVN Northbound database connection string',
+    `sb_connection` varchar(255) COMMENT 'OVN Southbound database connection string',
+    `ca_cert_path` varchar(1024) COMMENT 'OVN TLS CA certificate path',
+    `client_cert_path` varchar(1024) COMMENT 'OVN TLS client certificate path',
+    `client_private_key_path` varchar(1024) COMMENT 'OVN TLS client private key path',
+    `external_bridge` varchar(255) COMMENT 'OVN external bridge used for provider network access',
+    `localnet_name` varchar(255) COMMENT 'OVN localnet name used for provider network mapping',
+    `created` datetime NOT NULL COMMENT 'created date',
+    `removed` datetime COMMENT 'removed date if not null',
+    PRIMARY KEY (`id`),
+    CONSTRAINT `fk_ovn_providers__zone_id` FOREIGN KEY `fk_ovn_providers__zone_id` (`zone_id`) REFERENCES `data_center`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_ovn_providers__host_id` FOREIGN KEY `fk_ovn_providers__host_id` (`host_id`) REFERENCES `host`(`id`) ON DELETE SET NULL,
+    UNIQUE KEY `uk_ovn_providers__zone_id` (`zone_id`),
+    INDEX `i_ovn_providers__zone_id`(`zone_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/plugins/network-elements/ovn/pom.xml b/plugins/network-elements/ovn/pom.xml
new file mode 100644
index 000000000000..a46f7a83fa08
--- /dev/null
+++ b/plugins/network-elements/ovn/pom.xml
@@ -0,0 +1,32 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cloud-plugin-network-ovn</artifactId>
+    <name>Apache CloudStack Plugin - OVN</name>
+
+    <parent>
+        <groupId>org.apache.cloudstack</groupId>
+        <artifactId>cloudstack-plugins</artifactId>
+        <version>4.23.0.0-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+</project>
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/AddOvnProviderCmd.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/AddOvnProviderCmd.java
new file mode 100644
index 000000000000..4d3e07229f14
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/AddOvnProviderCmd.java
@@ -0,0 +1,125 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.network.ovn.OvnProvider;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.service.OvnProviderService;
+
+import javax.inject.Inject;
+
+@APICommand(name = AddOvnProviderCmd.APINAME, description = "Add OVN provider to CloudStack",
+        responseObject = OvnProviderResponse.class, requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false, authorized = {RoleType.Admin}, since = "4.23.0")
+public class AddOvnProviderCmd extends BaseCmd {
+    public static final String APINAME = "addOvnProvider";
+
+    @Inject
+    OvnProviderService ovnProviderService;
+
+    @Parameter(name = ApiConstants.ZONE_ID, type = CommandType.UUID, entityType = ZoneResponse.class, required = true,
+            description = "the ID of zone")
+    private Long zoneId;
+
+    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "OVN provider name")
+    private String name;
+
+    @Parameter(name = ApiConstants.OVN_NB_CONNECTION, type = CommandType.STRING, required = true,
+            description = "OVN Northbound database connection string. Supported formats: tcp:host:6641, ssl:host:6641, unix:/path/to/ovnnb_db.sock")
+    private String nbConnection;
+
+    @Parameter(name = ApiConstants.OVN_SB_CONNECTION, type = CommandType.STRING,
+            description = "OVN Southbound database connection string for diagnostics and binding checks")
+    private String sbConnection;
+
+    @Parameter(name = ApiConstants.OVN_CA_CERT_PATH, type = CommandType.STRING, description = "OVN TLS CA certificate path")
+    private String caCertPath;
+
+    @Parameter(name = ApiConstants.OVN_CLIENT_CERT_PATH, type = CommandType.STRING, description = "OVN TLS client certificate path")
+    private String clientCertPath;
+
+    @Parameter(name = ApiConstants.OVN_CLIENT_PRIVATE_KEY_PATH, type = CommandType.STRING, description = "OVN TLS client private key path")
+    private String clientPrivateKeyPath;
+
+    @Parameter(name = ApiConstants.OVN_EXTERNAL_BRIDGE, type = CommandType.STRING, description = "OVN external bridge used for provider network access")
+    private String externalBridge;
+
+    @Parameter(name = ApiConstants.OVN_LOCALNET_NAME, type = CommandType.STRING, description = "OVN localnet name used for provider network mapping")
+    private String localnetName;
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getNbConnection() {
+        return nbConnection;
+    }
+
+    public String getSbConnection() {
+        return sbConnection;
+    }
+
+    public String getCaCertPath() {
+        return caCertPath;
+    }
+
+    public String getClientCertPath() {
+        return clientCertPath;
+    }
+
+    public String getClientPrivateKeyPath() {
+        return clientPrivateKeyPath;
+    }
+
+    public String getExternalBridge() {
+        return externalBridge;
+    }
+
+    public String getLocalnetName() {
+        return localnetName;
+    }
+
+    @Override
+    public void execute() throws ServerApiException, ConcurrentOperationException {
+        OvnProvider provider = ovnProviderService.addProvider(this);
+        OvnProviderResponse response = ovnProviderService.createOvnProviderResponse(provider);
+        if (response == null) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add OVN provider");
+        }
+        response.setResponseName(getCommandName());
+        setResponseObject(response);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmd.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmd.java
new file mode 100644
index 000000000000..b149a62f7a4b
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmd.java
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.cloudstack.service.OvnProviderService;
+
+import javax.inject.Inject;
+
+@APICommand(name = DeleteOvnProviderCmd.APINAME, description = "Delete OVN provider from CloudStack",
+        responseObject = OvnProviderResponse.class, requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false, authorized = {RoleType.Admin}, since = "4.23.0")
+public class DeleteOvnProviderCmd extends BaseCmd {
+    public static final String APINAME = "deleteOvnProvider";
+
+    @Inject
+    private OvnProviderService ovnProviderService;
+
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = OvnProviderResponse.class,
+            required = true, description = "OVN provider ID")
+    private Long id;
+
+    public Long getId() {
+        return id;
+    }
+
+    @Override
+    public void execute() throws ServerApiException, ConcurrentOperationException {
+        try {
+            boolean deleted = ovnProviderService.deleteOvnProvider(getId());
+            if (deleted) {
+                SuccessResponse response = new SuccessResponse(getCommandName());
+                response.setResponseName(getCommandName());
+                setResponseObject(response);
+                return;
+            }
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete OVN provider from zone");
+        } catch (InvalidParameterValueException e) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, e.getMessage());
+        } catch (CloudRuntimeException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
+        }
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return 0;
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/ListOvnProvidersCmd.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/ListOvnProvidersCmd.java
new file mode 100644
index 000000000000..a0f3eefff9d8
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/command/ListOvnProvidersCmd.java
@@ -0,0 +1,60 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.utils.StringUtils;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.service.OvnProviderService;
+
+import javax.inject.Inject;
+import java.util.List;
+
+@APICommand(name = ListOvnProvidersCmd.APINAME, description = "List all OVN providers added to CloudStack",
+        responseObject = OvnProviderResponse.class, requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false, since = "4.23.0")
+public class ListOvnProvidersCmd extends BaseListCmd {
+    public static final String APINAME = "listOvnProviders";
+
+    @Inject
+    OvnProviderService ovnProviderService;
+
+    @Parameter(name = ApiConstants.ZONE_ID, description = "ID of the zone", type = CommandType.UUID, entityType = ZoneResponse.class)
+    private Long zoneId;
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    @Override
+    public void execute() throws ServerApiException, ConcurrentOperationException {
+        List<BaseResponse> baseResponseList = ovnProviderService.listOvnProviders(zoneId);
+        List<BaseResponse> pagingList = StringUtils.applyPagination(baseResponseList, getStartIndex(), getPageSizeVal());
+        ListResponse<BaseResponse> listResponse = new ListResponse<>();
+        listResponse.setResponses(pagingList);
+        listResponse.setResponseName(getCommandName());
+        setResponseObject(listResponse);
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/response/OvnProviderResponse.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/response/OvnProviderResponse.java
new file mode 100644
index 000000000000..8782a4d92f66
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/api/response/OvnProviderResponse.java
@@ -0,0 +1,159 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.network.ovn.OvnProvider;
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.EntityReference;
+
+@EntityReference(value = {OvnProvider.class})
+public class OvnProviderResponse extends BaseResponse {
+    @SerializedName(ApiConstants.NAME)
+    @Param(description = "OVN provider name")
+    private String name;
+
+    @SerializedName(ApiConstants.UUID)
+    @Param(description = "OVN provider UUID")
+    private String uuid;
+
+    @SerializedName(ApiConstants.ZONE_ID)
+    @Param(description = "Zone ID to which the OVN provider is associated")
+    private String zoneId;
+
+    @SerializedName(ApiConstants.ZONE_NAME)
+    @Param(description = "Zone name to which the OVN provider is associated")
+    private String zoneName;
+
+    @SerializedName(ApiConstants.OVN_NB_CONNECTION)
+    @Param(description = "OVN Northbound database connection string")
+    private String nbConnection;
+
+    @SerializedName(ApiConstants.OVN_SB_CONNECTION)
+    @Param(description = "OVN Southbound database connection string")
+    private String sbConnection;
+
+    @SerializedName(ApiConstants.OVN_CA_CERT_PATH)
+    @Param(description = "OVN TLS CA certificate path")
+    private String caCertPath;
+
+    @SerializedName(ApiConstants.OVN_CLIENT_CERT_PATH)
+    @Param(description = "OVN TLS client certificate path")
+    private String clientCertPath;
+
+    @SerializedName(ApiConstants.OVN_CLIENT_PRIVATE_KEY_PATH)
+    @Param(description = "OVN TLS client private key path")
+    private String clientPrivateKeyPath;
+
+    @SerializedName(ApiConstants.OVN_EXTERNAL_BRIDGE)
+    @Param(description = "OVN external bridge used for provider network access")
+    private String externalBridge;
+
+    @SerializedName(ApiConstants.OVN_LOCALNET_NAME)
+    @Param(description = "OVN localnet name used for provider network mapping")
+    private String localnetName;
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public String getZoneId() {
+        return zoneId;
+    }
+
+    public void setZoneId(String zoneId) {
+        this.zoneId = zoneId;
+    }
+
+    public String getZoneName() {
+        return zoneName;
+    }
+
+    public void setZoneName(String zoneName) {
+        this.zoneName = zoneName;
+    }
+
+    public String getNbConnection() {
+        return nbConnection;
+    }
+
+    public void setNbConnection(String nbConnection) {
+        this.nbConnection = nbConnection;
+    }
+
+    public String getSbConnection() {
+        return sbConnection;
+    }
+
+    public void setSbConnection(String sbConnection) {
+        this.sbConnection = sbConnection;
+    }
+
+    public String getCaCertPath() {
+        return caCertPath;
+    }
+
+    public void setCaCertPath(String caCertPath) {
+        this.caCertPath = caCertPath;
+    }
+
+    public String getClientCertPath() {
+        return clientCertPath;
+    }
+
+    public void setClientCertPath(String clientCertPath) {
+        this.clientCertPath = clientCertPath;
+    }
+
+    public String getClientPrivateKeyPath() {
+        return clientPrivateKeyPath;
+    }
+
+    public void setClientPrivateKeyPath(String clientPrivateKeyPath) {
+        this.clientPrivateKeyPath = clientPrivateKeyPath;
+    }
+
+    public String getExternalBridge() {
+        return externalBridge;
+    }
+
+    public void setExternalBridge(String externalBridge) {
+        this.externalBridge = externalBridge;
+    }
+
+    public String getLocalnetName() {
+        return localnetName;
+    }
+
+    public void setLocalnetName(String localnetName) {
+        this.localnetName = localnetName;
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
new file mode 100644
index 000000000000..d7521b5582d9
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -0,0 +1,293 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.agent.api.to.LoadBalancerTO;
+import com.cloud.deploy.DeployDestination;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.IpAddress;
+import com.cloud.network.Network;
+import com.cloud.network.PhysicalNetworkServiceProvider;
+import com.cloud.network.PublicIpAddress;
+import com.cloud.network.element.DhcpServiceProvider;
+import com.cloud.network.element.DnsServiceProvider;
+import com.cloud.network.element.FirewallServiceProvider;
+import com.cloud.network.element.IpDeployer;
+import com.cloud.network.element.LoadBalancingServiceProvider;
+import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.network.element.PortForwardingServiceProvider;
+import com.cloud.network.element.StaticNatServiceProvider;
+import com.cloud.network.element.VpcProvider;
+import com.cloud.network.lb.LoadBalancingRule;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.LoadBalancerContainer;
+import com.cloud.network.rules.PortForwardingRule;
+import com.cloud.network.rules.StaticNat;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRouteProfile;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.vm.NicProfile;
+import com.cloud.vm.ReservationContext;
+import com.cloud.vm.VirtualMachineProfile;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class OvnElement extends AdapterBase implements DhcpServiceProvider, DnsServiceProvider, VpcProvider,
+        StaticNatServiceProvider, IpDeployer, PortForwardingServiceProvider, FirewallServiceProvider,
+        NetworkACLServiceProvider, LoadBalancingServiceProvider {
+
+    private final Map<Network.Service, Map<Network.Capability, String>> capabilities = initCapabilities();
+
+    protected static Map<Network.Service, Map<Network.Capability, String>> initCapabilities() {
+        Map<Network.Service, Map<Network.Capability, String>> capabilities = new HashMap<>();
+
+        Map<Network.Capability, String> dhcpCapabilities = new HashMap<>();
+        dhcpCapabilities.put(Network.Capability.DhcpAccrossMultipleSubnets, "true");
+        capabilities.put(Network.Service.Dhcp, dhcpCapabilities);
+
+        Map<Network.Capability, String> dnsCapabilities = new HashMap<>();
+        dnsCapabilities.put(Network.Capability.AllowDnsSuffixModification, "true");
+        capabilities.put(Network.Service.Dns, dnsCapabilities);
+
+        Map<Network.Capability, String> sourceNatCapabilities = new HashMap<>();
+        sourceNatCapabilities.put(Network.Capability.SupportedSourceNatTypes, "peraccount");
+        capabilities.put(Network.Service.SourceNat, sourceNatCapabilities);
+
+        capabilities.put(Network.Service.StaticNat, null);
+        capabilities.put(Network.Service.PortForwarding, null);
+        capabilities.put(Network.Service.NetworkACL, null);
+        capabilities.put(Network.Service.Gateway, null);
+
+        Map<Network.Capability, String> firewallCapabilities = new HashMap<>();
+        firewallCapabilities.put(Network.Capability.SupportedProtocols, "tcp,udp,icmp");
+        firewallCapabilities.put(Network.Capability.SupportedEgressProtocols, "tcp,udp,icmp,all");
+        firewallCapabilities.put(Network.Capability.SupportedTrafficDirection, "ingress,egress");
+        capabilities.put(Network.Service.Firewall, firewallCapabilities);
+
+        Map<Network.Capability, String> lbCapabilities = new HashMap<>();
+        lbCapabilities.put(Network.Capability.SupportedLBAlgorithms, "roundrobin,leastconn");
+        lbCapabilities.put(Network.Capability.SupportedLBIsolation, "dedicated");
+        lbCapabilities.put(Network.Capability.SupportedProtocols, "tcp,udp");
+        lbCapabilities.put(Network.Capability.LbSchemes, String.join(",", LoadBalancerContainer.Scheme.Internal.name(), LoadBalancerContainer.Scheme.Public.name()));
+        capabilities.put(Network.Service.Lb, lbCapabilities);
+
+        capabilities.put(Network.Service.Connectivity, null);
+        return capabilities;
+    }
+
+    @Override
+    public Map<Network.Service, Map<Network.Capability, String>> getCapabilities() {
+        return capabilities;
+    }
+
+    @Override
+    public Network.Provider getProvider() {
+        return Network.Provider.Ovn;
+    }
+
+    @Override
+    public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        return true;
+    }
+
+    @Override
+    public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        return true;
+    }
+
+    @Override
+    public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean destroy(Network network, ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean isReady(PhysicalNetworkServiceProvider provider) {
+        return true;
+    }
+
+    @Override
+    public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean canEnableIndividualServices() {
+        return true;
+    }
+
+    @Override
+    public boolean verifyServicesCombination(Set<Network.Service> services) {
+        return true;
+    }
+
+    @Override
+    public boolean addDhcpEntry(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean configDhcpSupportForSubnet(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean removeDhcpSupportForSubnet(Network network) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean setExtraDhcpOptions(Network network, long nicId, Map<Integer, String> dhcpOptions) {
+        return true;
+    }
+
+    @Override
+    public boolean removeDhcpEntry(Network network, NicProfile nic, VirtualMachineProfile vmProfile) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean addDnsEntry(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean configDnsSupportForSubnet(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean removeDnsSupportForSubnet(Network network) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Network.Service> services) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public IpDeployer getIpDeployer(Network network) {
+        return this;
+    }
+
+    @Override
+    public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        return true;
+    }
+
+    @Override
+    public boolean applyLBRules(Network network, List<LoadBalancingRule> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean validateLBRule(Network network, LoadBalancingRule rule) {
+        return true;
+    }
+
+    @Override
+    public List<LoadBalancerTO> updateHealthChecks(Network network, List<LoadBalancingRule> lbrules) {
+        return null;
+    }
+
+    @Override
+    public boolean handlesOnlyRulesInTransitionState() {
+        return false;
+    }
+
+    @Override
+    public boolean implementVpc(Vpc vpc, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        return true;
+    }
+
+    @Override
+    public boolean shutdownVpc(Vpc vpc, ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean createPrivateGateway(PrivateGateway gateway) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean deletePrivateGateway(PrivateGateway privateGateway) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean updateVpcSourceNatIp(Vpc vpc, IpAddress address) {
+        return true;
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
new file mode 100644
index 000000000000..860a200689a8
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
@@ -0,0 +1,80 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.dc.DataCenter;
+import com.cloud.deploy.DeploymentPlan;
+import com.cloud.deploy.DeployDestination;
+import com.cloud.network.Network;
+import com.cloud.network.NetworkMigrationResponder;
+import com.cloud.network.Networks;
+import com.cloud.network.PhysicalNetwork;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.guru.GuestNetworkGuru;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.user.Account;
+import com.cloud.vm.NicProfile;
+import com.cloud.vm.ReservationContext;
+import com.cloud.vm.VirtualMachineProfile;
+
+public class OvnGuestNetworkGuru extends GuestNetworkGuru implements NetworkMigrationResponder {
+    public OvnGuestNetworkGuru() {
+        super();
+        _isolationMethods = new PhysicalNetwork.IsolationMethod[] {new PhysicalNetwork.IsolationMethod("OVN")};
+    }
+
+    @Override
+    public boolean canHandle(NetworkOffering offering, DataCenter.NetworkType networkType, PhysicalNetwork physicalNetwork) {
+        return networkType == DataCenter.NetworkType.Advanced
+                && isMyTrafficType(offering.getTrafficType())
+                && isMyIsolationMethod(physicalNetwork)
+                && networkOfferingServiceMapDao.isProviderForNetworkOffering(offering.getId(), Network.Provider.Ovn);
+    }
+
+    @Override
+    public Network design(NetworkOffering offering, DeploymentPlan plan, Network userSpecified, String name, Long vpcId, Account owner) {
+        PhysicalNetworkVO physicalNetwork = _physicalNetworkDao.findById(plan.getPhysicalNetworkId());
+        DataCenter dataCenter = _dcDao.findById(plan.getDataCenterId());
+        if (!canHandle(offering, dataCenter.getNetworkType(), physicalNetwork)) {
+            logger.debug("Refusing to design this network");
+            return null;
+        }
+        NetworkVO network = (NetworkVO) super.design(offering, plan, userSpecified, name, vpcId, owner);
+        if (network == null) {
+            return null;
+        }
+        network.setBroadcastDomainType(Networks.BroadcastDomainType.OVN);
+        network.setBroadcastUri(Networks.BroadcastDomainType.OVN.toUri(String.format("cs-net-%d", network.getId())));
+        return network;
+    }
+
+    @Override
+    public boolean prepareMigration(NicProfile nic, Network network, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context) {
+        return true;
+    }
+
+    @Override
+    public void rollbackMigration(NicProfile nic, Network network, VirtualMachineProfile vm, ReservationContext src, ReservationContext dst) {
+        // No OVN resources are allocated during migration preparation in Phase 1.
+    }
+
+    @Override
+    public void commitMigration(NicProfile nic, Network network, VirtualMachineProfile vm, ReservationContext src, ReservationContext dst) {
+        // No OVN resources are allocated during migration preparation in Phase 1.
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
new file mode 100644
index 000000000000..390b1c2ed8d8
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import org.apache.commons.lang3.StringUtils;
+
+public class OvnNbClient {
+    public boolean isValidConnectionString(String connection) {
+        if (StringUtils.isBlank(connection)) {
+            return false;
+        }
+        return connection.matches("^(tcp|ssl):[^:]+:[0-9]+$") || connection.startsWith("unix:/");
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderService.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderService.java
new file mode 100644
index 000000000000..156a56655cb9
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderService.java
@@ -0,0 +1,32 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.network.ovn.OvnProvider;
+import com.cloud.utils.component.PluggableService;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.command.AddOvnProviderCmd;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+
+import java.util.List;
+
+public interface OvnProviderService extends PluggableService {
+    OvnProvider addProvider(AddOvnProviderCmd cmd);
+    List<BaseResponse> listOvnProviders(Long zoneId);
+    boolean deleteOvnProvider(Long providerId);
+    OvnProviderResponse createOvnProviderResponse(OvnProvider provider);
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
new file mode 100644
index 000000000000..966e32136f12
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
@@ -0,0 +1,175 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.dc.DataCenterVO;
+import com.cloud.dc.dao.DataCenterDao;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.Network;
+import com.cloud.network.Networks;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.OvnProviderDao;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.element.OvnProviderVO;
+import com.cloud.network.ovn.OvnProvider;
+import com.cloud.network.ovn.OvnService;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.command.AddOvnProviderCmd;
+import org.apache.cloudstack.api.command.DeleteOvnProviderCmd;
+import org.apache.cloudstack.api.command.ListOvnProvidersCmd;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+public class OvnProviderServiceImpl implements OvnProviderService {
+    @Inject
+    DataCenterDao dataCenterDao;
+    @Inject
+    OvnProviderDao ovnProviderDao;
+    @Inject
+    PhysicalNetworkDao physicalNetworkDao;
+    @Inject
+    NetworkDao networkDao;
+    @Inject
+    OvnService ovnService;
+
+    @Override
+    public OvnProvider addProvider(AddOvnProviderCmd cmd) {
+        validateProvider(cmd);
+        final long zoneId = cmd.getZoneId();
+        return Transaction.execute((TransactionCallback<OvnProviderVO>) status -> {
+            OvnProviderVO provider = new OvnProviderVO.Builder()
+                    .setZoneId(zoneId)
+                    .setName(cmd.getName())
+                    .setNbConnection(cmd.getNbConnection())
+                    .setSbConnection(cmd.getSbConnection())
+                    .setCaCertPath(cmd.getCaCertPath())
+                    .setClientCertPath(cmd.getClientCertPath())
+                    .setClientPrivateKeyPath(cmd.getClientPrivateKeyPath())
+                    .setExternalBridge(cmd.getExternalBridge())
+                    .setLocalnetName(cmd.getLocalnetName())
+                    .build();
+            return ovnProviderDao.persist(provider);
+        });
+    }
+
+    protected void validateProvider(AddOvnProviderCmd cmd) {
+        DataCenterVO zone = dataCenterDao.findById(cmd.getZoneId());
+        if (zone == null) {
+            throw new InvalidParameterValueException(String.format("Failed to find zone with id: %s", cmd.getZoneId()));
+        }
+        if (ovnProviderDao.findByZoneId(cmd.getZoneId()) != null) {
+            throw new InvalidParameterValueException(String.format("OVN provider already exists for zone: %s", cmd.getZoneId()));
+        }
+        if (!ovnService.isValidConnectionString(cmd.getNbConnection())) {
+            throw new InvalidParameterValueException("Invalid OVN Northbound connection string");
+        }
+        if (StringUtils.isNotBlank(cmd.getSbConnection()) && !ovnService.isValidConnectionString(cmd.getSbConnection())) {
+            throw new InvalidParameterValueException("Invalid OVN Southbound connection string");
+        }
+        if (cmd.getNbConnection().startsWith("ssl:") && (StringUtils.isAnyBlank(cmd.getCaCertPath(), cmd.getClientCertPath(), cmd.getClientPrivateKeyPath()))) {
+            throw new InvalidParameterValueException("OVN SSL connections require CA certificate, client certificate, and client private key paths");
+        }
+    }
+
+    @Override
+    public List<BaseResponse> listOvnProviders(Long zoneId) {
+        List<BaseResponse> responseList = new ArrayList<>();
+        if (zoneId != null) {
+            OvnProviderVO provider = ovnProviderDao.findByZoneId(zoneId);
+            if (provider != null) {
+                responseList.add(createOvnProviderResponse(provider));
+            }
+            return responseList;
+        }
+        for (OvnProviderVO provider : ovnProviderDao.listAll()) {
+            responseList.add(createOvnProviderResponse(provider));
+        }
+        return responseList;
+    }
+
+    @Override
+    public boolean deleteOvnProvider(Long providerId) {
+        OvnProviderVO provider = ovnProviderDao.findById(providerId);
+        if (provider == null) {
+            throw new InvalidParameterValueException(String.format("Failed to find OVN provider with id: %s", providerId));
+        }
+        validateNetworkState(provider.getZoneId());
+        ovnProviderDao.remove(providerId);
+        return true;
+    }
+
+    protected void validateNetworkState(long zoneId) {
+        List<PhysicalNetworkVO> physicalNetworks = physicalNetworkDao.listByZone(zoneId);
+        for (PhysicalNetworkVO physicalNetwork : physicalNetworks) {
+            List<NetworkVO> networks = networkDao.listByPhysicalNetwork(physicalNetwork.getId());
+            if (CollectionUtils.isNotEmpty(networks)) {
+                for (NetworkVO network : networks) {
+                    if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN
+                            && network.getState() != Network.State.Shutdown
+                            && network.getState() != Network.State.Destroy) {
+                        throw new CloudRuntimeException("This OVN provider cannot be deleted as there are one or more logical networks provisioned by CloudStack on it.");
+                    }
+                }
+            }
+        }
+    }
+
+    @Override
+    public OvnProviderResponse createOvnProviderResponse(OvnProvider provider) {
+        DataCenterVO zone = dataCenterDao.findById(provider.getZoneId());
+        if (Objects.isNull(zone)) {
+            throw new CloudRuntimeException(String.format("Failed to find zone with id %s", provider.getZoneId()));
+        }
+        OvnProviderResponse response = new OvnProviderResponse();
+        response.setName(provider.getName());
+        response.setUuid(provider.getUuid());
+        response.setZoneId(zone.getUuid());
+        response.setZoneName(zone.getName());
+        response.setNbConnection(provider.getNbConnection());
+        response.setSbConnection(provider.getSbConnection());
+        response.setCaCertPath(provider.getCaCertPath());
+        response.setClientCertPath(provider.getClientCertPath());
+        response.setClientPrivateKeyPath(provider.getClientPrivateKeyPath());
+        response.setExternalBridge(provider.getExternalBridge());
+        response.setLocalnetName(provider.getLocalnetName());
+        response.setObjectName("ovnProvider");
+        return response;
+    }
+
+    @Override
+    public List<Class<?>> getCommands() {
+        List<Class<?>> cmdList = new ArrayList<>();
+        if (Boolean.TRUE.equals(NetworkOrchestrationService.OVN_ENABLED.value())) {
+            cmdList.add(AddOvnProviderCmd.class);
+            cmdList.add(ListOvnProvidersCmd.class);
+            cmdList.add(DeleteOvnProviderCmd.class);
+        }
+        return cmdList;
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
new file mode 100644
index 000000000000..d192805c5c47
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
@@ -0,0 +1,55 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.network.ovn.OvnService;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
+
+public class OvnServiceImpl implements OvnService, Configurable {
+    private final OvnNbClient ovnNbClient = new OvnNbClient();
+
+    @Override
+    public String getLogicalSwitchName(long networkId) {
+        return String.format("cs-net-%d", networkId);
+    }
+
+    @Override
+    public String getLogicalRouterName(long vpcId) {
+        return String.format("cs-vpc-%d", vpcId);
+    }
+
+    @Override
+    public String getLogicalSwitchPortName(long nicId) {
+        return String.format("cs-nic-%d", nicId);
+    }
+
+    @Override
+    public boolean isValidConnectionString(String connection) {
+        return ovnNbClient.isValidConnectionString(connection);
+    }
+
+    @Override
+    public String getConfigComponentName() {
+        return OvnService.class.getSimpleName();
+    }
+
+    @Override
+    public ConfigKey<?>[] getConfigKeys() {
+        return new ConfigKey[0];
+    }
+}
diff --git a/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/core/spring-ovn-core-managers-context.xml b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/core/spring-ovn-core-managers-context.xml
new file mode 100644
index 000000000000..7132803bce82
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/core/spring-ovn-core-managers-context.xml
@@ -0,0 +1,31 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:aop="http://www.springframework.org/schema/aop"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+                      http://www.springframework.org/schema/beans/spring-beans.xsd
+                      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
+                      http://www.springframework.org/schema/context
+                      http://www.springframework.org/schema/context/spring-context.xsd">
+
+    <bean id="ovnService" class="org.apache.cloudstack.service.OvnServiceImpl"/>
+
+</beans>
diff --git a/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/module.properties b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/module.properties
new file mode 100644
index 000000000000..4469dbc3a7c9
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/module.properties
@@ -0,0 +1,21 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name=ovn
+parent=network
diff --git a/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/spring-ovn-context.xml b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/spring-ovn-context.xml
new file mode 100644
index 000000000000..c1bd678db588
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/resources/META-INF/cloudstack/ovn/spring-ovn-context.xml
@@ -0,0 +1,39 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:aop="http://www.springframework.org/schema/aop"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+                      http://www.springframework.org/schema/beans/spring-beans.xsd
+                      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
+                      http://www.springframework.org/schema/context
+                      http://www.springframework.org/schema/context/spring-context.xsd">
+
+    <bean id="Ovn" class="org.apache.cloudstack.service.OvnElement">
+        <property name="name" value="Ovn"/>
+    </bean>
+
+    <bean id="ovnGuestNetworkGuru" class="org.apache.cloudstack.service.OvnGuestNetworkGuru">
+        <property name="name" value="OvnGuestNetworkGuru"/>
+    </bean>
+
+    <bean id="ovnProviderService" class="org.apache.cloudstack.service.OvnProviderServiceImpl"/>
+
+</beans>
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
new file mode 100644
index 000000000000..f7a72a37174c
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
@@ -0,0 +1,94 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.network.ovn.OvnProvider;
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.service.OvnProviderService;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+public class AddOvnProviderCmdTest {
+    @Mock
+    private OvnProviderService ovnProviderService;
+    @Mock
+    private CallContext callContext;
+
+    private MockedStatic<CallContext> callContextMockedStatic;
+
+    @InjectMocks
+    private AddOvnProviderCmd cmd;
+
+    private AutoCloseable closeable;
+
+    @Before
+    public void setup() {
+        closeable = MockitoAnnotations.openMocks(this);
+        callContextMockedStatic = Mockito.mockStatic(CallContext.class);
+        callContextMockedStatic.when(CallContext::current).thenReturn(callContext);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        callContextMockedStatic.close();
+        closeable.close();
+    }
+
+    @Test
+    public void testExecuteSuccess() throws ConcurrentOperationException {
+        OvnProvider provider = Mockito.mock(OvnProvider.class);
+        OvnProviderResponse response = Mockito.mock(OvnProviderResponse.class);
+        Mockito.when(ovnProviderService.addProvider(cmd)).thenReturn(provider);
+        Mockito.when(ovnProviderService.createOvnProviderResponse(provider)).thenReturn(response);
+
+        cmd.execute();
+
+        Mockito.verify(ovnProviderService).addProvider(cmd);
+        Mockito.verify(ovnProviderService).createOvnProviderResponse(provider);
+        Mockito.verify(response).setResponseName(cmd.getCommandName());
+        Assert.assertEquals(response, cmd.getResponseObject());
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteFailure() throws ConcurrentOperationException {
+        OvnProvider provider = Mockito.mock(OvnProvider.class);
+        Mockito.when(ovnProviderService.addProvider(cmd)).thenReturn(provider);
+        Mockito.when(ovnProviderService.createOvnProviderResponse(provider)).thenReturn(null);
+
+        cmd.execute();
+    }
+
+    @Test
+    public void testGetEntityOwnerId() {
+        Account account = Mockito.mock(Account.class);
+        Mockito.when(account.getId()).thenReturn(123L);
+        Mockito.when(callContext.getCallingAccount()).thenReturn(account);
+
+        Assert.assertEquals(123L, cmd.getEntityOwnerId());
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmdTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmdTest.java
new file mode 100644
index 000000000000..c497c8e1b41f
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/DeleteOvnProviderCmdTest.java
@@ -0,0 +1,97 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.cloudstack.service.OvnProviderService;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+import java.lang.reflect.Field;
+
+public class DeleteOvnProviderCmdTest {
+    @Mock
+    private OvnProviderService ovnProviderService;
+
+    @InjectMocks
+    private DeleteOvnProviderCmd cmd;
+
+    private AutoCloseable closeable;
+    private static final long PROVIDER_ID = 1L;
+
+    @Before
+    public void setup() throws Exception {
+        closeable = MockitoAnnotations.openMocks(this);
+        setPrivateField("id", PROVIDER_ID);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        closeable.close();
+    }
+
+    @Test
+    public void testExecuteSuccess() throws ConcurrentOperationException {
+        Mockito.when(ovnProviderService.deleteOvnProvider(PROVIDER_ID)).thenReturn(true);
+
+        cmd.execute();
+
+        Mockito.verify(ovnProviderService).deleteOvnProvider(PROVIDER_ID);
+        Assert.assertTrue(cmd.getResponseObject() instanceof SuccessResponse);
+        SuccessResponse response = (SuccessResponse) cmd.getResponseObject();
+        Assert.assertEquals(cmd.getCommandName(), response.getResponseName());
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteFailure() throws ConcurrentOperationException {
+        Mockito.when(ovnProviderService.deleteOvnProvider(PROVIDER_ID)).thenReturn(false);
+        cmd.execute();
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteInvalidParameterException() throws ConcurrentOperationException {
+        Mockito.when(ovnProviderService.deleteOvnProvider(PROVIDER_ID)).thenThrow(new InvalidParameterValueException("invalid"));
+        cmd.execute();
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteCloudRuntimeException() throws ConcurrentOperationException {
+        Mockito.when(ovnProviderService.deleteOvnProvider(PROVIDER_ID)).thenThrow(new CloudRuntimeException("runtime"));
+        cmd.execute();
+    }
+
+    @Test
+    public void testGetEntityOwnerId() {
+        Assert.assertEquals(0L, cmd.getEntityOwnerId());
+    }
+
+    private void setPrivateField(String fieldName, Object value) throws Exception {
+        Field field = DeleteOvnProviderCmd.class.getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(cmd, value);
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/ListOvnProvidersCmdTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/ListOvnProvidersCmdTest.java
new file mode 100644
index 000000000000..f1294c78fd33
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/ListOvnProvidersCmdTest.java
@@ -0,0 +1,82 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command;
+
+import com.cloud.exception.ConcurrentOperationException;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.apache.cloudstack.service.OvnProviderService;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+import java.lang.reflect.Field;
+import java.util.Arrays;
+import java.util.List;
+
+public class ListOvnProvidersCmdTest {
+    @Mock
+    private OvnProviderService ovnProviderService;
+
+    @InjectMocks
+    private ListOvnProvidersCmd cmd;
+
+    private AutoCloseable closeable;
+    private static final long ZONE_ID = 1L;
+
+    @Before
+    public void setup() throws Exception {
+        closeable = MockitoAnnotations.openMocks(this);
+        setPrivateField("zoneId", ZONE_ID);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        closeable.close();
+    }
+
+    @Test
+    public void testExecuteSuccess() throws ConcurrentOperationException {
+        OvnProviderResponse providerResponse = Mockito.mock(OvnProviderResponse.class);
+        List<BaseResponse> providerList = Arrays.asList(providerResponse);
+        Mockito.when(ovnProviderService.listOvnProviders(ZONE_ID)).thenReturn(providerList);
+
+        cmd.execute();
+
+        Mockito.verify(ovnProviderService).listOvnProviders(ZONE_ID);
+        Assert.assertTrue(cmd.getResponseObject() instanceof ListResponse);
+        ListResponse<BaseResponse> response = (ListResponse<BaseResponse>) cmd.getResponseObject();
+        Assert.assertEquals(cmd.getCommandName(), response.getResponseName());
+    }
+
+    @Test
+    public void testGetEntityOwnerId() {
+        Assert.assertEquals(0L, cmd.getEntityOwnerId());
+    }
+
+    private void setPrivateField(String fieldName, Object value) throws Exception {
+        Field field = ListOvnProvidersCmd.class.getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(cmd, value);
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnElementTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnElementTest.java
new file mode 100644
index 000000000000..8007c209c228
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnElementTest.java
@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.network.Network;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.Map;
+
+public class OvnElementTest {
+    @Test
+    public void testGetProvider() {
+        Assert.assertEquals(Network.Provider.Ovn, new OvnElement().getProvider());
+    }
+
+    @Test
+    public void testCapabilitiesIncludeInitialOvnServices() {
+        Map<Network.Service, Map<Network.Capability, String>> capabilities = new OvnElement().getCapabilities();
+
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Dhcp));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Dns));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.SourceNat));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.StaticNat));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.PortForwarding));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Firewall));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.NetworkACL));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Lb));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Gateway));
+        Assert.assertTrue(capabilities.containsKey(Network.Service.Connectivity));
+        Assert.assertFalse(capabilities.containsKey(Network.Service.SecurityGroup));
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
new file mode 100644
index 000000000000..06c3ae16fdca
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
@@ -0,0 +1,199 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.dc.DataCenterVO;
+import com.cloud.dc.dao.DataCenterDao;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.Network;
+import com.cloud.network.Networks;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.OvnProviderDao;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.element.OvnProviderVO;
+import com.cloud.network.ovn.OvnService;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.command.AddOvnProviderCmd;
+import org.apache.cloudstack.api.response.OvnProviderResponse;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+import java.lang.reflect.Field;
+import java.util.Arrays;
+import java.util.List;
+
+public class OvnProviderServiceImplTest {
+    @Mock
+    private DataCenterDao dataCenterDao;
+    @Mock
+    private OvnProviderDao ovnProviderDao;
+    @Mock
+    private PhysicalNetworkDao physicalNetworkDao;
+    @Mock
+    private NetworkDao networkDao;
+    @Mock
+    private OvnService ovnService;
+
+    @InjectMocks
+    private OvnProviderServiceImpl ovnProviderService;
+
+    private AutoCloseable closeable;
+    private MockedStatic<Transaction> transactionMockedStatic;
+
+    private static final long ZONE_ID = 1L;
+    private static final long PROVIDER_ID = 3L;
+    private static final String NAME = "test-ovn";
+    private static final String NB_CONNECTION = "tcp:127.0.0.1:6641";
+    private static final String SB_CONNECTION = "tcp:127.0.0.1:6642";
+
+    @Before
+    public void setup() {
+        closeable = MockitoAnnotations.openMocks(this);
+        transactionMockedStatic = Mockito.mockStatic(Transaction.class);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        transactionMockedStatic.close();
+        closeable.close();
+    }
+
+    @Test
+    public void testAddProviderPersistsProvider() throws Exception {
+        AddOvnProviderCmd cmd = new AddOvnProviderCmd();
+        setPrivateField(cmd, "zoneId", ZONE_ID);
+        setPrivateField(cmd, "name", NAME);
+        setPrivateField(cmd, "nbConnection", NB_CONNECTION);
+        setPrivateField(cmd, "sbConnection", SB_CONNECTION);
+
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(Mockito.mock(DataCenterVO.class));
+        Mockito.when(ovnProviderDao.findByZoneId(ZONE_ID)).thenReturn(null);
+        Mockito.when(ovnService.isValidConnectionString(NB_CONNECTION)).thenReturn(true);
+        Mockito.when(ovnService.isValidConnectionString(SB_CONNECTION)).thenReturn(true);
+        Mockito.when(ovnProviderDao.persist(Mockito.any(OvnProviderVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
+        transactionMockedStatic.when(() -> Transaction.execute(Mockito.<TransactionCallback<OvnProviderVO>>any())).thenAnswer(invocation -> {
+            TransactionCallback<OvnProviderVO> callback = invocation.getArgument(0);
+            return callback.doInTransaction(null);
+        });
+
+        OvnProviderVO provider = (OvnProviderVO) ovnProviderService.addProvider(cmd);
+
+        Assert.assertEquals(ZONE_ID, provider.getZoneId());
+        Assert.assertEquals(NAME, provider.getName());
+        Assert.assertEquals(NB_CONNECTION, provider.getNbConnection());
+        Assert.assertEquals(SB_CONNECTION, provider.getSbConnection());
+        Mockito.verify(ovnProviderDao).persist(Mockito.any(OvnProviderVO.class));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testAddProviderRejectsInvalidNbConnection() throws Exception {
+        AddOvnProviderCmd cmd = new AddOvnProviderCmd();
+        setPrivateField(cmd, "zoneId", ZONE_ID);
+        setPrivateField(cmd, "name", NAME);
+        setPrivateField(cmd, "nbConnection", "invalid");
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(Mockito.mock(DataCenterVO.class));
+        Mockito.when(ovnService.isValidConnectionString("invalid")).thenReturn(false);
+
+        ovnProviderService.addProvider(cmd);
+    }
+
+    @Test
+    public void testListOvnProvidersWithZoneId() {
+        OvnProviderVO providerVO = Mockito.mock(OvnProviderVO.class);
+        Mockito.when(ovnProviderDao.findByZoneId(ZONE_ID)).thenReturn(providerVO);
+        Mockito.when(providerVO.getZoneId()).thenReturn(ZONE_ID);
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(getZone());
+
+        List<BaseResponse> result = ovnProviderService.listOvnProviders(ZONE_ID);
+
+        Assert.assertEquals(1, result.size());
+        Assert.assertTrue(result.get(0) instanceof OvnProviderResponse);
+    }
+
+    @Test
+    public void testDeleteOvnProviderSuccess() {
+        OvnProviderVO providerVO = Mockito.mock(OvnProviderVO.class);
+        Mockito.when(providerVO.getZoneId()).thenReturn(ZONE_ID);
+        Mockito.when(ovnProviderDao.findById(PROVIDER_ID)).thenReturn(providerVO);
+        Mockito.when(physicalNetworkDao.listByZone(ZONE_ID)).thenReturn(Arrays.asList(Mockito.mock(PhysicalNetworkVO.class)));
+
+        NetworkVO network = Mockito.mock(NetworkVO.class);
+        Mockito.when(networkDao.listByPhysicalNetwork(Mockito.anyLong())).thenReturn(Arrays.asList(network));
+        Mockito.when(network.getBroadcastDomainType()).thenReturn(Networks.BroadcastDomainType.OVN);
+        Mockito.when(network.getState()).thenReturn(Network.State.Shutdown);
+
+        Assert.assertTrue(ovnProviderService.deleteOvnProvider(PROVIDER_ID));
+        Mockito.verify(ovnProviderDao).remove(PROVIDER_ID);
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testDeleteOvnProviderWithActiveNetworks() {
+        OvnProviderVO providerVO = Mockito.mock(OvnProviderVO.class);
+        Mockito.when(providerVO.getZoneId()).thenReturn(ZONE_ID);
+        Mockito.when(ovnProviderDao.findById(PROVIDER_ID)).thenReturn(providerVO);
+        Mockito.when(physicalNetworkDao.listByZone(ZONE_ID)).thenReturn(Arrays.asList(Mockito.mock(PhysicalNetworkVO.class)));
+
+        NetworkVO network = Mockito.mock(NetworkVO.class);
+        Mockito.when(networkDao.listByPhysicalNetwork(Mockito.anyLong())).thenReturn(Arrays.asList(network));
+        Mockito.when(network.getBroadcastDomainType()).thenReturn(Networks.BroadcastDomainType.OVN);
+        Mockito.when(network.getState()).thenReturn(Network.State.Implemented);
+
+        ovnProviderService.deleteOvnProvider(PROVIDER_ID);
+    }
+
+    @Test
+    public void testCreateOvnProviderResponse() {
+        OvnProviderVO provider = Mockito.mock(OvnProviderVO.class);
+        Mockito.when(provider.getZoneId()).thenReturn(ZONE_ID);
+        Mockito.when(provider.getName()).thenReturn(NAME);
+        Mockito.when(provider.getNbConnection()).thenReturn(NB_CONNECTION);
+        Mockito.when(provider.getSbConnection()).thenReturn(SB_CONNECTION);
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(getZone());
+
+        OvnProviderResponse response = ovnProviderService.createOvnProviderResponse(provider);
+
+        Assert.assertNotNull(response);
+        Assert.assertEquals(NAME, response.getName());
+        Assert.assertEquals(NB_CONNECTION, response.getNbConnection());
+        Assert.assertEquals(SB_CONNECTION, response.getSbConnection());
+    }
+
+    private DataCenterVO getZone() {
+        DataCenterVO zone = Mockito.mock(DataCenterVO.class);
+        Mockito.when(zone.getName()).thenReturn("test-zone");
+        Mockito.when(zone.getUuid()).thenReturn("zone-uuid");
+        return zone;
+    }
+
+    private void setPrivateField(Object target, String fieldName, Object value) throws Exception {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(target, value);
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java
new file mode 100644
index 000000000000..f336756fa20e
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java
@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class OvnServiceImplTest {
+    private final OvnServiceImpl service = new OvnServiceImpl();
+
+    @Test
+    public void testDeterministicObjectNames() {
+        Assert.assertEquals("cs-net-10", service.getLogicalSwitchName(10L));
+        Assert.assertEquals("cs-vpc-20", service.getLogicalRouterName(20L));
+        Assert.assertEquals("cs-nic-30", service.getLogicalSwitchPortName(30L));
+    }
+
+    @Test
+    public void testConnectionStringValidation() {
+        Assert.assertTrue(service.isValidConnectionString("tcp:127.0.0.1:6641"));
+        Assert.assertTrue(service.isValidConnectionString("ssl:ovn.example.com:6641"));
+        Assert.assertTrue(service.isValidConnectionString("unix:/var/run/ovn/ovnnb_db.sock"));
+        Assert.assertFalse(service.isValidConnectionString("http://127.0.0.1:6641"));
+        Assert.assertFalse(service.isValidConnectionString(null));
+    }
+}
diff --git a/plugins/pom.xml b/plugins/pom.xml
index e4904ccdf40b..324737edfbbb 100755
--- a/plugins/pom.xml
+++ b/plugins/pom.xml
@@ -107,6 +107,7 @@
         <module>network-elements/netscaler</module>
         <module>network-elements/nicira-nvp</module>
         <module>network-elements/opendaylight</module>
+        <module>network-elements/ovn</module>
         <module>network-elements/ovs</module>
         <module>network-elements/palo-alto</module>
         <module>network-elements/stratosphere-ssp</module>
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
index 6da5dda967d0..df3ce4369771 100644
--- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -8354,8 +8354,8 @@ private void validateProvider(NetworkOfferingVO sourceOffering,
                                   String detectedProvider, String networkMode) {
 
         detectedProvider = getExternalNetworkProvider(detectedProvider, sourceServiceProviderMap);
-        // If this is an NSX/Netris offering, prevent network mode changes
-        if (detectedProvider != null && (detectedProvider.equals("NSX") || detectedProvider.equals("Netris"))) {
+        // If this is an external provider offering, prevent network mode changes
+        if (detectedProvider != null && (detectedProvider.equals("NSX") || detectedProvider.equals("Netris") || detectedProvider.equals("OVN"))) {
             if (networkMode != null && sourceOffering.getNetworkMode() != null) {
                 if (!networkMode.equalsIgnoreCase(sourceOffering.getNetworkMode().toString())) {
                     throw new InvalidParameterValueException(
@@ -8388,6 +8388,9 @@ public static String getExternalNetworkProvider(String detectedProvider,
                 if (provider == Provider.Netris) {
                     return "Netris";
                 }
+                if (provider == Provider.Ovn) {
+                    return "OVN";
+                }
             }
         }
 
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index c9884f8c469a..daa83592401a 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -4331,6 +4331,13 @@ public PhysicalNetworkVO doInTransaction(TransactionStatus status) {
                         logger.warn("Failed to add Netris provider to physical network due to:", ex.getMessage());
                     }
 
+                    // Add OVN provider
+                    try {
+                        addOvnProviderToPhysicalNetwork(pNetwork.getId());
+                    } catch (Exception ex) {
+                        logger.warn("Failed to add OVN provider to physical network due to:", ex.getMessage());
+                    }
+
                     CallContext.current().putContextParameter(PhysicalNetwork.class, pNetwork.getUuid());
 
                     return pNetwork;
@@ -5758,6 +5765,21 @@ private PhysicalNetworkServiceProvider addNetrisProviderToPhysicalNetwork(long p
         return null;
     }
 
+    private PhysicalNetworkServiceProvider addOvnProviderToPhysicalNetwork(long physicalNetworkId) {
+        PhysicalNetworkVO pvo = _physicalNetworkDao.findById(physicalNetworkId);
+        DataCenterVO dvo = _dcDao.findById(pvo.getDataCenterId());
+        if (dvo.getNetworkType() == NetworkType.Advanced) {
+            Provider provider = Network.Provider.getProvider(Provider.Ovn.getName());
+            if (provider == null) {
+                return null;
+            }
+
+            addProviderToPhysicalNetwork(physicalNetworkId, Provider.Ovn.getName(), null, null);
+            enableProvider(Provider.Ovn.getName());
+        }
+        return null;
+    }
+
     protected boolean isNetworkSystem(Network network) {
         NetworkOffering no = _networkOfferingDao.findByIdIncludingRemoved(network.getNetworkOfferingId());
         if (no.isSystemOnly()) {

From 86ba819686c7c14695e1e9c9cacdabbef5257e49 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 22 Apr 2026 17:54:24 +0200
Subject: [PATCH 02/33] OVN plugin: fix SSL cert enforcement and minor cleanups

Enforce TLS certificate requirement when either the Northbound or
Southbound connection uses ssl:, add a logger to the provider service
impl, drop the redundant CollectionUtils.isNotEmpty check in
validateNetworkState, and correct a stale migration comment in the
guest network guru.
---
 .../service/OvnGuestNetworkGuru.java          |  2 +-
 .../service/OvnProviderServiceImpl.java       | 22 ++++++++++---------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
index 860a200689a8..4f105595c693 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
@@ -75,6 +75,6 @@ public void rollbackMigration(NicProfile nic, Network network, VirtualMachinePro
 
     @Override
     public void commitMigration(NicProfile nic, Network network, VirtualMachineProfile vm, ReservationContext src, ReservationContext dst) {
-        // No OVN resources are allocated during migration preparation in Phase 1.
+        // No OVN resources are committed on migration in Phase 1.
     }
 }
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
index 966e32136f12..7b55eba8fbe8 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
@@ -38,8 +38,9 @@
 import org.apache.cloudstack.api.command.ListOvnProvidersCmd;
 import org.apache.cloudstack.api.response.OvnProviderResponse;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
-import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 import javax.inject.Inject;
 import java.util.ArrayList;
@@ -47,6 +48,8 @@
 import java.util.Objects;
 
 public class OvnProviderServiceImpl implements OvnProviderService {
+    protected Logger logger = LogManager.getLogger(getClass());
+
     @Inject
     DataCenterDao dataCenterDao;
     @Inject
@@ -92,7 +95,9 @@ protected void validateProvider(AddOvnProviderCmd cmd) {
         if (StringUtils.isNotBlank(cmd.getSbConnection()) && !ovnService.isValidConnectionString(cmd.getSbConnection())) {
             throw new InvalidParameterValueException("Invalid OVN Southbound connection string");
         }
-        if (cmd.getNbConnection().startsWith("ssl:") && (StringUtils.isAnyBlank(cmd.getCaCertPath(), cmd.getClientCertPath(), cmd.getClientPrivateKeyPath()))) {
+        boolean sslRequired = cmd.getNbConnection().startsWith("ssl:")
+                || (StringUtils.isNotBlank(cmd.getSbConnection()) && cmd.getSbConnection().startsWith("ssl:"));
+        if (sslRequired && StringUtils.isAnyBlank(cmd.getCaCertPath(), cmd.getClientCertPath(), cmd.getClientPrivateKeyPath())) {
             throw new InvalidParameterValueException("OVN SSL connections require CA certificate, client certificate, and client private key paths");
         }
     }
@@ -127,14 +132,11 @@ public boolean deleteOvnProvider(Long providerId) {
     protected void validateNetworkState(long zoneId) {
         List<PhysicalNetworkVO> physicalNetworks = physicalNetworkDao.listByZone(zoneId);
         for (PhysicalNetworkVO physicalNetwork : physicalNetworks) {
-            List<NetworkVO> networks = networkDao.listByPhysicalNetwork(physicalNetwork.getId());
-            if (CollectionUtils.isNotEmpty(networks)) {
-                for (NetworkVO network : networks) {
-                    if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN
-                            && network.getState() != Network.State.Shutdown
-                            && network.getState() != Network.State.Destroy) {
-                        throw new CloudRuntimeException("This OVN provider cannot be deleted as there are one or more logical networks provisioned by CloudStack on it.");
-                    }
+            for (NetworkVO network : networkDao.listByPhysicalNetwork(physicalNetwork.getId())) {
+                if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN
+                        && network.getState() != Network.State.Shutdown
+                        && network.getState() != Network.State.Destroy) {
+                    throw new CloudRuntimeException("This OVN provider cannot be deleted as there are one or more logical networks provisioned by CloudStack on it.");
                 }
             }
         }

From a7268151ebdc2395a6f7de25b32f772e3b8cfd9e Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Sat, 25 Apr 2026 18:51:59 +0200
Subject: [PATCH 03/33] OVN plugin: add real Northbound client backed by ODL
 OVSDB library

Replaces the regex-only OvnNbClient with a real OVSDB JSON-RPC client
that opens a transient connection to the OVN Northbound endpoint, runs
an echo, and confirms the OVN_Northbound database is advertised. Both
tcp: and ssl: connection strings are supported.

Adds OvnSslContext, an ICertificateManager implementation that loads
the operator-supplied CA, client certificate and client private key
into in-memory keystores so SSL connections do not need any keystore
on disk.

OvnService grows verifyNbConnection so callers can fail fast when the
Northbound endpoint is unreachable. The ODL OVSDB library 1.18.3 is
declared as a plugin dependency with Jackson, Guava and OSGi
annotations excluded, since CloudStack already pins those.
---
 .../com/cloud/network/ovn/OvnService.java     |   8 +-
 plugins/network-elements/ovn/pom.xml          |  40 +++++
 .../cloudstack/service/OvnNbClient.java       | 157 +++++++++++++++++-
 .../cloudstack/service/OvnServiceImpl.java    |  22 ++-
 .../cloudstack/service/OvnSslContext.java     | 130 +++++++++++++++
 .../cloudstack/service/OvnNbClientTest.java   |  69 ++++++++
 .../service/OvnServiceImplTest.java           |  19 ++-
 7 files changed, 436 insertions(+), 9 deletions(-)
 create mode 100644 plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnSslContext.java
 create mode 100644 plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnNbClientTest.java

diff --git a/api/src/main/java/com/cloud/network/ovn/OvnService.java b/api/src/main/java/com/cloud/network/ovn/OvnService.java
index 29fad2215c66..eda51162dab5 100644
--- a/api/src/main/java/com/cloud/network/ovn/OvnService.java
+++ b/api/src/main/java/com/cloud/network/ovn/OvnService.java
@@ -18,11 +18,17 @@
 
 /**
  * Service boundary for CloudStack's native OVN integration.
- * Phase 1 only defines stable naming and connection validation helpers; OVN NB operations are added in later phases.
  */
 public interface OvnService {
     String getLogicalSwitchName(long networkId);
     String getLogicalRouterName(long vpcId);
     String getLogicalSwitchPortName(long nicId);
     boolean isValidConnectionString(String connection);
+
+    /**
+     * Opens a transient connection to the OVN Northbound endpoint described by the arguments,
+     * runs an OVSDB echo and confirms the OVN_Northbound database is advertised. Throws a
+     * {@link com.cloud.utils.exception.CloudRuntimeException} on any failure, leaving no resources behind.
+     */
+    void verifyNbConnection(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath);
 }
diff --git a/plugins/network-elements/ovn/pom.xml b/plugins/network-elements/ovn/pom.xml
index a46f7a83fa08..36ae54b2858b 100644
--- a/plugins/network-elements/ovn/pom.xml
+++ b/plugins/network-elements/ovn/pom.xml
@@ -29,4 +29,44 @@
         <version>4.23.0.0-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
+
+    <properties>
+        <cs.ovsdb.library.version>1.18.3</cs.ovsdb.library.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.ovsdb</groupId>
+            <artifactId>library</artifactId>
+            <version>${cs.ovsdb.library.version}</version>
+            <exclusions>
+                <!-- CloudStack pins these via parent POM -->
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                </exclusion>
+                <!-- OSGi annotations only useful inside an OSGi runtime -->
+                <exclusion>
+                    <groupId>org.osgi</groupId>
+                    <artifactId>org.osgi.service.component.annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.osgi</groupId>
+                    <artifactId>org.osgi.service.metatype.annotations</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 390b1c2ed8d8..c6a46b8b55da 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -16,13 +16,168 @@
 // under the License.
 package org.apache.cloudstack.service;
 
+import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opendaylight.aaa.cert.api.ICertificateManager;
+import org.opendaylight.ovsdb.lib.OvsdbClient;
+import org.opendaylight.ovsdb.lib.impl.NettyBootstrapFactoryImpl;
+import org.opendaylight.ovsdb.lib.impl.OvsdbConnectionService;
+
+import javax.annotation.PreDestroy;
+import javax.net.ssl.SSLContext;
+import java.net.InetAddress;
+import java.security.KeyStore;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public class OvnNbClient {
+    protected static final Logger logger = LogManager.getLogger(OvnNbClient.class);
+    private static final String NORTHBOUND_DB = "OVN_Northbound";
+    private static final long DEFAULT_TIMEOUT_MS = 5_000L;
+    private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
+    private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
+
+    private final long timeoutMs;
+    private NettyBootstrapFactoryImpl bootstrapFactory;
+    private OvsdbConnectionService tcpConnectionService;
+
+    public OvnNbClient() {
+        this(DEFAULT_TIMEOUT_MS);
+    }
+
+    public OvnNbClient(long timeoutMs) {
+        this.timeoutMs = timeoutMs;
+    }
+
     public boolean isValidConnectionString(String connection) {
         if (StringUtils.isBlank(connection)) {
             return false;
         }
-        return connection.matches("^(tcp|ssl):[^:]+:[0-9]+$") || connection.startsWith("unix:/");
+        return CONN_PATTERN.matcher(connection).matches() || connection.startsWith("unix:/");
+    }
+
+    /**
+     * Opens a transient connection to NB, runs an echo, lists the databases, and disconnects.
+     * Throws on failure — caller treats success as proof that the NB endpoint is reachable
+     * and the supplied credentials/certificates are valid.
+     */
+    public void verifyConnection(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath) {
+        Endpoint ep = parse(nbConnection);
+        if (ep.scheme == Scheme.UNIX) {
+            throw new CloudRuntimeException("Unix-socket OVN connections are not supported by the management server client; use tcp: or ssl:");
+        }
+
+        OvsdbConnectionService service = null;
+        OvsdbClient client = null;
+        boolean closeServiceWhenDone = false;
+        try {
+            InetAddress addr = InetAddress.getByName(ep.host);
+            if (ep.scheme == Scheme.SSL) {
+                ICertificateManager cm = OvnSslContext.fromPaths(caCertPath, clientCertPath, clientPrivateKeyPath).asCertificateManager();
+                service = new OvsdbConnectionService(bootstrapFactory(), cm);
+                closeServiceWhenDone = true;
+                client = service.connectWithSsl(addr, ep.port, cm);
+            } else {
+                service = tcpService();
+                client = service.connect(addr, ep.port);
+            }
+            if (client == null) {
+                throw new CloudRuntimeException(String.format("OVN NB at %s did not accept the connection", nbConnection));
+            }
+            client.echo().get(timeoutMs, TimeUnit.MILLISECONDS);
+            List<String> dbs = client.getDatabases().get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (dbs == null || !dbs.contains(NORTHBOUND_DB)) {
+                throw new CloudRuntimeException(String.format("OVN endpoint %s did not advertise %s; got %s",
+                        nbConnection, NORTHBOUND_DB, dbs));
+            }
+            logger.debug("OVN NB at {} reachable, databases={}", nbConnection, dbs);
+        } catch (CloudRuntimeException e) {
+            throw e;
+        } catch (Exception e) {
+            throw new CloudRuntimeException("Cannot reach OVN NB at " + nbConnection + ": " + e.getMessage(), e);
+        } finally {
+            if (client != null && service != null) {
+                try { service.disconnect(client); } catch (Exception ignored) { }
+            }
+            if (closeServiceWhenDone && service != null) {
+                try { service.close(); } catch (Exception ignored) { }
+            }
+        }
+    }
+
+    @PreDestroy
+    public synchronized void shutdown() {
+        if (tcpConnectionService != null) {
+            try { tcpConnectionService.close(); } catch (Exception ignored) { }
+            tcpConnectionService = null;
+        }
+        if (bootstrapFactory != null) {
+            try { bootstrapFactory.close(); } catch (Exception ignored) { }
+            bootstrapFactory = null;
+        }
+    }
+
+    private synchronized NettyBootstrapFactoryImpl bootstrapFactory() {
+        if (bootstrapFactory == null) {
+            bootstrapFactory = new NettyBootstrapFactoryImpl();
+        }
+        return bootstrapFactory;
+    }
+
+    private synchronized OvsdbConnectionService tcpService() {
+        if (tcpConnectionService == null) {
+            tcpConnectionService = new OvsdbConnectionService(bootstrapFactory(), NOOP_CERT_MANAGER);
+        }
+        return tcpConnectionService;
+    }
+
+    static Endpoint parse(String connection) {
+        if (StringUtils.isBlank(connection)) {
+            throw new CloudRuntimeException("OVN connection string is blank");
+        }
+        if (connection.startsWith("unix:/")) {
+            return new Endpoint(Scheme.UNIX, connection.substring("unix:".length()), 0);
+        }
+        Matcher m = CONN_PATTERN.matcher(connection);
+        if (!m.matches()) {
+            throw new CloudRuntimeException("Invalid OVN connection string: " + connection);
+        }
+        Scheme scheme = "ssl".equals(m.group(1)) ? Scheme.SSL : Scheme.TCP;
+        return new Endpoint(scheme, m.group(2), Integer.parseInt(m.group(3)));
+    }
+
+    enum Scheme { TCP, SSL, UNIX }
+
+    static final class Endpoint {
+        final Scheme scheme;
+        final String host;
+        final int port;
+
+        Endpoint(Scheme scheme, String host, int port) {
+            this.scheme = scheme;
+            this.host = host;
+            this.port = port;
+        }
+    }
+
+    /**
+     * The OvsdbConnectionService constructor requires a non-null ICertificateManager even for plain
+     * TCP. None of its methods are invoked along the TCP code path.
+     */
+    private static final class NoopCertificateManager implements ICertificateManager {
+        @Override public KeyStore getODLKeyStore() { return null; }
+        @Override public KeyStore getTrustKeyStore() { return null; }
+        @Override public String[] getCipherSuites() { return new String[0]; }
+        @Override public String[] getTlsProtocols() { return new String[0]; }
+        @Override public String getCertificateTrustStore(String s, String d, boolean p) { return null; }
+        @Override public String getODLKeyStoreCertificate(String s, boolean p) { return null; }
+        @Override public String genODLKeyStoreCertificateReq(String s, boolean p) { return null; }
+        @Override public SSLContext getServerContext() { return null; }
+        @Override public boolean importSslDataKeystores(String a, String b, String c, String d, String e, String[] f, String g) { return false; }
+        @Override public void exportSslDataKeystores() { }
     }
 }
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
index d192805c5c47..564d3990bf7a 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnServiceImpl.java
@@ -20,8 +20,18 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 
+import javax.annotation.PreDestroy;
+
 public class OvnServiceImpl implements OvnService, Configurable {
-    private final OvnNbClient ovnNbClient = new OvnNbClient();
+    private final OvnNbClient ovnNbClient;
+
+    public OvnServiceImpl() {
+        this(new OvnNbClient());
+    }
+
+    OvnServiceImpl(OvnNbClient ovnNbClient) {
+        this.ovnNbClient = ovnNbClient;
+    }
 
     @Override
     public String getLogicalSwitchName(long networkId) {
@@ -43,6 +53,11 @@ public boolean isValidConnectionString(String connection) {
         return ovnNbClient.isValidConnectionString(connection);
     }
 
+    @Override
+    public void verifyNbConnection(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath) {
+        ovnNbClient.verifyConnection(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath);
+    }
+
     @Override
     public String getConfigComponentName() {
         return OvnService.class.getSimpleName();
@@ -52,4 +67,9 @@ public String getConfigComponentName() {
     public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey[0];
     }
+
+    @PreDestroy
+    public void shutdown() {
+        ovnNbClient.shutdown();
+    }
 }
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnSslContext.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnSslContext.java
new file mode 100644
index 000000000000..02a569cdfea8
--- /dev/null
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnSslContext.java
@@ -0,0 +1,130 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.commons.lang3.StringUtils;
+import org.opendaylight.aaa.cert.api.ICertificateManager;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public final class OvnSslContext {
+    private static final char[] EMPTY_PASSWORD = new char[0];
+    private static final String KEYSTORE_TYPE = "JKS";
+    private static final String CLIENT_KEY_ALIAS = "ovn-client";
+    private static final String CA_ALIAS = "ovn-ca";
+    private static final Pattern PEM_PRIVATE_KEY = Pattern.compile(
+            "-----BEGIN (?:RSA |EC )?PRIVATE KEY-----(.+?)-----END (?:RSA |EC )?PRIVATE KEY-----",
+            Pattern.DOTALL);
+
+    private final KeyStore keyStore;
+    private final KeyStore trustStore;
+
+    OvnSslContext(KeyStore keyStore, KeyStore trustStore) {
+        this.keyStore = keyStore;
+        this.trustStore = trustStore;
+    }
+
+    public static OvnSslContext fromPaths(String caCertPath, String clientCertPath, String clientPrivateKeyPath) {
+        if (StringUtils.isAnyBlank(caCertPath, clientCertPath, clientPrivateKeyPath)) {
+            throw new CloudRuntimeException("OVN SSL connection requires CA, client certificate and client private key paths");
+        }
+        try {
+            KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
+            trustStore.load(null, EMPTY_PASSWORD);
+            trustStore.setCertificateEntry(CA_ALIAS, readCertificate(caCertPath));
+
+            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+            keyStore.load(null, EMPTY_PASSWORD);
+            keyStore.setKeyEntry(CLIENT_KEY_ALIAS, readPrivateKey(clientPrivateKeyPath), EMPTY_PASSWORD,
+                    new Certificate[]{readCertificate(clientCertPath)});
+            return new OvnSslContext(keyStore, trustStore);
+        } catch (Exception e) {
+            throw new CloudRuntimeException("Failed to build OVN SSL context: " + e.getMessage(), e);
+        }
+    }
+
+    public ICertificateManager asCertificateManager() {
+        return new ICertificateManager() {
+            @Override public KeyStore getODLKeyStore() { return keyStore; }
+            @Override public KeyStore getTrustKeyStore() { return trustStore; }
+            @Override public String[] getCipherSuites() { return new String[0]; }
+            @Override public String[] getTlsProtocols() { return new String[]{"TLSv1.2", "TLSv1.3"}; }
+            @Override public String getCertificateTrustStore(String s, String d, boolean p) { return null; }
+            @Override public String getODLKeyStoreCertificate(String s, boolean p) { return null; }
+            @Override public String genODLKeyStoreCertificateReq(String s, boolean p) { return null; }
+            @Override public SSLContext getServerContext() { return buildContext(); }
+            @Override public boolean importSslDataKeystores(String a, String b, String c, String d, String e, String[] f, String g) { return false; }
+            @Override public void exportSslDataKeystores() { }
+        };
+    }
+
+    private SSLContext buildContext() {
+        try {
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            kmf.init(keyStore, EMPTY_PASSWORD);
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(trustStore);
+            SSLContext ctx = SSLContext.getInstance("TLS");
+            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+            return ctx;
+        } catch (Exception e) {
+            throw new CloudRuntimeException("Failed to initialize OVN SSL context: " + e.getMessage(), e);
+        }
+    }
+
+    private static X509Certificate readCertificate(String path) throws IOException {
+        try (InputStream in = Files.newInputStream(Path.of(path))) {
+            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
+        } catch (java.security.cert.CertificateException e) {
+            throw new IOException("Cannot parse certificate at " + path + ": " + e.getMessage(), e);
+        }
+    }
+
+    private static PrivateKey readPrivateKey(String path) throws IOException {
+        String pem = Files.readString(Path.of(path));
+        Matcher m = PEM_PRIVATE_KEY.matcher(pem);
+        if (!m.find()) {
+            throw new IOException("No PRIVATE KEY block found at " + path);
+        }
+        byte[] der = Base64.getMimeDecoder().decode(m.group(1));
+        try {
+            return java.security.KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
+        } catch (Exception eRsa) {
+            try {
+                return java.security.KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(der));
+            } catch (Exception eEc) {
+                throw new IOException("Cannot parse private key at " + path + " as RSA or EC: " + eEc.getMessage(), eEc);
+            }
+        }
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnNbClientTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnNbClientTest.java
new file mode 100644
index 000000000000..23949ec9a9ea
--- /dev/null
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnNbClientTest.java
@@ -0,0 +1,69 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class OvnNbClientTest {
+    private final OvnNbClient client = new OvnNbClient();
+
+    @Test
+    public void testIsValidConnectionString() {
+        Assert.assertTrue(client.isValidConnectionString("tcp:127.0.0.1:6641"));
+        Assert.assertTrue(client.isValidConnectionString("ssl:ovn.example.com:6641"));
+        Assert.assertTrue(client.isValidConnectionString("unix:/var/run/ovn/ovnnb_db.sock"));
+        Assert.assertFalse(client.isValidConnectionString("http://1.2.3.4:6641"));
+        Assert.assertFalse(client.isValidConnectionString("tcp:1.2.3.4"));
+        Assert.assertFalse(client.isValidConnectionString(""));
+        Assert.assertFalse(client.isValidConnectionString(null));
+    }
+
+    @Test
+    public void testParseTcpEndpoint() {
+        OvnNbClient.Endpoint ep = OvnNbClient.parse("tcp:10.0.34.51:6641");
+        Assert.assertEquals(OvnNbClient.Scheme.TCP, ep.scheme);
+        Assert.assertEquals("10.0.34.51", ep.host);
+        Assert.assertEquals(6641, ep.port);
+    }
+
+    @Test
+    public void testParseSslEndpoint() {
+        OvnNbClient.Endpoint ep = OvnNbClient.parse("ssl:nb.example.com:6641");
+        Assert.assertEquals(OvnNbClient.Scheme.SSL, ep.scheme);
+        Assert.assertEquals("nb.example.com", ep.host);
+        Assert.assertEquals(6641, ep.port);
+    }
+
+    @Test
+    public void testParseUnixEndpoint() {
+        OvnNbClient.Endpoint ep = OvnNbClient.parse("unix:/var/run/ovn/ovnnb_db.sock");
+        Assert.assertEquals(OvnNbClient.Scheme.UNIX, ep.scheme);
+        Assert.assertEquals("/var/run/ovn/ovnnb_db.sock", ep.host);
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testParseInvalidThrows() {
+        OvnNbClient.parse("not-a-connection-string");
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testVerifyConnectionRejectsUnix() {
+        client.verifyConnection("unix:/var/run/ovn/ovnnb_db.sock", null, null, null);
+    }
+}
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java
index f336756fa20e..59330d2aa859 100644
--- a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnServiceImplTest.java
@@ -18,9 +18,11 @@
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.Mockito;
 
 public class OvnServiceImplTest {
-    private final OvnServiceImpl service = new OvnServiceImpl();
+    private final OvnNbClient mockClient = Mockito.mock(OvnNbClient.class);
+    private final OvnServiceImpl service = new OvnServiceImpl(mockClient);
 
     @Test
     public void testDeterministicObjectNames() {
@@ -30,11 +32,16 @@ public void testDeterministicObjectNames() {
     }
 
     @Test
-    public void testConnectionStringValidation() {
+    public void testConnectionStringValidationDelegatesToClient() {
+        Mockito.when(mockClient.isValidConnectionString("tcp:127.0.0.1:6641")).thenReturn(true);
+        Mockito.when(mockClient.isValidConnectionString("bogus")).thenReturn(false);
         Assert.assertTrue(service.isValidConnectionString("tcp:127.0.0.1:6641"));
-        Assert.assertTrue(service.isValidConnectionString("ssl:ovn.example.com:6641"));
-        Assert.assertTrue(service.isValidConnectionString("unix:/var/run/ovn/ovnnb_db.sock"));
-        Assert.assertFalse(service.isValidConnectionString("http://127.0.0.1:6641"));
-        Assert.assertFalse(service.isValidConnectionString(null));
+        Assert.assertFalse(service.isValidConnectionString("bogus"));
+    }
+
+    @Test
+    public void testVerifyNbConnectionDelegatesToClient() {
+        service.verifyNbConnection("tcp:1.2.3.4:6641", null, null, null);
+        Mockito.verify(mockClient).verifyConnection("tcp:1.2.3.4:6641", null, null, null);
     }
 }

From 839af0e8b2433ab234cf01dfe2aa16dfdcd2a94e Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Sat, 25 Apr 2026 18:52:22 +0200
Subject: [PATCH 04/33] OVN plugin: health-check Northbound endpoint at
 addOvnProvider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

addOvnProvider now opens a transient OVSDB connection during request
validation and rejects the registration with InvalidParameterValueException
if the endpoint is unreachable or does not advertise the OVN_Northbound
database. This catches typos, missing TLS material and routing problems
before persisting a broken provider row.

Also reorders the order-of-evaluation of two pre-existing tests that
constructed Mockito stubs inside thenReturn() arguments, and rewrites
AddOvnProviderCmdTest to set the service field by reflection — the
prior @InjectMocks-driven setup was ambiguous because BaseCmd has an
Object-typed _responseObject field that matched any of the @Mock fields.
---
 .../service/OvnProviderServiceImpl.java       |  6 +++++
 .../api/command/AddOvnProviderCmdTest.java    | 27 +++++++++----------
 .../service/OvnProviderServiceImplTest.java   |  9 ++++---
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
index 7b55eba8fbe8..b47be9967132 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnProviderServiceImpl.java
@@ -100,6 +100,12 @@ protected void validateProvider(AddOvnProviderCmd cmd) {
         if (sslRequired && StringUtils.isAnyBlank(cmd.getCaCertPath(), cmd.getClientCertPath(), cmd.getClientPrivateKeyPath())) {
             throw new InvalidParameterValueException("OVN SSL connections require CA certificate, client certificate, and client private key paths");
         }
+        try {
+            ovnService.verifyNbConnection(cmd.getNbConnection(), cmd.getCaCertPath(), cmd.getClientCertPath(), cmd.getClientPrivateKeyPath());
+        } catch (CloudRuntimeException e) {
+            logger.warn("OVN NB health check failed for zone {}: {}", cmd.getZoneId(), e.getMessage());
+            throw new InvalidParameterValueException("OVN NB endpoint is unreachable: " + e.getMessage());
+        }
     }
 
     @Override
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
index f7a72a37174c..cda5a7e0677c 100644
--- a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/api/command/AddOvnProviderCmdTest.java
@@ -27,36 +27,35 @@
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
-import org.mockito.MockitoAnnotations;
+
+import java.lang.reflect.Field;
 
 public class AddOvnProviderCmdTest {
-    @Mock
     private OvnProviderService ovnProviderService;
-    @Mock
     private CallContext callContext;
-
     private MockedStatic<CallContext> callContextMockedStatic;
-
-    @InjectMocks
     private AddOvnProviderCmd cmd;
 
-    private AutoCloseable closeable;
-
     @Before
-    public void setup() {
-        closeable = MockitoAnnotations.openMocks(this);
+    public void setup() throws Exception {
+        ovnProviderService = Mockito.mock(OvnProviderService.class);
+        callContext = Mockito.mock(CallContext.class);
         callContextMockedStatic = Mockito.mockStatic(CallContext.class);
         callContextMockedStatic.when(CallContext::current).thenReturn(callContext);
+
+        cmd = new AddOvnProviderCmd();
+        Field svc = AddOvnProviderCmd.class.getDeclaredField("ovnProviderService");
+        svc.setAccessible(true);
+        svc.set(cmd, ovnProviderService);
     }
 
     @After
     public void tearDown() throws Exception {
-        callContextMockedStatic.close();
-        closeable.close();
+        if (callContextMockedStatic != null) {
+            callContextMockedStatic.close();
+        }
     }
 
     @Test
diff --git a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
index 06c3ae16fdca..a912fd659aad 100644
--- a/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
+++ b/plugins/network-elements/ovn/src/test/java/org/apache/cloudstack/service/OvnProviderServiceImplTest.java
@@ -96,6 +96,7 @@ public void testAddProviderPersistsProvider() throws Exception {
         Mockito.when(ovnProviderDao.findByZoneId(ZONE_ID)).thenReturn(null);
         Mockito.when(ovnService.isValidConnectionString(NB_CONNECTION)).thenReturn(true);
         Mockito.when(ovnService.isValidConnectionString(SB_CONNECTION)).thenReturn(true);
+        Mockito.doNothing().when(ovnService).verifyNbConnection(Mockito.eq(NB_CONNECTION), Mockito.any(), Mockito.any(), Mockito.any());
         Mockito.when(ovnProviderDao.persist(Mockito.any(OvnProviderVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
         transactionMockedStatic.when(() -> Transaction.execute(Mockito.<TransactionCallback<OvnProviderVO>>any())).thenAnswer(invocation -> {
             TransactionCallback<OvnProviderVO> callback = invocation.getArgument(0);
@@ -126,9 +127,10 @@ public void testAddProviderRejectsInvalidNbConnection() throws Exception {
     @Test
     public void testListOvnProvidersWithZoneId() {
         OvnProviderVO providerVO = Mockito.mock(OvnProviderVO.class);
-        Mockito.when(ovnProviderDao.findByZoneId(ZONE_ID)).thenReturn(providerVO);
         Mockito.when(providerVO.getZoneId()).thenReturn(ZONE_ID);
-        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(getZone());
+        Mockito.when(ovnProviderDao.findByZoneId(ZONE_ID)).thenReturn(providerVO);
+        DataCenterVO zone = getZone();
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(zone);
 
         List<BaseResponse> result = ovnProviderService.listOvnProviders(ZONE_ID);
 
@@ -174,7 +176,8 @@ public void testCreateOvnProviderResponse() {
         Mockito.when(provider.getName()).thenReturn(NAME);
         Mockito.when(provider.getNbConnection()).thenReturn(NB_CONNECTION);
         Mockito.when(provider.getSbConnection()).thenReturn(SB_CONNECTION);
-        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(getZone());
+        DataCenterVO zone = getZone();
+        Mockito.when(dataCenterDao.findById(ZONE_ID)).thenReturn(zone);
 
         OvnProviderResponse response = ovnProviderService.createOvnProviderResponse(provider);
 

From bd8ce97948dfe3dde31491c284c9efc950a1716c Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Mon, 27 Apr 2026 16:35:55 +0200
Subject: [PATCH 05/33] OVN plugin: create logical switches and persist system
 VM bootstrap

---
 .../java/com/cloud/vm/VirtualMachineGuru.java |   2 +-
 .../wrapper/LibvirtStartCommandWrapper.java   |  12 ++
 .../LibvirtComputingResourceTest.java         |   6 +
 .../apache/cloudstack/service/OvnElement.java |  49 +++++
 .../service/OvnGuestNetworkGuru.java          |  22 ++-
 .../cloudstack/service/OvnNbClient.java       | 167 +++++++++++++++---
 .../network/guru/OvsGuestNetworkGuru.java     |   3 +-
 .../consoleproxy/ConsoleProxyManagerImpl.java |   5 +-
 .../SecondaryStorageManagerImpl.java          |   6 +-
 .../debian/opt/cloud/bin/setup/bootstrap.sh   |  47 ++++-
 .../opt/cloud/bin/setup/cloud-early-config    |   2 +
 systemvm/debian/opt/cloud/bin/setup/common.sh |   4 +-
 12 files changed, 290 insertions(+), 35 deletions(-)

diff --git a/engine/api/src/main/java/com/cloud/vm/VirtualMachineGuru.java b/engine/api/src/main/java/com/cloud/vm/VirtualMachineGuru.java
index 76f0830f369e..cb908348072c 100644
--- a/engine/api/src/main/java/com/cloud/vm/VirtualMachineGuru.java
+++ b/engine/api/src/main/java/com/cloud/vm/VirtualMachineGuru.java
@@ -88,7 +88,7 @@ public static String getEncodedString(String certificate) {
         return Base64.getEncoder().encodeToString(certificate.replace("\n", KeyStoreUtils.CERT_NEWLINE_ENCODER).replace(" ", KeyStoreUtils.CERT_SPACE_ENCODER).getBytes(StandardCharsets.UTF_8));
     }
 
-    static void appendCertificateDetails(StringBuilder buf, Certificate certificate) {
+    public static void appendCertificateDetails(StringBuilder buf, Certificate certificate) {
         try {
             buf.append(" certificate=").append(getEncodedString(CertUtils.x509CertificateToPem(certificate.getClientCertificate())));
             buf.append(" cacertificate=").append(getEncodedString(CertUtils.x509CertificatesToPem(certificate.getCaCertificates())));
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index 567986465906..3e1547057f2d 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -46,6 +46,8 @@
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.resource.CommandWrapper;
 import com.cloud.resource.ResourceWrapper;
+import com.cloud.utils.Pair;
+import com.cloud.utils.ssh.SshHelper;
 import com.cloud.vm.UserVmManager;
 import com.cloud.vm.VirtualMachine;
 
@@ -131,6 +133,16 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                     try {
                         File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
                         FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
+                        if (vmName.startsWith("s-") || vmName.startsWith("v-")) {
+                            Pair<Boolean, String> setupResult = SshHelper.sshExecute(controlIp, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), "root", pemFile, null,
+                                    "if [ ! -x /usr/local/cloud/systemvm/_run.sh ] || [ ! -f /usr/local/cloud/systemvm/conf/cloud.jks ]; then /opt/cloud/bin/setup/cloud-early-config; fi && systemctl restart cloud.service",
+                                    10000, 10000, 600000);
+                            if (!setupResult.first()) {
+                                String errMsg = String.format("Failed to setup systemVM after copying patch files: %s", setupResult.second());
+                                logger.error(errMsg);
+                                return new StartAnswer(command, errMsg);
+                            }
+                        }
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
                             String errMsg = "Failed to patch systemVM";
                             logger.error(errMsg);
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
index b96295240076..b9cf1c3dd0a6 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
@@ -5295,6 +5295,9 @@ public void testStartCommand() throws Exception {
                     Mockito.anyString(), Mockito.anyInt(),
                     Mockito.anyString(), any(File.class), nullable(String.class), Mockito.anyString(),
                     any(String[].class), Mockito.anyString())).thenAnswer(invocation -> null);
+            sshHelperMockedStatic.when(() -> SshHelper.sshExecute(
+                    Mockito.anyString(), Mockito.anyInt(), Mockito.anyString(), any(File.class), nullable(String.class),
+                    Mockito.anyString(), Mockito.anyInt(), Mockito.anyInt(), Mockito.anyInt())).thenReturn(new Pair<>(true, ""));
 
             final LibvirtRequestWrapper wrapper = LibvirtRequestWrapper.getInstance();
             assertNotNull(wrapper);
@@ -5375,6 +5378,9 @@ public void testStartCommandIsolationEc2() throws Exception {
                     Mockito.anyString(), Mockito.anyInt(),
                     Mockito.anyString(), any(File.class), nullable(String.class), Mockito.anyString(),
                     any(String[].class), Mockito.anyString())).thenAnswer(invocation -> null);
+            sshHelperMockedStatic.when(() -> SshHelper.sshExecute(
+                    Mockito.anyString(), Mockito.anyInt(), Mockito.anyString(), any(File.class), nullable(String.class),
+                    Mockito.anyString(), Mockito.anyInt(), Mockito.anyInt(), Mockito.anyInt())).thenReturn(new Pair<>(true, ""));
             final LibvirtRequestWrapper wrapper = LibvirtRequestWrapper.getInstance();
             assertNotNull(wrapper);
 
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index d7521b5582d9..6fe6b0023074 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -17,12 +17,14 @@
 package org.apache.cloudstack.service;
 
 import com.cloud.agent.api.to.LoadBalancerTO;
+import com.cloud.dc.DataCenter;
 import com.cloud.deploy.DeployDestination;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IpAddress;
 import com.cloud.network.Network;
+import com.cloud.network.Networks;
 import com.cloud.network.PhysicalNetworkServiceProvider;
 import com.cloud.network.PublicIpAddress;
 import com.cloud.network.element.DhcpServiceProvider;
@@ -31,6 +33,8 @@
 import com.cloud.network.element.IpDeployer;
 import com.cloud.network.element.LoadBalancingServiceProvider;
 import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.network.dao.OvnProviderDao;
+import com.cloud.network.element.OvnProviderVO;
 import com.cloud.network.element.PortForwardingServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.VpcProvider;
@@ -45,6 +49,7 @@
 import com.cloud.network.vpc.Vpc;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.NicProfile;
 import com.cloud.vm.ReservationContext;
 import com.cloud.vm.VirtualMachineProfile;
@@ -53,12 +58,17 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import javax.inject.Inject;
 
 public class OvnElement extends AdapterBase implements DhcpServiceProvider, DnsServiceProvider, VpcProvider,
         StaticNatServiceProvider, IpDeployer, PortForwardingServiceProvider, FirewallServiceProvider,
         NetworkACLServiceProvider, LoadBalancingServiceProvider {
 
     private final Map<Network.Service, Map<Network.Capability, String>> capabilities = initCapabilities();
+    private final OvnNbClient ovnNbClient = new OvnNbClient();
+
+    @Inject
+    OvnProviderDao ovnProviderDao;
 
     protected static Map<Network.Service, Map<Network.Capability, String>> initCapabilities() {
         Map<Network.Service, Map<Network.Capability, String>> capabilities = new HashMap<>();
@@ -110,6 +120,20 @@ public Network.Provider getProvider() {
     @Override
     public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
+            OvnProviderVO provider = getProviderForNetwork(network);
+            String logicalSwitchName = getLogicalSwitchName(network);
+            Map<String, String> externalIds = new HashMap<>();
+            externalIds.put("cloudstack_network_id", String.valueOf(network.getId()));
+            externalIds.put("cloudstack_network_uuid", network.getUuid());
+            externalIds.put("cloudstack_zone_id", String.valueOf(network.getDataCenterId()));
+            try {
+                ovnNbClient.createLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
+                        provider.getClientPrivateKeyPath(), logicalSwitchName, externalIds);
+            } catch (CloudRuntimeException e) {
+                throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+            }
+        }
         return true;
     }
 
@@ -127,14 +151,39 @@ public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm
 
     @Override
     public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ConcurrentOperationException, ResourceUnavailableException {
+        if (cleanup && network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
+            destroy(network, context);
+        }
         return true;
     }
 
     @Override
     public boolean destroy(Network network, ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException {
+        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
+            OvnProviderVO provider = getProviderForNetwork(network);
+            try {
+                ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
+                        provider.getClientPrivateKeyPath(), getLogicalSwitchName(network));
+            } catch (CloudRuntimeException e) {
+                throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+            }
+        }
         return true;
     }
 
+    protected OvnProviderVO getProviderForNetwork(Network network) throws ResourceUnavailableException {
+        OvnProviderVO provider = ovnProviderDao.findByZoneId(network.getDataCenterId());
+        if (provider == null) {
+            throw new ResourceUnavailableException(String.format("No OVN provider configured for zone %s", network.getDataCenterId()),
+                    DataCenter.class, network.getDataCenterId());
+        }
+        return provider;
+    }
+
+    protected String getLogicalSwitchName(Network network) {
+        return String.format("cs-net-%d", network.getId());
+    }
+
     @Override
     public boolean isReady(PhysicalNetworkServiceProvider provider) {
         return true;
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
index 4f105595c693..a81b8639322e 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnGuestNetworkGuru.java
@@ -19,6 +19,7 @@
 import com.cloud.dc.DataCenter;
 import com.cloud.deploy.DeploymentPlan;
 import com.cloud.deploy.DeployDestination;
+import com.cloud.exception.InsufficientVirtualNetworkCapacityException;
 import com.cloud.network.Network;
 import com.cloud.network.NetworkMigrationResponder;
 import com.cloud.network.Networks;
@@ -59,10 +60,25 @@ public Network design(NetworkOffering offering, DeploymentPlan plan, Network use
             return null;
         }
         network.setBroadcastDomainType(Networks.BroadcastDomainType.OVN);
-        network.setBroadcastUri(Networks.BroadcastDomainType.OVN.toUri(String.format("cs-net-%d", network.getId())));
+        // Broadcast URI is deferred to implement(); the network has no persisted ID yet here.
         return network;
     }
 
+    @Override
+    public Network implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context)
+            throws InsufficientVirtualNetworkCapacityException {
+        Network implemented = super.implement(network, offering, dest, context);
+        if (implemented == null) {
+            return null;
+        }
+        if (implemented instanceof NetworkVO) {
+            NetworkVO impl = (NetworkVO) implemented;
+            impl.setBroadcastDomainType(Networks.BroadcastDomainType.OVN);
+            impl.setBroadcastUri(Networks.BroadcastDomainType.OVN.toUri(String.format("cs-net-%d", network.getId())));
+        }
+        return implemented;
+    }
+
     @Override
     public boolean prepareMigration(NicProfile nic, Network network, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context) {
         return true;
@@ -70,11 +86,11 @@ public boolean prepareMigration(NicProfile nic, Network network, VirtualMachineP
 
     @Override
     public void rollbackMigration(NicProfile nic, Network network, VirtualMachineProfile vm, ReservationContext src, ReservationContext dst) {
-        // No OVN resources are allocated during migration preparation in Phase 1.
+        // No OVN resources are allocated during migration preparation yet.
     }
 
     @Override
     public void commitMigration(NicProfile nic, Network network, VirtualMachineProfile vm, ReservationContext src, ReservationContext dst) {
-        // No OVN resources are committed on migration in Phase 1.
+        // No OVN resources are committed on migration yet.
     }
 }
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index c6a46b8b55da..6e2d15667b28 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -24,12 +24,25 @@
 import org.opendaylight.ovsdb.lib.OvsdbClient;
 import org.opendaylight.ovsdb.lib.impl.NettyBootstrapFactoryImpl;
 import org.opendaylight.ovsdb.lib.impl.OvsdbConnectionService;
+import org.opendaylight.ovsdb.lib.notation.Row;
+import org.opendaylight.ovsdb.lib.operations.DefaultOperations;
+import org.opendaylight.ovsdb.lib.operations.Insert;
+import org.opendaylight.ovsdb.lib.operations.Operation;
+import org.opendaylight.ovsdb.lib.operations.OperationResult;
+import org.opendaylight.ovsdb.lib.operations.Operations;
+import org.opendaylight.ovsdb.lib.schema.ColumnSchema;
+import org.opendaylight.ovsdb.lib.schema.DatabaseSchema;
+import org.opendaylight.ovsdb.lib.schema.GenericTableSchema;
 
 import javax.annotation.PreDestroy;
 import javax.net.ssl.SSLContext;
 import java.net.InetAddress;
 import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -37,9 +50,11 @@
 public class OvnNbClient {
     protected static final Logger logger = LogManager.getLogger(OvnNbClient.class);
     private static final String NORTHBOUND_DB = "OVN_Northbound";
+    private static final String LOGICAL_SWITCH_TABLE = "Logical_Switch";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
+    private static final Operations OVSDB_OPS = new DefaultOperations();
 
     private final long timeoutMs;
     private NettyBootstrapFactoryImpl bootstrapFactory;
@@ -62,10 +77,138 @@ public boolean isValidConnectionString(String connection) {
 
     /**
      * Opens a transient connection to NB, runs an echo, lists the databases, and disconnects.
-     * Throws on failure — caller treats success as proof that the NB endpoint is reachable
+     * Throws on failure - caller treats success as proof that the NB endpoint is reachable
      * and the supplied credentials/certificates are valid.
      */
     public void verifyConnection(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath) {
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            client.echo().get(timeoutMs, TimeUnit.MILLISECONDS);
+            List<String> dbs = client.getDatabases().get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (dbs == null || !dbs.contains(NORTHBOUND_DB)) {
+                throw new CloudRuntimeException(String.format("OVN endpoint %s did not advertise %s; got %s",
+                        nbConnection, NORTHBOUND_DB, dbs));
+            }
+            logger.debug("OVN NB at {} reachable, databases={}", nbConnection, dbs);
+            return null;
+        });
+    }
+
+    /**
+     * Creates a Logical_Switch with the given name and external_ids in the OVN_Northbound database
+     * exposed at {@code nbConnection}. Idempotent: if a switch with the same name already exists,
+     * the call succeeds without modifying it. Uses the native OVSDB JSON-RPC protocol.
+     */
+    public void createLogicalSwitch(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath, String logicalSwitchName, Map<String, String> externalIds) {
+        if (StringUtils.isBlank(logicalSwitchName)) {
+            throw new CloudRuntimeException("Logical switch name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema ls = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = ls.column("name", String.class);
+
+            if (logicalSwitchExists(client, schema, ls, nameCol, logicalSwitchName)) {
+                logger.debug("Logical_Switch [{}] already exists on {} - skipping create", logicalSwitchName, nbConnection);
+                return null;
+            }
+
+            Insert<GenericTableSchema> insert = OVSDB_OPS.insert(ls)
+                    .value(nameCol, logicalSwitchName);
+            if (externalIds != null && !externalIds.isEmpty()) {
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> extIdsCol = ls.column("external_ids", Map.class);
+                insert = insert.value(extIdsCol, new HashMap<>(externalIds));
+            }
+            List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(insert))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("create Logical_Switch %s", logicalSwitchName));
+            logger.info("Created OVN Logical_Switch [{}] at {}", logicalSwitchName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes a Logical_Switch by name. Idempotent: missing switch is treated as a successful no-op.
+     */
+    public void deleteLogicalSwitch(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath, String logicalSwitchName) {
+        if (StringUtils.isBlank(logicalSwitchName)) {
+            throw new CloudRuntimeException("Logical switch name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema ls = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = ls.column("name", String.class);
+
+            if (!logicalSwitchExists(client, schema, ls, nameCol, logicalSwitchName)) {
+                logger.debug("Logical_Switch [{}] not present on {} - nothing to delete", logicalSwitchName, nbConnection);
+                return null;
+            }
+
+            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(ls)
+                    .where(nameCol.opEqual(logicalSwitchName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete Logical_Switch %s", logicalSwitchName));
+            logger.info("Deleted OVN Logical_Switch [{}] at {}", logicalSwitchName, nbConnection);
+            return null;
+        });
+    }
+
+    private boolean logicalSwitchExists(OvsdbClient client, DatabaseSchema schema,
+                                        GenericTableSchema ls, ColumnSchema<GenericTableSchema, String> nameCol,
+                                        String name) throws Exception {
+        Operation<GenericTableSchema> select = OVSDB_OPS.select(ls)
+                .column(nameCol)
+                .where(nameCol.opEqual(name)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) {
+            return false;
+        }
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select failed for Logical_Switch " + name + ": " + r.getError());
+        }
+        List<Row<GenericTableSchema>> rows = r.getRows();
+        return rows != null && !rows.isEmpty();
+    }
+
+    private static void assertNoError(List<OperationResult> results, String description) {
+        if (results == null) {
+            throw new CloudRuntimeException("OVSDB transact returned no result for " + description);
+        }
+        List<String> errors = new ArrayList<>();
+        for (OperationResult r : results) {
+            if (r != null && r.getError() != null) {
+                errors.add(r.getError() + ": " + r.getDetails());
+            }
+        }
+        if (!errors.isEmpty()) {
+            throw new CloudRuntimeException(String.format("OVSDB %s failed: %s", description, String.join("; ", errors)));
+        }
+    }
+
+    @PreDestroy
+    public synchronized void shutdown() {
+        if (tcpConnectionService != null) {
+            try { tcpConnectionService.close(); } catch (Exception ignored) { }
+            tcpConnectionService = null;
+        }
+        if (bootstrapFactory != null) {
+            try { bootstrapFactory.close(); } catch (Exception ignored) { }
+            bootstrapFactory = null;
+        }
+    }
+
+    @FunctionalInterface
+    private interface NbAction<T> {
+        T call(OvsdbClient client) throws Exception;
+    }
+
+    private <T> T runOn(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath,
+                        NbAction<T> action) {
         Endpoint ep = parse(nbConnection);
         if (ep.scheme == Scheme.UNIX) {
             throw new CloudRuntimeException("Unix-socket OVN connections are not supported by the management server client; use tcp: or ssl:");
@@ -88,17 +231,11 @@ public void verifyConnection(String nbConnection, String caCertPath, String clie
             if (client == null) {
                 throw new CloudRuntimeException(String.format("OVN NB at %s did not accept the connection", nbConnection));
             }
-            client.echo().get(timeoutMs, TimeUnit.MILLISECONDS);
-            List<String> dbs = client.getDatabases().get(timeoutMs, TimeUnit.MILLISECONDS);
-            if (dbs == null || !dbs.contains(NORTHBOUND_DB)) {
-                throw new CloudRuntimeException(String.format("OVN endpoint %s did not advertise %s; got %s",
-                        nbConnection, NORTHBOUND_DB, dbs));
-            }
-            logger.debug("OVN NB at {} reachable, databases={}", nbConnection, dbs);
+            return action.call(client);
         } catch (CloudRuntimeException e) {
             throw e;
         } catch (Exception e) {
-            throw new CloudRuntimeException("Cannot reach OVN NB at " + nbConnection + ": " + e.getMessage(), e);
+            throw new CloudRuntimeException("OVN NB operation against " + nbConnection + " failed: " + e.getMessage(), e);
         } finally {
             if (client != null && service != null) {
                 try { service.disconnect(client); } catch (Exception ignored) { }
@@ -109,18 +246,6 @@ public void verifyConnection(String nbConnection, String caCertPath, String clie
         }
     }
 
-    @PreDestroy
-    public synchronized void shutdown() {
-        if (tcpConnectionService != null) {
-            try { tcpConnectionService.close(); } catch (Exception ignored) { }
-            tcpConnectionService = null;
-        }
-        if (bootstrapFactory != null) {
-            try { bootstrapFactory.close(); } catch (Exception ignored) { }
-            bootstrapFactory = null;
-        }
-    }
-
     private synchronized NettyBootstrapFactoryImpl bootstrapFactory() {
         if (bootstrapFactory == null) {
             bootstrapFactory = new NettyBootstrapFactoryImpl();
diff --git a/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java b/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
index 327b4eb42e52..571afa8d79ed 100644
--- a/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
+++ b/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
@@ -78,7 +78,8 @@ && isMyTrafficType(offering.getTrafficType())
             && offering.getGuestType() == Network.GuestType.Isolated
             && isMyIsolationMethod(physicalNetwork)
             && _ntwkOfferingSrvcDao.areServicesSupportedByNetworkOffering(
-                offering.getId(), Service.Connectivity)) {
+                offering.getId(), Service.Connectivity)
+            && _ntwkOfferingSrvcDao.isProviderForNetworkOffering(offering.getId(), Network.Provider.Ovs)) {
             return true;
         } else if (networkType == NetworkType.Advanced
             && offering.getGuestType() == GuestType.Shared
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index b3da6af21138..b12b1b57fd65 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -120,7 +120,6 @@
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
-import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.StringUtils;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
@@ -1269,7 +1268,7 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         if (VirtualMachine.Type.ConsoleProxy == profile.getVirtualMachine().getType()) {
             buf.append(" vncport=").append(getVncPort(datacenterId));
         }
-        buf.append(" keystore_password=").append(VirtualMachineGuru.getEncodedString(PasswordGenerator.generateRandomPassword(16)));
+        VirtualMachineGuru.appendCertificateDetails(buf, certificate);
 
         if (SystemVmEnableUserData.valueIn(dc.getId())) {
             String userDataUuid = ConsoleProxyVmUserData.valueIn(dc.getId());
@@ -1285,7 +1284,7 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
 
         String bootArgs = buf.toString();
         if (logger.isDebugEnabled()) {
-            logger.debug("Boot Args for " + profile + ": " + bootArgs);
+            logger.debug("Boot Args for " + profile + ": " + bootArgs.replaceAll("(certificate|cacertificate|privatekey|keystore_password)=[^\\s]+", "$1=******"));
         }
 
         return true;
diff --git a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
index 9d4c73111595..7cdd6b2dd51f 100644
--- a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
+++ b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
@@ -137,7 +137,6 @@
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
-import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.GlobalLock;
 import com.cloud.utils.db.QueryBuilder;
@@ -1233,7 +1232,7 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         if (StringUtils.isNotBlank(nfsVersion)) {
             buf.append(" nfsVersion=").append(nfsVersion);
         }
-        buf.append(" keystore_password=").append(VirtualMachineGuru.getEncodedString(PasswordGenerator.generateRandomPassword(16)));
+        VirtualMachineGuru.appendCertificateDetails(buf, certificate);
 
         if (SystemVmEnableUserData.valueIn(dc.getId())) {
             String userDataUuid = SecondaryStorageVmUserData.valueIn(dc.getId());
@@ -1249,7 +1248,8 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
 
         String bootArgs = buf.toString();
         if (logger.isDebugEnabled()) {
-            logger.debug(String.format("Boot args for machine profile [%s]: [%s].", profile.toString(), bootArgs));
+            logger.debug(String.format("Boot args for machine profile [%s]: [%s].", profile.toString(),
+                    bootArgs.replaceAll("(certificate|cacertificate|privatekey|keystore_password)=[^\\s]+", "$1=******")));
         }
 
         boolean useHttpsToUpload = VolumeApiService.UseHttpsToUpload.valueIn(dc.getId());
diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
index f7c071c8cc0e..a6f452fe255f 100755
--- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
@@ -24,6 +24,7 @@ rm -f /var/cache/cloud/enabled_svcs
 rm -f /var/cache/cloud/disabled_svcs
 
 . /lib/lsb/init-functions
+. /opt/cloud/bin/setup/common.sh
 
 log_it() {
   echo "$(date) $@" >> /var/log/cloud.log
@@ -64,16 +65,60 @@ patch_systemvm() {
     echo "Restored keystore file and certs using backup" >> $logfile
   fi
   rm -fr $backupfolder
+
+  setup_agent_keystore || return 1
+
   # Import global cacerts into 'cloud' service's keystore
   keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
   return 0
 }
 
+decode_boot_arg() {
+  printf '%s' "$1" | base64 -d 2>/dev/null | tr '^' '\n' | tr '~' ' '
+}
+
+setup_agent_keystore() {
+  parse_cmd_line
+
+  if [ -z "${KEYSTORE_PSSWD// }" ] || [ -z "${CERTIFICATE// }" ] || [ -z "${CACERTIFICATE// }" ]; then
+    log_it "Skipping agent keystore setup as certificate boot arguments are missing"
+    return 0
+  fi
+
+  local propsfile="/usr/local/cloud/systemvm/conf/agent.properties"
+  local ksfile="/usr/local/cloud/systemvm/conf/cloud.jks"
+  local certfile="/usr/local/cloud/systemvm/conf/cloud.crt"
+  local cacertfile="/usr/local/cloud/systemvm/conf/cloud.ca.crt"
+  local keyfile="/usr/local/cloud/systemvm/conf/cloud.key"
+  local import_script="/usr/local/cloud/systemvm/scripts/util/keystore-cert-import"
+  local ks_pass
+  local cert
+  local cacert
+  local privatekey
+
+  ks_pass=$(decode_boot_arg "$KEYSTORE_PSSWD")
+  cert=$(decode_boot_arg "$CERTIFICATE")
+  cacert=$(decode_boot_arg "$CACERTIFICATE")
+  if [ -n "${PRIVATEKEY// }" ]; then
+    privatekey=$(decode_boot_arg "$PRIVATEKEY")
+  fi
+
+  sed -i "/^keystore.passphrase=/d" "$propsfile"
+  echo "keystore.passphrase=$ks_pass" >> "$propsfile"
+
+  if [ ! -x "$import_script" ]; then
+    log_it "Unable to setup agent keystore, missing $import_script"
+    return 1
+  fi
+
+  "$import_script" "$propsfile" "$ks_pass" "$ksfile" "agent" "$certfile" "$cert" "$cacertfile" "$cacert" "$keyfile" "$privatekey"
+}
+
 patch() {
   local PATCH_MOUNT=/var/cache/cloud/
   local logfile="/var/log/patchsystemvm.log"
 
-  if [ "$TYPE" == "consoleproxy" ] || [ "$TYPE" == "secstorage" ]  && [ -f ${PATCH_MOUNT}/agent.zip ] && [ -f /var/cache/cloud/patch.required ]
+  if { [ "$TYPE" == "consoleproxy" ] || [ "$TYPE" == "secstorage" ]; } && [ -f ${PATCH_MOUNT}/agent.zip ] && [ -f /var/cache/cloud/patch.required ]
   then
     echo "Patching systemvm for cloud service with mount=$PATCH_MOUNT for type=$TYPE" >> $logfile
     patch_systemvm ${PATCH_MOUNT}/agent.zip
diff --git a/systemvm/debian/opt/cloud/bin/setup/cloud-early-config b/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
index ee1e872f627c..8edeb6f896fa 100755
--- a/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
+++ b/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
@@ -109,6 +109,8 @@ cleanup() {
 
 start() {
   log_it "Executing cloud-early-config"
+  exec 9>/var/lock/cloud-early-config.lock
+  flock 9
 
   # Clear /tmp for file lock
   rm -f /tmp/*.lock
diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh b/systemvm/debian/opt/cloud/bin/setup/common.sh
index ef1576ab588c..7484cf8de2b0 100755
--- a/systemvm/debian/opt/cloud/bin/setup/common.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/common.sh
@@ -730,9 +730,9 @@ parse_cmd_line() {
 
   for i in $CMDLINE
     do
-      # search for foo=bar pattern and cut out foo
+      # Search for foo=bar and preserve any additional '=' in encoded values.
       KEY=$(echo $i | cut -d= -f1)
-      VALUE=$(echo $i | cut -d= -f2)
+      VALUE=$(echo $i | cut -d= -f2-)
       echo -en ${COMMA} >> ${CHEF_TMP_FILE}
       # Two lines so values do not accidentally interpretted as escapes!!
       echo -n \"${KEY}\"': '\"${VALUE}\" >> ${CHEF_TMP_FILE}

From 818cf6d09a02797bd2b562b0b68b187f4bf271d0 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Mon, 27 Apr 2026 16:44:20 +0200
Subject: [PATCH 06/33] OVN plugin: expose provider in UI and configuration

---
 .../network/CreatePhysicalNetworkCmd.java     |  2 +-
 .../orchestration/NetworkOrchestrator.java    |  2 +-
 tools/apidoc/gen_toc.py                       |  1 +
 ui/public/locales/en.json                     |  6 +++
 ui/src/config/section/infra/phynetworks.js    |  2 +-
 .../infra/network/ServiceProvidersTab.vue     | 44 +++++++++++++++++++
 .../views/infra/zone/PhysicalNetworksTab.vue  |  2 +-
 .../ZoneWizardPhysicalNetworkSetupStep.vue    |  1 +
 8 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
index 097b8a5b5458..cf913fd2fb46 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
@@ -75,7 +75,7 @@ public class CreatePhysicalNetworkCmd extends BaseAsyncCreateCmd {
     @Parameter(name = ApiConstants.ISOLATION_METHODS,
                type = CommandType.LIST,
                collectionType = CommandType.STRING,
-               description = "The isolation method for the physical Network[VLAN/VXLAN/GRE/STT/BCF_SEGMENT/SSP/ODL/L3VPN/VCS/NSX/NETRIS]")
+               description = "The isolation method for the physical Network[VLAN/VXLAN/GRE/STT/BCF_SEGMENT/SSP/ODL/L3VPN/VCS/NSX/NETRIS/OVN]")
     private List<String> isolationMethods;
 
     @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "The name of the physical Network")
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 7d455e7d6dc9..224357dca655 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -4939,7 +4939,7 @@ public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[]{NetworkGcWait, NetworkGcInterval, NetworkLockTimeout, DeniedRoutes,
                 GuestDomainSuffix, NetworkThrottlingRate, MinVRVersion,
                 PromiscuousMode, MacAddressChanges, ForgedTransmits, MacLearning, RollingRestartEnabled,
-                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN,
+                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, OVN_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN,
                 NETWORK_LB_HAPROXY_IDLE_TIMEOUT};
     }
 }
diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py
index 292f52d809bf..bf30f473b4f2 100644
--- a/tools/apidoc/gen_toc.py
+++ b/tools/apidoc/gen_toc.py
@@ -99,6 +99,7 @@
     'addNsxController': 'NSX',
     'deleteNsxController': 'NSX',
     'NetrisProvider': 'Netris',
+    'OvnProvider': 'OVN',
     'Vpn': 'VPN',
     'Limit': 'Resource Limit',
     'Netscaler': 'Netscaler',
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 4a23b454252a..27acf657aa81 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -1787,6 +1787,12 @@
 "label.nsx.provider.transportzone": "NSX provider transport Zone",
 "label.nsx.supports.internal.lb": "Enable NSX internal LB service",
 "label.nsx.supports.lb": "Enable NSX LB service",
+"label.ovn": "OVN",
+"label.ovn.provider": "OVN Provider",
+"label.ovnnbconnection": "OVN Northbound connection",
+"label.ovnsbconnection": "OVN Southbound connection",
+"label.ovnexternalbridge": "OVN external bridge",
+"label.ovnlocalnetname": "OVN localnet name",
 "label.num.cpu.cores": "# of CPU cores",
 "label.numanode": "NUMA node",
 "label.number": "#Rule",
diff --git a/ui/src/config/section/infra/phynetworks.js b/ui/src/config/section/infra/phynetworks.js
index 0863eff6ec0b..b0dcb61eb30d 100644
--- a/ui/src/config/section/infra/phynetworks.js
+++ b/ui/src/config/section/infra/phynetworks.js
@@ -57,7 +57,7 @@ export default {
       args: ['name', 'zoneid', 'isolationmethods', 'vlan', 'tags', 'networkspeed', 'broadcastdomainrange'],
       mapping: {
         isolationmethods: {
-          options: ['VLAN', 'VXLAN', 'GRE', 'STT', 'BCF_SEGMENT', 'SSP', 'ODL', 'L3VPN', 'VCS', 'NSX', 'NETRIS']
+          options: ['VLAN', 'VXLAN', 'GRE', 'STT', 'BCF_SEGMENT', 'SSP', 'ODL', 'L3VPN', 'VCS', 'NSX', 'NETRIS', 'OVN']
         }
       }
     },
diff --git a/ui/src/views/infra/network/ServiceProvidersTab.vue b/ui/src/views/infra/network/ServiceProvidersTab.vue
index f659ce1f0167..bc48793a275c 100644
--- a/ui/src/views/infra/network/ServiceProvidersTab.vue
+++ b/ui/src/views/infra/network/ServiceProvidersTab.vue
@@ -1113,6 +1113,50 @@ export default {
               columns: ['name', 'netrisurl', 'site', 'tenantname', 'netristag']
             }
           ]
+        },
+        {
+          title: 'Ovn',
+          details: ['name', 'state', 'id', 'physicalnetworkid', 'servicelist'],
+          actions: [
+            {
+              api: 'updateNetworkServiceProvider',
+              icon: 'stop-outlined',
+              listView: true,
+              label: 'label.disable.provider',
+              confirm: 'message.confirm.disable.provider',
+              show: (record) => { return (record && record.id && record.state === 'Enabled') },
+              mapping: {
+                state: {
+                  value: (record) => { return 'Disabled' }
+                }
+              }
+            },
+            {
+              api: 'updateNetworkServiceProvider',
+              icon: 'play-circle-outlined',
+              listView: true,
+              label: 'label.enable.provider',
+              confirm: 'message.confirm.enable.provider',
+              show: (record) => { return (record && record.id && record.state === 'Disabled') },
+              mapping: {
+                state: {
+                  value: (record) => { return 'Enabled' }
+                }
+              }
+            }
+          ],
+          lists: [
+            {
+              title: 'label.ovn.provider',
+              api: 'listOvnProviders',
+              mapping: {
+                zoneid: {
+                  value: (record) => { return record.zoneid }
+                }
+              },
+              columns: ['name', 'ovnnbconnection', 'ovnsbconnection', 'ovnexternalbridge', 'ovnlocalnetname']
+            }
+          ]
         }
       ]
     }
diff --git a/ui/src/views/infra/zone/PhysicalNetworksTab.vue b/ui/src/views/infra/zone/PhysicalNetworksTab.vue
index cccb8719805f..387a7ea8bf98 100644
--- a/ui/src/views/infra/zone/PhysicalNetworksTab.vue
+++ b/ui/src/views/infra/zone/PhysicalNetworksTab.vue
@@ -200,7 +200,7 @@ export default {
   },
   computed: {
     isolationMethods () {
-      return ['VLAN', 'VXLAN', 'GRE', 'STT', 'BCF_SEGMENT', 'SSP', 'ODL', 'L3VPN', 'VCS', 'NSX', 'NETRIS']
+      return ['VLAN', 'VXLAN', 'GRE', 'STT', 'BCF_SEGMENT', 'SSP', 'ODL', 'L3VPN', 'VCS', 'NSX', 'NETRIS', 'OVN']
     }
   },
   methods: {
diff --git a/ui/src/views/infra/zone/ZoneWizardPhysicalNetworkSetupStep.vue b/ui/src/views/infra/zone/ZoneWizardPhysicalNetworkSetupStep.vue
index 88f681de3796..9e5df5e3baa6 100644
--- a/ui/src/views/infra/zone/ZoneWizardPhysicalNetworkSetupStep.vue
+++ b/ui/src/views/infra/zone/ZoneWizardPhysicalNetworkSetupStep.vue
@@ -68,6 +68,7 @@
             <a-select-option value="TF"> TF </a-select-option>
             <a-select-option v-if="hypervisor === 'VMware'" value="NSX"> NSX </a-select-option>
             <a-select-option v-if="hypervisor === 'KVM'" value="Netris"> NETRIS </a-select-option>
+            <a-select-option v-if="hypervisor === 'KVM'" value="OVN"> OVN </a-select-option>
 
             <template #suffixIcon>
               <a-tooltip

From 2e8c8a69ad4f8dfb550d61e06c09c0b371780797 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 13:54:29 +0200
Subject: [PATCH 07/33] OVN plugin: bind VM NICs to logical switches via OVSDB
 LSPs

OvnElement.prepare/release now creates and removes a Logical_Switch_Port in
the OVN Northbound database for every NIC plugged into an OVN-broadcast
network. The LSP carries the NIC's MAC and IPv4 in both addresses and
port_security and is named after the NIC UUID; OvnNbClient performs the
insert+mutate transaction natively over OVSDB JSON-RPC and is idempotent on
both ends.

OvsVifDriver picks up a new BroadcastDomainType.OVN branch that drops the
NIC tap on the OVN integration bridge and stamps external_ids:iface-id
with the same NIC UUID, which is what ovn-controller looks up to bind the
local OVS port to the LSP. End to end the VM now appears under the
correct chassis in ovn-sbctl show and traffic is plumbed through OVN.
---
 .../hypervisor/kvm/resource/OvsVifDriver.java |   8 +
 .../apache/cloudstack/service/OvnElement.java |  38 +++++
 .../cloudstack/service/OvnNbClient.java       | 152 ++++++++++++++++++
 3 files changed, 198 insertions(+)

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/OvsVifDriver.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/OvsVifDriver.java
index 4c0482c5384f..736059457558 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/OvsVifDriver.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/OvsVifDriver.java
@@ -150,6 +150,14 @@ public InterfaceDef plug(NicTO nic, String guestOsType, String nicAdapter, Map<S
                 intf.setVirtualPortInterfaceId(nic.getUuid());
                 String brName = (trafficLabel != null && !trafficLabel.isEmpty()) ? _pifs.get(trafficLabel) : _pifs.get("private");
                 intf.defBridgeNet(brName, null, nic.getMac(), getGuestNicModel(guestOsType, nicAdapter), networkRateKBps);
+            } else if (nic.getBroadcastType() == Networks.BroadcastDomainType.OVN) {
+                // OVN integration bridge attachment: ovn-controller binds the OVS port to the
+                // Logical_Switch_Port whose name equals external_ids:iface-id. Use the NIC UUID,
+                // matching the LSP name chosen by OvnElement.getLogicalSwitchPortName.
+                String brName = (trafficLabel != null && !trafficLabel.isEmpty()) ? _pifs.get(trafficLabel) : _bridges.get("guest");
+                logger.debug("nic " + nic + " needs to be connected to OVN integration bridge " + brName);
+                intf.setVirtualPortInterfaceId(nic.getUuid());
+                intf.defBridgeNet(brName, null, nic.getMac(), getGuestNicModel(guestOsType, nicAdapter), networkRateKBps);
             } else if (nic.getBroadcastType() == Networks.BroadcastDomainType.Vswitch) {
                 String brName = getOvsTunnelNetworkName(nic.getBroadcastUri().getAuthority());
                 logger.debug("nic " + nic + " needs to be connected to Open vSwitch bridge " + brName);
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 6fe6b0023074..03791c357d49 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -140,15 +140,53 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
     @Override
     public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
+            OvnProviderVO provider = getProviderForNetwork(network);
+            String lsName = getLogicalSwitchName(network);
+            String lspName = getLogicalSwitchPortName(nic);
+            Map<String, String> externalIds = new HashMap<>();
+            externalIds.put("cloudstack_nic_id", String.valueOf(nic.getId()));
+            externalIds.put("cloudstack_nic_uuid", nic.getUuid());
+            externalIds.put("cloudstack_vm_id", String.valueOf(vm.getId()));
+            externalIds.put("cloudstack_vm_uuid", vm.getUuid());
+            try {
+                ovnNbClient.createLogicalSwitchPort(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        lsName, lspName, nic.getMacAddress(), nic.getIPv4Address(), externalIds);
+            } catch (CloudRuntimeException e) {
+                throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+            }
+        }
         return true;
     }
 
     @Override
     public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException {
+        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
+            OvnProviderVO provider = getProviderForNetwork(network);
+            String lsName = getLogicalSwitchName(network);
+            String lspName = getLogicalSwitchPortName(nic);
+            try {
+                ovnNbClient.deleteLogicalSwitchPort(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        lsName, lspName);
+            } catch (CloudRuntimeException e) {
+                throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+            }
+        }
         return true;
     }
 
+    /**
+     * Returns the OVN Logical_Switch_Port name for the given NIC. Must match the value the KVM
+     * agent stamps as {@code external_ids:iface-id} on the OVS port — see {@code OvsVifDriver}'s
+     * OVN branch which uses {@link com.cloud.agent.api.to.NicTO#getUuid()} for the same purpose.
+     */
+    protected String getLogicalSwitchPortName(NicProfile nic) {
+        return nic.getUuid();
+    }
+
     @Override
     public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ConcurrentOperationException, ResourceUnavailableException {
         if (cleanup && network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 6e2d15667b28..5ed9c8903077 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -24,7 +24,9 @@
 import org.opendaylight.ovsdb.lib.OvsdbClient;
 import org.opendaylight.ovsdb.lib.impl.NettyBootstrapFactoryImpl;
 import org.opendaylight.ovsdb.lib.impl.OvsdbConnectionService;
+import org.opendaylight.ovsdb.lib.notation.Mutator;
 import org.opendaylight.ovsdb.lib.notation.Row;
+import org.opendaylight.ovsdb.lib.notation.UUID;
 import org.opendaylight.ovsdb.lib.operations.DefaultOperations;
 import org.opendaylight.ovsdb.lib.operations.Insert;
 import org.opendaylight.ovsdb.lib.operations.Operation;
@@ -39,10 +41,12 @@
 import java.net.InetAddress;
 import java.security.KeyStore;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -51,6 +55,7 @@ public class OvnNbClient {
     protected static final Logger logger = LogManager.getLogger(OvnNbClient.class);
     private static final String NORTHBOUND_DB = "OVN_Northbound";
     private static final String LOGICAL_SWITCH_TABLE = "Logical_Switch";
+    private static final String LOGICAL_SWITCH_PORT_TABLE = "Logical_Switch_Port";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -156,6 +161,153 @@ public void deleteLogicalSwitch(String nbConnection, String caCertPath, String c
         });
     }
 
+    /**
+     * Creates a Logical_Switch_Port on the named Logical_Switch and binds it.
+     * The LSP {@code addresses} and {@code port_security} columns are seeded with the supplied
+     * MAC and (optional) IPv4. Idempotent: if an LSP with the same name already exists in the NB
+     * database, the call succeeds without modifying the row. The {@code iface-id} that ovn-controller
+     * looks for on the local OVS port should match {@code lspName}.
+     */
+    public void createLogicalSwitchPort(String nbConnection, String caCertPath, String clientCertPath,
+                                        String clientPrivateKeyPath,
+                                        String logicalSwitchName, String lspName,
+                                        String mac, String ipv4, Map<String, String> externalIds) {
+        if (StringUtils.isBlank(logicalSwitchName) || StringUtils.isBlank(lspName)) {
+            throw new CloudRuntimeException("Logical switch / port name is blank");
+        }
+        if (StringUtils.isBlank(mac)) {
+            throw new CloudRuntimeException("MAC is required for Logical_Switch_Port " + lspName);
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+
+            if (logicalSwitchPortExists(client, schema, lspTable, lspNameCol, lspName)) {
+                logger.debug("Logical_Switch_Port [{}] already exists on {} - skipping create", lspName, nbConnection);
+                return null;
+            }
+
+            String addressEntry = StringUtils.isNotBlank(ipv4) ? mac + " " + ipv4 : mac;
+            ColumnSchema<GenericTableSchema, Set<String>> addressesCol = lspTable.multiValuedColumn("addresses", String.class);
+            ColumnSchema<GenericTableSchema, Set<String>> portSecCol = lspTable.multiValuedColumn("port_security", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> portsCol = lsTable.multiValuedColumn("ports", UUID.class);
+
+            String namedUuid = "newlsp";
+            Insert<GenericTableSchema> insertLsp = OVSDB_OPS.insert(lspTable)
+                    .withId(namedUuid)
+                    .value(lspNameCol, lspName)
+                    .value(addressesCol, Collections.singleton(addressEntry))
+                    .value(portSecCol, Collections.singleton(addressEntry));
+            if (externalIds != null && !externalIds.isEmpty()) {
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> extIdsCol = lspTable.column("external_ids", Map.class);
+                insertLsp = insertLsp.value(extIdsCol, new HashMap<>(externalIds));
+            }
+
+            UUID lspRef = new UUID(namedUuid);
+            Operation<GenericTableSchema> mutateLs = OVSDB_OPS.mutate(lsTable)
+                    .addMutation(portsCol, Mutator.INSERT, Collections.singleton(lspRef))
+                    .where(lsNameCol.opEqual(logicalSwitchName)).build();
+
+            List<OperationResult> results = client.transact(schema,
+                            Arrays.<Operation>asList(insertLsp, mutateLs))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("create Logical_Switch_Port %s on %s", lspName, logicalSwitchName));
+            logger.info("Created OVN Logical_Switch_Port [{}] on Logical_Switch [{}] at {}",
+                    lspName, logicalSwitchName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes a Logical_Switch_Port by name and detaches it from its parent Logical_Switch.
+     * Idempotent: missing LSP is treated as a successful no-op.
+     */
+    public void deleteLogicalSwitchPort(String nbConnection, String caCertPath, String clientCertPath,
+                                        String clientPrivateKeyPath,
+                                        String logicalSwitchName, String lspName) {
+        if (StringUtils.isBlank(lspName)) {
+            throw new CloudRuntimeException("Logical_Switch_Port name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+
+            UUID lspUuid = findLspUuid(client, schema, lspTable, lspNameCol, lspName);
+            if (lspUuid == null) {
+                logger.debug("Logical_Switch_Port [{}] not present on {} - nothing to delete", lspName, nbConnection);
+                return null;
+            }
+
+            ColumnSchema<GenericTableSchema, Set<UUID>> portsCol = lsTable.multiValuedColumn("ports", UUID.class);
+
+            List<Operation> ops = new ArrayList<>();
+            if (StringUtils.isNotBlank(logicalSwitchName)) {
+                ops.add(OVSDB_OPS.mutate(lsTable)
+                        .addMutation(portsCol, Mutator.DELETE, Collections.singleton(lspUuid))
+                        .where(lsNameCol.opEqual(logicalSwitchName)).build());
+            }
+            ops.add(OVSDB_OPS.delete(lspTable)
+                    .where(lspNameCol.opEqual(lspName)).build());
+
+            List<OperationResult> results = client.transact(schema, ops)
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete Logical_Switch_Port %s", lspName));
+            logger.info("Deleted OVN Logical_Switch_Port [{}] at {}", lspName, nbConnection);
+            return null;
+        });
+    }
+
+    private boolean logicalSwitchPortExists(OvsdbClient client, DatabaseSchema schema,
+                                            GenericTableSchema lspTable,
+                                            ColumnSchema<GenericTableSchema, String> nameCol,
+                                            String name) throws Exception {
+        Operation<GenericTableSchema> select = OVSDB_OPS.select(lspTable)
+                .column(nameCol)
+                .where(nameCol.opEqual(name)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) {
+            return false;
+        }
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select failed for Logical_Switch_Port " + name + ": " + r.getError());
+        }
+        List<Row<GenericTableSchema>> rows = r.getRows();
+        return rows != null && !rows.isEmpty();
+    }
+
+    private UUID findLspUuid(OvsdbClient client, DatabaseSchema schema,
+                             GenericTableSchema lspTable,
+                             ColumnSchema<GenericTableSchema, String> nameCol,
+                             String name) throws Exception {
+        ColumnSchema<GenericTableSchema, UUID> uuidCol = lspTable.column("_uuid", UUID.class);
+        Operation<GenericTableSchema> select = OVSDB_OPS.select(lspTable)
+                .column(uuidCol)
+                .where(nameCol.opEqual(name)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) {
+            return null;
+        }
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select failed for LSP _uuid lookup " + name + ": " + r.getError());
+        }
+        List<Row<GenericTableSchema>> rows = r.getRows();
+        if (rows == null || rows.isEmpty()) {
+            return null;
+        }
+        return rows.get(0).getColumn(uuidCol).getData();
+    }
+
     private boolean logicalSwitchExists(OvsdbClient client, DatabaseSchema schema,
                                         GenericTableSchema ls, ColumnSchema<GenericTableSchema, String> nameCol,
                                         String name) throws Exception {

From 5d4685280c857fce730680cb9881bbaa3c39d8d4 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 14:07:20 +0200
Subject: [PATCH 08/33] OVN plugin: serve DHCPv4 from OVN itself via
 DHCP_Options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OvnElement.implement now seeds a DHCP_Options row whose cidr/router/dns
mirror the CloudStack network and tags it with cloudstack_network_id in
external_ids; OvnElement.prepare links each new Logical_Switch_Port to
that row through dhcpv4_options so ovn-controller answers DHCP DISCOVER
locally instead of leaking the request out of the integration bridge.
The row is removed in destroy along with the Logical_Switch.

OvnNbClient grows three native OVSDB helpers — createDhcpOptions (idempotent
via external_ids lookup), deleteDhcpOptions, setLspDhcpv4Options — that
shape the JSON-RPC transactions for these flows. Verified end to end with
ovn-trace: a DHCPDISCOVER from a VM LSP triggers put_dhcp_opts with the
expected offerip/lease_time/mtu/router/server_id and an OFFER reply with
the per-network server_mac.
---
 .../apache/cloudstack/service/OvnElement.java |  55 +++++++
 .../cloudstack/service/OvnNbClient.java       | 134 ++++++++++++++++++
 2 files changed, 189 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 03791c357d49..4b052a4bfdbb 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -130,6 +130,7 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
             try {
                 ovnNbClient.createLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), logicalSwitchName, externalIds);
+                createDhcpOptionsForNetwork(provider, network);
             } catch (CloudRuntimeException e) {
                 throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
             }
@@ -153,6 +154,12 @@ public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm
                 ovnNbClient.createLogicalSwitchPort(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                         lsName, lspName, nic.getMacAddress(), nic.getIPv4Address(), externalIds);
+                String dhcpUuid = createDhcpOptionsForNetwork(provider, network);
+                if (dhcpUuid != null && nic.getIPv4Address() != null) {
+                    ovnNbClient.setLspDhcpv4Options(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            lspName, dhcpUuid);
+                }
             } catch (CloudRuntimeException e) {
                 throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
             }
@@ -160,6 +167,52 @@ public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm
         return true;
     }
 
+    /**
+     * Idempotently creates the DHCP_Options row for an OVN-backed Network. Returns the UUID, or null
+     * when the network has no IPv4 CIDR (in which case there is nothing to serve via OVN DHCP).
+     */
+    protected String createDhcpOptionsForNetwork(OvnProviderVO provider, Network network) {
+        String cidr = network.getCidr();
+        if (cidr == null || cidr.isEmpty()) {
+            return null;
+        }
+        String gateway = network.getGateway();
+        Map<String, String> options = new HashMap<>();
+        if (gateway != null && !gateway.isEmpty()) {
+            options.put("server_id", gateway);
+            options.put("router", gateway);
+        }
+        // server_mac just needs to be a stable, locally administered MAC unique within this LS.
+        options.put("server_mac", buildServerMac(network.getId()));
+        options.put("lease_time", "86400");
+        options.put("mtu", "1442");
+        StringBuilder dns = new StringBuilder("{");
+        if (network.getDns1() != null && !network.getDns1().isEmpty()) {
+            dns.append(network.getDns1());
+        }
+        if (network.getDns2() != null && !network.getDns2().isEmpty()) {
+            if (dns.length() > 1) dns.append(",");
+            dns.append(network.getDns2());
+        }
+        dns.append("}");
+        if (dns.length() > 2) {
+            options.put("dns_server", dns.toString());
+        }
+        Map<String, String> externalIds = new HashMap<>();
+        externalIds.put("cloudstack_network_id", String.valueOf(network.getId()));
+        externalIds.put("cloudstack_network_uuid", network.getUuid());
+        return ovnNbClient.createDhcpOptions(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                cidr, options, externalIds);
+    }
+
+    private static String buildServerMac(long networkId) {
+        return String.format("fa:16:3e:%02x:%02x:%02x",
+                (int) ((networkId >> 16) & 0xff),
+                (int) ((networkId >> 8) & 0xff),
+                (int) (networkId & 0xff));
+    }
+
     @Override
     public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException {
@@ -200,6 +253,8 @@ public boolean destroy(Network network, ReservationContext context) throws Concu
         if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
             OvnProviderVO provider = getProviderForNetwork(network);
             try {
+                ovnNbClient.deleteDhcpOptions(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
+                        provider.getClientPrivateKeyPath(), String.valueOf(network.getId()));
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), getLogicalSwitchName(network));
             } catch (CloudRuntimeException e) {
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 5ed9c8903077..1eb684947d1e 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -56,6 +56,7 @@ public class OvnNbClient {
     private static final String NORTHBOUND_DB = "OVN_Northbound";
     private static final String LOGICAL_SWITCH_TABLE = "Logical_Switch";
     private static final String LOGICAL_SWITCH_PORT_TABLE = "Logical_Switch_Port";
+    private static final String DHCP_OPTIONS_TABLE = "DHCP_Options";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -308,6 +309,139 @@ private UUID findLspUuid(OvsdbClient client, DatabaseSchema schema,
         return rows.get(0).getColumn(uuidCol).getData();
     }
 
+    /**
+     * Creates (or returns the UUID of an existing) DHCP_Options row identified by
+     * {@code external_ids:cloudstack_network_id}. Idempotent: if a row already matches the
+     * external_ids tag for this network, no new row is created and the existing UUID is returned.
+     */
+    public String createDhcpOptions(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath,
+                                    String cidr, Map<String, String> options, Map<String, String> externalIds) {
+        if (StringUtils.isBlank(cidr)) {
+            throw new CloudRuntimeException("DHCP_Options cidr is blank");
+        }
+        if (externalIds == null || !externalIds.containsKey("cloudstack_network_id")) {
+            throw new CloudRuntimeException("DHCP_Options external_ids must include cloudstack_network_id");
+        }
+        final String networkId = externalIds.get("cloudstack_network_id");
+        return runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema dhcpTable = schema.table(DHCP_OPTIONS_TABLE, GenericTableSchema.class);
+
+            UUID existing = findDhcpOptionsByNetworkId(client, schema, dhcpTable, networkId);
+            if (existing != null) {
+                logger.debug("DHCP_Options for network [{}] already exists ({}) on {} - skipping create",
+                        networkId, existing, nbConnection);
+                return existing.toString();
+            }
+
+            ColumnSchema<GenericTableSchema, String> cidrCol = dhcpTable.column("cidr", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> optionsCol = dhcpTable.column("options", Map.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> extIdsCol = dhcpTable.column("external_ids", Map.class);
+
+            String namedUuid = "newdhcp";
+            Insert<GenericTableSchema> insert = OVSDB_OPS.insert(dhcpTable)
+                    .withId(namedUuid)
+                    .value(cidrCol, cidr)
+                    .value(extIdsCol, new HashMap<>(externalIds));
+            if (options != null && !options.isEmpty()) {
+                insert = insert.value(optionsCol, new HashMap<>(options));
+            }
+            List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(insert))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("create DHCP_Options for network %s", networkId));
+            UUID created = results.get(0).getUuid();
+            logger.info("Created OVN DHCP_Options [{}] for network [{}] cidr=[{}] at {}",
+                    created, networkId, cidr, nbConnection);
+            return created != null ? created.toString() : null;
+        });
+    }
+
+    /**
+     * Removes the DHCP_Options row tagged with {@code external_ids:cloudstack_network_id=networkId}.
+     * Idempotent: missing row is a no-op.
+     */
+    public void deleteDhcpOptions(String nbConnection, String caCertPath, String clientCertPath,
+                                  String clientPrivateKeyPath, String networkId) {
+        if (StringUtils.isBlank(networkId)) {
+            throw new CloudRuntimeException("Network id is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema dhcpTable = schema.table(DHCP_OPTIONS_TABLE, GenericTableSchema.class);
+            UUID existing = findDhcpOptionsByNetworkId(client, schema, dhcpTable, networkId);
+            if (existing == null) {
+                logger.debug("DHCP_Options for network [{}] not present on {} - nothing to delete",
+                        networkId, nbConnection);
+                return null;
+            }
+            ColumnSchema<GenericTableSchema, UUID> uuidCol = dhcpTable.column("_uuid", UUID.class);
+            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(dhcpTable)
+                    .where(uuidCol.opEqual(existing)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete DHCP_Options for network %s", networkId));
+            logger.info("Deleted OVN DHCP_Options [{}] for network [{}] at {}", existing, networkId, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Sets the {@code dhcpv4_options} reference of a Logical_Switch_Port to the given DHCP_Options UUID,
+     * causing ovn-controller to answer DHCPv4 requests on that port from the DHCP_Options row.
+     */
+    public void setLspDhcpv4Options(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath, String lspName, String dhcpOptionsUuid) {
+        if (StringUtils.isBlank(lspName) || StringUtils.isBlank(dhcpOptionsUuid)) {
+            throw new CloudRuntimeException("LSP name or DHCP_Options uuid is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> dhcpCol = lspTable.multiValuedColumn("dhcpv4_options", UUID.class);
+
+            UUID dhcpRef = new UUID(dhcpOptionsUuid);
+            Operation<GenericTableSchema> update = OVSDB_OPS.update(lspTable)
+                    .set(dhcpCol, Collections.singleton(dhcpRef))
+                    .where(lspNameCol.opEqual(lspName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(update))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("set dhcpv4_options=%s on LSP %s", dhcpOptionsUuid, lspName));
+            logger.debug("Set dhcpv4_options=[{}] on Logical_Switch_Port [{}] at {}", dhcpOptionsUuid, lspName, nbConnection);
+            return null;
+        });
+    }
+
+    private UUID findDhcpOptionsByNetworkId(OvsdbClient client, DatabaseSchema schema,
+                                            GenericTableSchema dhcpTable, String networkId) throws Exception {
+        ColumnSchema<GenericTableSchema, UUID> uuidCol = dhcpTable.column("_uuid", UUID.class);
+        // Native OVSDB conditions on map values are awkward via the ODL operations API, so we
+        // pull every DHCP_Options row's external_ids and filter client-side. The DHCP_Options
+        // table is small enough that this is acceptable.
+        @SuppressWarnings({"rawtypes", "unchecked"})
+        ColumnSchema<GenericTableSchema, Map> extIdsCol = dhcpTable.column("external_ids", Map.class);
+        Operation<GenericTableSchema> selectAll = OVSDB_OPS.select(dhcpTable).column(uuidCol).column(extIdsCol);
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(selectAll))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) return null;
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select on DHCP_Options failed: " + r.getError());
+        }
+        if (r.getRows() == null) return null;
+        for (Row<GenericTableSchema> row : r.getRows()) {
+            @SuppressWarnings("unchecked")
+            Map<String, String> ext = (Map<String, String>) row.getColumn(extIdsCol).getData();
+            if (ext != null && networkId.equals(ext.get("cloudstack_network_id"))) {
+                return row.getColumn(uuidCol).getData();
+            }
+        }
+        return null;
+    }
+
     private boolean logicalSwitchExists(OvsdbClient client, DatabaseSchema schema,
                                         GenericTableSchema ls, ColumnSchema<GenericTableSchema, String> nameCol,
                                         String name) throws Exception {

From 7aea0b57fd35001afc746954092201f003c8a61d Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 14:25:59 +0200
Subject: [PATCH 09/33] OVN plugin: provision per-network L3 router with source
 NAT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OvnElement.implement now provisions the full external attachment for an
isolated guest network:

  * a Logical_Router (cs-router-<id>) with a guest LRP at the network
    gateway and a public LRP carrying the source-NAT public IP;
  * a public-side Logical_Switch (cs-pub-<id>) with a localnet port
    bound to the operator-supplied physical network so traffic can leave
    via br-ex;
  * a snat NAT row mapping the guest CIDR to the public IP;
  * a default Logical_Router_Static_Route to the VLAN gateway so OVN
    knows where to ARP next-hops.

The trigger fires from implement() instead of waiting for
applyIpAssociations because no port-forwarding/static-NAT rule is
required for source-NAT alone — Netris does the same. ovn-trace
confirms a packet from the VM toward 8.8.8.8 is rewritten with the
public IP, switched out the LR's external port and ARPs the VLAN
gateway.

OvnNbClient grows native OVSDB helpers for Logical_Router,
Logical_Router_Port (with a paired router-type LSP via
attachRouterToSwitch), localnet LSP, NAT and Logical_Router_Static_Route.
---
 .../apache/cloudstack/service/OvnElement.java | 191 ++++++++++
 .../cloudstack/service/OvnNbClient.java       | 343 ++++++++++++++++++
 2 files changed, 534 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 4b052a4bfdbb..03fd4b47ad05 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -33,6 +33,10 @@
 import com.cloud.network.element.IpDeployer;
 import com.cloud.network.element.LoadBalancingServiceProvider;
 import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.dc.VlanVO;
+import com.cloud.dc.dao.VlanDao;
+import com.cloud.network.dao.IPAddressDao;
+import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.OvnProviderDao;
 import com.cloud.network.element.OvnProviderVO;
 import com.cloud.network.element.PortForwardingServiceProvider;
@@ -70,6 +74,12 @@ public class OvnElement extends AdapterBase implements DhcpServiceProvider, DnsS
     @Inject
     OvnProviderDao ovnProviderDao;
 
+    @Inject
+    IPAddressDao ipAddressDao;
+
+    @Inject
+    VlanDao vlanDao;
+
     protected static Map<Network.Service, Map<Network.Capability, String>> initCapabilities() {
         Map<Network.Service, Map<Network.Capability, String>> capabilities = new HashMap<>();
 
@@ -131,6 +141,8 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
                 ovnNbClient.createLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), logicalSwitchName, externalIds);
                 createDhcpOptionsForNetwork(provider, network);
+                createRouterAndAttachToGuest(provider, network);
+                applySourceNatForNetwork(provider, network);
             } catch (CloudRuntimeException e) {
                 throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
             }
@@ -213,6 +225,114 @@ private static String buildServerMac(long networkId) {
                 (int) (networkId & 0xff));
     }
 
+    /** Returns the OVN Logical_Router name owning the network's tenant routing. */
+    protected String getLogicalRouterName(Network network) {
+        return String.format("cs-router-%d", network.getId());
+    }
+
+    /** Returns the auxiliary public-side Logical_Switch that fronts the LR's external port. */
+    protected String getPublicLogicalSwitchName(Network network) {
+        return String.format("cs-pub-%d", network.getId());
+    }
+
+    /**
+     * Creates the LR for the network and wires it to the guest Logical_Switch with an internal-only
+     * router port whose IP is the network gateway. External attachment / NAT rules are added later
+     * in {@link #applyIps(Network, java.util.List, java.util.Set)} when CloudStack provisions a
+     * source NAT IP for the network.
+     */
+    protected void createRouterAndAttachToGuest(OvnProviderVO provider, Network network) {
+        if (network.getCidr() == null || network.getGateway() == null) {
+            return;
+        }
+        String routerName = getLogicalRouterName(network);
+        Map<String, String> lrExternalIds = new HashMap<>();
+        lrExternalIds.put("cloudstack_network_id", String.valueOf(network.getId()));
+        lrExternalIds.put("cloudstack_network_uuid", network.getUuid());
+        lrExternalIds.put("cloudstack_zone_id", String.valueOf(network.getDataCenterId()));
+        ovnNbClient.createLogicalRouter(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, lrExternalIds);
+        String prefix = network.getCidr().contains("/")
+                ? network.getCidr().substring(network.getCidr().indexOf('/'))
+                : "/24";
+        String lrpNetwork = network.getGateway() + prefix;
+        ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, getLogicalSwitchName(network),
+                "lrp-" + getLogicalSwitchName(network), buildRouterMac(network.getId(), false),
+                java.util.Collections.singletonList(lrpNetwork));
+    }
+
+    private static String buildRouterMac(long networkId, boolean external) {
+        return String.format("fa:16:3e:%02x:%02x:%02x",
+                external ? 0xfe : 0xfd,
+                (int) ((networkId >> 8) & 0xff),
+                (int) (networkId & 0xff));
+    }
+
+    /**
+     * Looks up CloudStack-allocated source NAT public IPs for the network and provisions the
+     * full external attachment (public LS + localnet port + LR external port + snat rule) for
+     * each. Idempotent: re-running on an already-provisioned LR is a no-op.
+     */
+    protected void applySourceNatForNetwork(OvnProviderVO provider, Network network) {
+        if (network.getCidr() == null) {
+            return;
+        }
+        List<IPAddressVO> ips = ipAddressDao.listByAssociatedNetwork(network.getId(), true);
+        if (ips == null || ips.isEmpty()) {
+            return;
+        }
+        String routerName = getLogicalRouterName(network);
+        String publicLs = getPublicLogicalSwitchName(network);
+        String localnet = provider.getLocalnetName();
+        String externalBridge = provider.getExternalBridge();
+        String guestCidr = network.getCidr();
+        for (IPAddressVO ipVo : ips) {
+            if (!ipVo.isSourceNat() || ipVo.getAddress() == null) {
+                continue;
+            }
+            String externalIp = ipVo.getAddress().addr();
+            VlanVO vlan = vlanDao.findById(ipVo.getVlanId());
+            String netmask = vlan != null && vlan.getVlanNetmask() != null ? vlan.getVlanNetmask() : "255.255.240.0";
+            String externalGateway = vlan != null ? vlan.getVlanGateway() : null;
+            Integer vlanTag = null;
+            if (vlan != null && vlan.getVlanTag() != null && !"untagged".equalsIgnoreCase(vlan.getVlanTag())) {
+                String tagPart = vlan.getVlanTag().replaceAll("^vlan://", "");
+                try { vlanTag = Integer.parseInt(tagPart); } catch (NumberFormatException ignored) { }
+            }
+            // VlanVO is fetched lazily in DAO; for now we let CloudStack stamp the localnet port
+            // without a vlan (admin can override via the localnet on br-ex if needed).
+            Map<String, String> publicLsExt = new HashMap<>();
+            publicLsExt.put("cloudstack_network_id", String.valueOf(network.getId()));
+            publicLsExt.put("cloudstack_role", "public");
+            ovnNbClient.createLogicalSwitch(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs, publicLsExt);
+            ovnNbClient.addLocalnetPort(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs, "ln-" + publicLs, localnet != null ? localnet : externalBridge, vlanTag);
+            String prefix = "/" + maskToPrefix(netmask != null ? netmask : "255.255.240.0");
+            ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName, publicLs,
+                    "lrp-" + publicLs, buildRouterMac(network.getId(), true),
+                    java.util.Collections.singletonList(externalIp + prefix));
+            Map<String, String> natExt = new HashMap<>();
+            natExt.put("cloudstack_network_id", String.valueOf(network.getId()));
+            natExt.put("cloudstack_nat_kind", "source");
+            ovnNbClient.addNatRule(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName, "snat", externalIp, guestCidr, natExt);
+            if (externalGateway != null && !externalGateway.isEmpty()) {
+                ovnNbClient.addStaticRoute(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        routerName, "0.0.0.0/0", externalGateway);
+            }
+        }
+    }
+
     @Override
     public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException {
@@ -253,6 +373,10 @@ public boolean destroy(Network network, ReservationContext context) throws Concu
         if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
             OvnProviderVO provider = getProviderForNetwork(network);
             try {
+                ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
+                        provider.getClientPrivateKeyPath(), getPublicLogicalSwitchName(network));
+                ovnNbClient.deleteLogicalRouter(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
+                        provider.getClientPrivateKeyPath(), getLogicalRouterName(network));
                 ovnNbClient.deleteDhcpOptions(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), String.valueOf(network.getId()));
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
@@ -344,9 +468,76 @@ public boolean removeDnsSupportForSubnet(Network network) throws ResourceUnavail
 
     @Override
     public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Network.Service> services) throws ResourceUnavailableException {
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN
+                || ipAddress == null || ipAddress.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(network);
+        String routerName = getLogicalRouterName(network);
+        String publicLs = getPublicLogicalSwitchName(network);
+        String localnet = provider.getLocalnetName();
+        String guestCidr = network.getCidr();
+        String externalBridge = provider.getExternalBridge();
+        try {
+            for (PublicIpAddress ip : ipAddress) {
+                String externalIp = ip.getAddress() != null ? ip.getAddress().addr() : null;
+                if (externalIp == null) {
+                    continue;
+                }
+                if (ip.isSourceNat() && Boolean.TRUE.equals(services.contains(Network.Service.SourceNat))) {
+                    if (ip.getState() == com.cloud.network.IpAddress.State.Releasing) {
+                        ovnNbClient.removeNatRule(provider.getNbConnection(),
+                                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                                routerName, "snat", externalIp, guestCidr);
+                        continue;
+                    }
+                    // Ensure public-side LS + localnet port + LR external attachment exist
+                    Map<String, String> publicLsExt = new HashMap<>();
+                    publicLsExt.put("cloudstack_network_id", String.valueOf(network.getId()));
+                    publicLsExt.put("cloudstack_role", "public");
+                    ovnNbClient.createLogicalSwitch(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            publicLs, publicLsExt);
+                    Integer vlanTag = null;
+                    try {
+                        if (ip.getVlanTag() != null) vlanTag = Integer.valueOf(ip.getVlanTag());
+                    } catch (NumberFormatException ignored) { /* vlan may be 'untagged' */ }
+                    ovnNbClient.addLocalnetPort(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            publicLs, "ln-" + publicLs, localnet != null ? localnet : externalBridge, vlanTag);
+                    String prefix = ip.getNetmask() != null ? "/" + maskToPrefix(ip.getNetmask()) : "/20";
+                    ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            routerName, publicLs,
+                            "lrp-" + publicLs, buildRouterMac(network.getId(), true),
+                            java.util.Collections.singletonList(externalIp + prefix));
+                    Map<String, String> natExt = new HashMap<>();
+                    natExt.put("cloudstack_network_id", String.valueOf(network.getId()));
+                    natExt.put("cloudstack_nat_kind", "source");
+                    ovnNbClient.addNatRule(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            routerName, "snat", externalIp, guestCidr, natExt);
+                }
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+        }
         return true;
     }
 
+    private static int maskToPrefix(String netmask) {
+        try {
+            String[] parts = netmask.split("\\.");
+            int bits = 0;
+            for (String p : parts) {
+                bits += Integer.bitCount(Integer.parseInt(p) & 0xff);
+            }
+            return bits;
+        } catch (Exception e) {
+            return 24;
+        }
+    }
+
     @Override
     public IpDeployer getIpDeployer(Network network) {
         return this;
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 1eb684947d1e..0df654e65ac6 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -56,7 +56,11 @@ public class OvnNbClient {
     private static final String NORTHBOUND_DB = "OVN_Northbound";
     private static final String LOGICAL_SWITCH_TABLE = "Logical_Switch";
     private static final String LOGICAL_SWITCH_PORT_TABLE = "Logical_Switch_Port";
+    private static final String LOGICAL_ROUTER_TABLE = "Logical_Router";
+    private static final String LOGICAL_ROUTER_PORT_TABLE = "Logical_Router_Port";
+    private static final String LOGICAL_ROUTER_STATIC_ROUTE_TABLE = "Logical_Router_Static_Route";
     private static final String DHCP_OPTIONS_TABLE = "DHCP_Options";
+    private static final String NAT_TABLE = "NAT";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -442,6 +446,345 @@ private UUID findDhcpOptionsByNetworkId(OvsdbClient client, DatabaseSchema schem
         return null;
     }
 
+    /**
+     * Idempotently creates a Logical_Router with the given name and external_ids.
+     */
+    public void createLogicalRouter(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath, String routerName, Map<String, String> externalIds) {
+        if (StringUtils.isBlank(routerName)) {
+            throw new CloudRuntimeException("Logical_Router name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lr = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = lr.column("name", String.class);
+            if (rowExistsByName(client, schema, lr, nameCol, routerName)) {
+                logger.debug("Logical_Router [{}] already exists on {} - skipping create", routerName, nbConnection);
+                return null;
+            }
+            Insert<GenericTableSchema> insert = OVSDB_OPS.insert(lr).value(nameCol, routerName);
+            if (externalIds != null && !externalIds.isEmpty()) {
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> extIdsCol = lr.column("external_ids", Map.class);
+                insert = insert.value(extIdsCol, new HashMap<>(externalIds));
+            }
+            List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(insert))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("create Logical_Router %s", routerName));
+            logger.info("Created OVN Logical_Router [{}] at {}", routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes a Logical_Router by name. Idempotent. Caller is responsible for first detaching any
+     * router ports the LR owns and for clearing nat rules.
+     */
+    public void deleteLogicalRouter(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath, String routerName) {
+        if (StringUtils.isBlank(routerName)) {
+            throw new CloudRuntimeException("Logical_Router name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lr = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = lr.column("name", String.class);
+            if (!rowExistsByName(client, schema, lr, nameCol, routerName)) {
+                logger.debug("Logical_Router [{}] not present on {} - nothing to delete", routerName, nbConnection);
+                return null;
+            }
+            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(lr).where(nameCol.opEqual(routerName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete Logical_Router %s", routerName));
+            logger.info("Deleted OVN Logical_Router [{}] at {}", routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently attaches a routed segment to a Logical_Router: creates a Logical_Router_Port
+     * with the given mac/networks and a peer Logical_Switch_Port of type=router on the Logical_Switch
+     * pointing back at it. Used to wire the LR to either the guest tier or the public/localnet tier.
+     */
+    public void attachRouterToSwitch(String nbConnection, String caCertPath, String clientCertPath,
+                                     String clientPrivateKeyPath,
+                                     String routerName, String switchName,
+                                     String lrpName, String lrpMac, List<String> lrpNetworks) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(switchName) || StringUtils.isBlank(lrpName)) {
+            throw new CloudRuntimeException("Logical_Router/Switch/Port name is blank");
+        }
+        if (StringUtils.isBlank(lrpMac) || lrpNetworks == null || lrpNetworks.isEmpty()) {
+            throw new CloudRuntimeException("Logical_Router_Port mac/networks are required");
+        }
+        final String lspName = "lsp-" + lrpName;
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrpTable = schema.table(LOGICAL_ROUTER_PORT_TABLE, GenericTableSchema.class);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lrpNameCol = lrpTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+
+            boolean lrpExists = rowExistsByName(client, schema, lrpTable, lrpNameCol, lrpName);
+            boolean lspExists = rowExistsByName(client, schema, lspTable, lspNameCol, lspName);
+            if (lrpExists && lspExists) {
+                logger.debug("Router attachment {} ↔ {} already in place - skipping", lrpName, lspName);
+                return null;
+            }
+
+            List<Operation> ops = new ArrayList<>();
+            UUID lrpRef = null;
+            if (!lrpExists) {
+                ColumnSchema<GenericTableSchema, String> lrpMacCol = lrpTable.column("mac", String.class);
+                ColumnSchema<GenericTableSchema, Set<String>> lrpNetCol = lrpTable.multiValuedColumn("networks", String.class);
+                Insert<GenericTableSchema> insertLrp = OVSDB_OPS.insert(lrpTable)
+                        .withId("newlrp")
+                        .value(lrpNameCol, lrpName)
+                        .value(lrpMacCol, lrpMac)
+                        .value(lrpNetCol, new java.util.HashSet<>(lrpNetworks));
+                ops.add(insertLrp);
+                ColumnSchema<GenericTableSchema, Set<UUID>> lrPortsCol = lrTable.multiValuedColumn("ports", UUID.class);
+                lrpRef = new UUID("newlrp");
+                ops.add(OVSDB_OPS.mutate(lrTable)
+                        .addMutation(lrPortsCol, Mutator.INSERT, Collections.singleton(lrpRef))
+                        .where(lrNameCol.opEqual(routerName)).build());
+            }
+            if (!lspExists) {
+                ColumnSchema<GenericTableSchema, String> lspTypeCol = lspTable.column("type", String.class);
+                ColumnSchema<GenericTableSchema, Set<String>> lspAddrCol = lspTable.multiValuedColumn("addresses", String.class);
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> lspOptsCol = lspTable.column("options", Map.class);
+                Map<String, String> opts = new HashMap<>();
+                opts.put("router-port", lrpName);
+                Insert<GenericTableSchema> insertLsp = OVSDB_OPS.insert(lspTable)
+                        .withId("newlsp")
+                        .value(lspNameCol, lspName)
+                        .value(lspTypeCol, "router")
+                        .value(lspAddrCol, Collections.singleton("router"))
+                        .value(lspOptsCol, opts);
+                ops.add(insertLsp);
+                ColumnSchema<GenericTableSchema, Set<UUID>> lsPortsCol = lsTable.multiValuedColumn("ports", UUID.class);
+                ops.add(OVSDB_OPS.mutate(lsTable)
+                        .addMutation(lsPortsCol, Mutator.INSERT, Collections.singleton(new UUID("newlsp")))
+                        .where(lsNameCol.opEqual(switchName)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("attach Logical_Router %s to Logical_Switch %s via %s", routerName, switchName, lrpName));
+            logger.info("Attached OVN Logical_Router [{}] to Logical_Switch [{}] via LRP [{}] at {}",
+                    routerName, switchName, lrpName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently adds a localnet Logical_Switch_Port to a Logical_Switch so traffic can egress
+     * the OVN integration bridge through ovn-bridge-mappings to the named physical network.
+     */
+    public void addLocalnetPort(String nbConnection, String caCertPath, String clientCertPath,
+                                String clientPrivateKeyPath,
+                                String switchName, String lspName, String physicalNetworkName, Integer vlanTag) {
+        if (StringUtils.isBlank(switchName) || StringUtils.isBlank(lspName) || StringUtils.isBlank(physicalNetworkName)) {
+            throw new CloudRuntimeException("Localnet port arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+            if (rowExistsByName(client, schema, lspTable, lspNameCol, lspName)) {
+                logger.debug("Localnet LSP [{}] already exists - skipping", lspName);
+                return null;
+            }
+            ColumnSchema<GenericTableSchema, String> typeCol = lspTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, Set<String>> addrCol = lspTable.multiValuedColumn("addresses", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> optsCol = lspTable.column("options", Map.class);
+            Map<String, String> opts = new HashMap<>();
+            opts.put("network_name", physicalNetworkName);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lsPortsCol = lsTable.multiValuedColumn("ports", UUID.class);
+            Insert<GenericTableSchema> insertLsp = OVSDB_OPS.insert(lspTable)
+                    .withId("newln")
+                    .value(lspNameCol, lspName)
+                    .value(typeCol, "localnet")
+                    .value(addrCol, Collections.singleton("unknown"))
+                    .value(optsCol, opts);
+            if (vlanTag != null) {
+                ColumnSchema<GenericTableSchema, Set<Long>> tagCol = lspTable.multiValuedColumn("tag", Long.class);
+                insertLsp = insertLsp.value(tagCol, Collections.singleton((long) vlanTag));
+            }
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertLsp);
+            ops.add(OVSDB_OPS.mutate(lsTable)
+                    .addMutation(lsPortsCol, Mutator.INSERT, Collections.singleton(new UUID("newln")))
+                    .where(lsNameCol.opEqual(switchName)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("add localnet LSP %s on %s", lspName, switchName));
+            logger.info("Added OVN localnet Logical_Switch_Port [{}] on Logical_Switch [{}] (network_name={}, vlan={}) at {}",
+                    lspName, switchName, physicalNetworkName, vlanTag, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently adds a NAT rule to a Logical_Router. {@code natType} should be {@code snat},
+     * {@code dnat} or {@code dnat_and_snat}.
+     */
+    public void addNatRule(String nbConnection, String caCertPath, String clientCertPath,
+                           String clientPrivateKeyPath,
+                           String routerName, String natType, String externalIp, String logicalIp,
+                           Map<String, String> externalIds) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(natType)
+                || StringUtils.isBlank(externalIp) || StringUtils.isBlank(logicalIp)) {
+            throw new CloudRuntimeException("NAT rule arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+            ColumnSchema<GenericTableSchema, String> natLogCol = natTable.column("logical_ip", String.class);
+
+            if (natRuleExists(client, schema, natTable, natType, externalIp, logicalIp)) {
+                logger.debug("NAT [{} {}→{}] on {} already exists - skipping", natType, logicalIp, externalIp, routerName);
+                return null;
+            }
+
+            Insert<GenericTableSchema> insertNat = OVSDB_OPS.insert(natTable)
+                    .withId("newnat")
+                    .value(natTypeCol, natType)
+                    .value(natExtCol, externalIp)
+                    .value(natLogCol, logicalIp);
+            if (externalIds != null && !externalIds.isEmpty()) {
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> extIdsCol = natTable.column("external_ids", Map.class);
+                insertNat = insertNat.value(extIdsCol, new HashMap<>(externalIds));
+            }
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertNat);
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrNatCol, Mutator.INSERT, Collections.singleton(new UUID("newnat")))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("add NAT %s %s→%s on %s", natType, logicalIp, externalIp, routerName));
+            logger.info("Added OVN NAT [{} {} → {}] on Logical_Router [{}] at {}", natType, logicalIp, externalIp, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes a NAT rule matching type/external_ip/logical_ip from a Logical_Router. Idempotent.
+     */
+    public void removeNatRule(String nbConnection, String caCertPath, String clientCertPath,
+                              String clientPrivateKeyPath,
+                              String routerName, String natType, String externalIp, String logicalIp) {
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+            ColumnSchema<GenericTableSchema, String> natLogCol = natTable.column("logical_ip", String.class);
+            if (!natRuleExists(client, schema, natTable, natType, externalIp, logicalIp)) {
+                return null;
+            }
+            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(natTable)
+                    .where(natTypeCol.opEqual(natType))
+                    .and(natExtCol.opEqual(externalIp))
+                    .and(natLogCol.opEqual(logicalIp)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete NAT %s %s→%s on %s", natType, logicalIp, externalIp, routerName));
+            logger.info("Deleted OVN NAT [{} {} → {}] on Logical_Router [{}] at {}", natType, logicalIp, externalIp, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently adds a static route on a Logical_Router.
+     */
+    public void addStaticRoute(String nbConnection, String caCertPath, String clientCertPath,
+                               String clientPrivateKeyPath,
+                               String routerName, String ipPrefix, String nexthop) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(ipPrefix) || StringUtils.isBlank(nexthop)) {
+            throw new CloudRuntimeException("Static route arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema srTable = schema.table(LOGICAL_ROUTER_STATIC_ROUTE_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> srPrefixCol = srTable.column("ip_prefix", String.class);
+            ColumnSchema<GenericTableSchema, String> srNexthopCol = srTable.column("nexthop", String.class);
+
+            Operation<GenericTableSchema> selExisting = OVSDB_OPS.select(srTable).column(srPrefixCol)
+                    .where(srPrefixCol.opEqual(ipPrefix)).and(srNexthopCol.opEqual(nexthop)).build();
+            List<OperationResult> existing = client.transact(schema, Collections.<Operation>singletonList(selExisting))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (existing != null && !existing.isEmpty()
+                    && existing.get(0).getRows() != null && !existing.get(0).getRows().isEmpty()) {
+                logger.debug("Static_Route {}→{} already exists - skipping", ipPrefix, nexthop);
+                return null;
+            }
+
+            Insert<GenericTableSchema> insertSr = OVSDB_OPS.insert(srTable)
+                    .withId("newsr")
+                    .value(srPrefixCol, ipPrefix)
+                    .value(srNexthopCol, nexthop);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrRoutesCol = lrTable.multiValuedColumn("static_routes", UUID.class);
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertSr);
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrRoutesCol, Mutator.INSERT, Collections.singleton(new UUID("newsr")))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("add Static_Route %s→%s on %s", ipPrefix, nexthop, routerName));
+            logger.info("Added OVN Static_Route [{} → {}] on Logical_Router [{}] at {}", ipPrefix, nexthop, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    private boolean natRuleExists(OvsdbClient client, DatabaseSchema schema, GenericTableSchema natTable,
+                                   String natType, String externalIp, String logicalIp) throws Exception {
+        ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+        ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+        ColumnSchema<GenericTableSchema, String> natLogCol = natTable.column("logical_ip", String.class);
+        Operation<GenericTableSchema> select = OVSDB_OPS.select(natTable).column(natTypeCol)
+                .where(natTypeCol.opEqual(natType))
+                .and(natExtCol.opEqual(externalIp))
+                .and(natLogCol.opEqual(logicalIp)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) return false;
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select on NAT failed: " + r.getError());
+        }
+        List<Row<GenericTableSchema>> rows = r.getRows();
+        return rows != null && !rows.isEmpty();
+    }
+
+    private boolean rowExistsByName(OvsdbClient client, DatabaseSchema schema,
+                                     GenericTableSchema table, ColumnSchema<GenericTableSchema, String> nameCol,
+                                     String name) throws Exception {
+        Operation<GenericTableSchema> select = OVSDB_OPS.select(table).column(nameCol).where(nameCol.opEqual(name)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty()) return false;
+        OperationResult r = results.get(0);
+        if (r.getError() != null) {
+            throw new CloudRuntimeException("OVSDB select failed: " + r.getError());
+        }
+        List<Row<GenericTableSchema>> rows = r.getRows();
+        return rows != null && !rows.isEmpty();
+    }
+
     private boolean logicalSwitchExists(OvsdbClient client, DatabaseSchema schema,
                                         GenericTableSchema ls, ColumnSchema<GenericTableSchema, String> nameCol,
                                         String name) throws Exception {

From 661f659a5eb808f14948735a824513b13ccd0b3d Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 15:04:44 +0200
Subject: [PATCH 10/33] OVN plugin: implement StaticNat via dnat_and_snat with
 Gateway_Chassis anchor

applyStaticNats now installs a dnat_and_snat NAT row on the per-network
Logical_Router with external_mac/logical_port set to the VM's NIC, so the
distributed pipeline can rewrite both directions without bouncing through
a centralised gateway for the SNAT half.

ovn-northd will only materialise lr_in_dnat for a NAT row when the
public-side Logical_Router_Port is anchored to a chassis via
Gateway_Chassis. Without it, lr_in_dnat keeps only the priority-0 default
and inbound packets are silently dropped instead of ct_dnat()'d.

To pick a chassis we now query the OVN_Southbound Chassis table via a
new listSouthboundChassisNames helper and rotate by network id, so
multiple LRs do not all pile on the same hypervisor. The Chassis row is
keyed by the OVS system-id, which is what Gateway_Chassis.chassis_name
must reference - the previous attempt of using HostVO.getGuid was wrong
because that surface is not the system-id.

OvnNbClient additions:
  - addNatRule overload taking distributedMac + distributedLogicalPort
  - removeNatRulesByExternalIp (delete by type + external_ip alone)
  - setLrpGatewayChassis (idempotent Gateway_Chassis create + LRP mutate)
  - listSouthboundChassisNames (queries OVN_Southbound)
  - runOnDb refactor so the same connect/dispatch path serves NB and SB

OvnElement additions:
  - pickAnchorChassis(provider, network) using OVN SB
  - applySourceNatForNetwork now also anchors the public LRP
  - applyStaticNats anchors before installing the dnat_and_snat row

Validated on the lab against cs-router-257: cycling the static NAT
through cmk recreates the NAT row and a Gateway_Chassis row pointing at
ovn-kvm-02, and ovn-trace from the localnet shows
"lr_in_dnat priority 100 ... ct_dnat(10.1.1.222)" and output to the
guest LSP for the inbound 10.0.56.186 -> 10.1.1.222 flow.
---
 .../apache/cloudstack/service/OvnElement.java |  88 ++++++++++++
 .../cloudstack/service/OvnNbClient.java       | 135 +++++++++++++++++-
 2 files changed, 220 insertions(+), 3 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 03fd4b47ad05..016bff19ff71 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -39,6 +39,8 @@
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.OvnProviderDao;
 import com.cloud.network.element.OvnProviderVO;
+import com.cloud.vm.NicVO;
+import com.cloud.vm.dao.NicDao;
 import com.cloud.network.element.PortForwardingServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.VpcProvider;
@@ -80,6 +82,12 @@ public class OvnElement extends AdapterBase implements DhcpServiceProvider, DnsS
     @Inject
     VlanDao vlanDao;
 
+    @Inject
+    NicDao nicDao;
+
+    @Inject
+    com.cloud.host.dao.HostDao hostDao;
+
     protected static Map<Network.Service, Map<Network.Capability, String>> initCapabilities() {
         Map<Network.Service, Map<Network.Capability, String>> capabilities = new HashMap<>();
 
@@ -319,6 +327,14 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
                     routerName, publicLs,
                     "lrp-" + publicLs, buildRouterMac(network.getId(), true),
                     java.util.Collections.singletonList(externalIp + prefix));
+            // Anchor the external LRP to a chassis so ovn-northd materialises lr_in_dnat /
+            // lr_in_unsnat / lr_out_snat for the NAT rules attached to this router.
+            String anchorChassis = pickAnchorChassis(provider, network);
+            if (anchorChassis != null) {
+                ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        "lrp-" + publicLs, anchorChassis, 10);
+            }
             Map<String, String> natExt = new HashMap<>();
             natExt.put("cloudstack_network_id", String.valueOf(network.getId()));
             natExt.put("cloudstack_nat_kind", "source");
@@ -525,6 +541,36 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
         return true;
     }
 
+    /**
+     * Picks a chassis name to host the centralised gateway pipeline for this network's LR.
+     * For now we deterministically map the network to one of the registered hypervisor hosts
+     * to avoid every LR piling on the same chassis. A future iteration can rotate this when
+     * a chassis goes offline.
+     */
+    protected String pickAnchorChassis(OvnProviderVO provider, Network network) {
+        if (provider == null || provider.getSbConnection() == null || provider.getSbConnection().isEmpty()) {
+            logger.warn("No OVN SB connection configured; cannot pick a Gateway_Chassis anchor for network {}", network);
+            return null;
+        }
+        try {
+            java.util.List<String> chassisNames = ovnNbClient.listSouthboundChassisNames(
+                    provider.getSbConnection(), provider.getCaCertPath(),
+                    provider.getClientCertPath(), provider.getClientPrivateKeyPath());
+            if (chassisNames == null || chassisNames.isEmpty()) {
+                logger.warn("OVN SB reports no registered Chassis yet; deferring Gateway_Chassis anchor for network {}", network);
+                return null;
+            }
+            // Deterministic pick: sort by name and rotate by network id so several LRs do not
+            // all pile on the same chassis. The Chassis row is keyed by the OVS system-id that
+            // ovn-controller registers on each hypervisor.
+            java.util.Collections.sort(chassisNames);
+            return chassisNames.get((int) (Math.abs(network.getId()) % chassisNames.size()));
+        } catch (Exception e) {
+            logger.warn("Failed to query OVN SB for Chassis names while anchoring network {}: {}", network, e.getMessage());
+            return null;
+        }
+    }
+
     private static int maskToPrefix(String netmask) {
         try {
             String[] parts = netmask.split("\\.");
@@ -545,6 +591,48 @@ public IpDeployer getIpDeployer(Network network) {
 
     @Override
     public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
+        if (config.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(config);
+        String routerName = getLogicalRouterName(config);
+        try {
+            // Anchor the public LRP to a chassis so ovn-northd materialises the lr_in_dnat
+            // pipeline. Without Gateway_Chassis, dnat_and_snat NAT rows are silently ignored
+            // by lr_in_dnat. setLrpGatewayChassis is idempotent.
+            String anchorChassis = pickAnchorChassis(provider, config);
+            if (anchorChassis != null) {
+                ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        "lrp-" + getPublicLogicalSwitchName(config), anchorChassis, 10);
+            }
+            for (StaticNat rule : rules) {
+                IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
+                if (ipVo == null || ipVo.getAddress() == null) {
+                    continue;
+                }
+                String externalIp = ipVo.getAddress().addr();
+                String logicalIp = rule.getDestIpAddress();
+                if (rule.isForRevoke() || logicalIp == null || logicalIp.isEmpty()) {
+                    ovnNbClient.removeNatRulesByExternalIp(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            routerName, "dnat_and_snat", externalIp);
+                    continue;
+                }
+                Map<String, String> ext = new HashMap<>();
+                ext.put("cloudstack_network_id", String.valueOf(config.getId()));
+                ext.put("cloudstack_nat_kind", "static");
+                NicVO targetNic = nicDao.findByIp4AddressAndNetworkId(logicalIp, config.getId());
+                String distributedLogicalPort = targetNic != null ? targetNic.getUuid() : null;
+                String distributedMac = buildRouterMac(config.getId(), true);
+                ovnNbClient.addNatRule(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        routerName, "dnat_and_snat", externalIp, logicalIp, ext,
+                        distributedMac, distributedLogicalPort);
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, config.getDataCenterId());
+        }
         return true;
     }
 
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 0df654e65ac6..605fec91816d 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -54,11 +54,13 @@
 public class OvnNbClient {
     protected static final Logger logger = LogManager.getLogger(OvnNbClient.class);
     private static final String NORTHBOUND_DB = "OVN_Northbound";
+    private static final String SOUTHBOUND_DB = "OVN_Southbound";
     private static final String LOGICAL_SWITCH_TABLE = "Logical_Switch";
     private static final String LOGICAL_SWITCH_PORT_TABLE = "Logical_Switch_Port";
     private static final String LOGICAL_ROUTER_TABLE = "Logical_Router";
     private static final String LOGICAL_ROUTER_PORT_TABLE = "Logical_Router_Port";
     private static final String LOGICAL_ROUTER_STATIC_ROUTE_TABLE = "Logical_Router_Static_Route";
+    private static final String GATEWAY_CHASSIS_TABLE = "Gateway_Chassis";
     private static final String DHCP_OPTIONS_TABLE = "DHCP_Options";
     private static final String NAT_TABLE = "NAT";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
@@ -632,12 +634,23 @@ public void addLocalnetPort(String nbConnection, String caCertPath, String clien
 
     /**
      * Idempotently adds a NAT rule to a Logical_Router. {@code natType} should be {@code snat},
-     * {@code dnat} or {@code dnat_and_snat}.
+     * {@code dnat} or {@code dnat_and_snat}. Setting both {@code distributedMac} and
+     * {@code distributedLogicalPort} marks the row as distributed-NAT (so ovn-northd can apply
+     * the rule on the chassis hosting the workload, no Gateway_Chassis required).
      */
     public void addNatRule(String nbConnection, String caCertPath, String clientCertPath,
                            String clientPrivateKeyPath,
                            String routerName, String natType, String externalIp, String logicalIp,
                            Map<String, String> externalIds) {
+        addNatRule(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath,
+                routerName, natType, externalIp, logicalIp, externalIds, null, null);
+    }
+
+    public void addNatRule(String nbConnection, String caCertPath, String clientCertPath,
+                           String clientPrivateKeyPath,
+                           String routerName, String natType, String externalIp, String logicalIp,
+                           Map<String, String> externalIds,
+                           String distributedMac, String distributedLogicalPort) {
         if (StringUtils.isBlank(routerName) || StringUtils.isBlank(natType)
                 || StringUtils.isBlank(externalIp) || StringUtils.isBlank(logicalIp)) {
             throw new CloudRuntimeException("NAT rule arguments are incomplete");
@@ -666,6 +679,14 @@ public void addNatRule(String nbConnection, String caCertPath, String clientCert
                 ColumnSchema<GenericTableSchema, Map> extIdsCol = natTable.column("external_ids", Map.class);
                 insertNat = insertNat.value(extIdsCol, new HashMap<>(externalIds));
             }
+            if (StringUtils.isNotBlank(distributedMac)) {
+                ColumnSchema<GenericTableSchema, String> extMacCol = natTable.column("external_mac", String.class);
+                insertNat = insertNat.value(extMacCol, distributedMac);
+            }
+            if (StringUtils.isNotBlank(distributedLogicalPort)) {
+                ColumnSchema<GenericTableSchema, String> logPortCol = natTable.column("logical_port", String.class);
+                insertNat = insertNat.value(logPortCol, distributedLogicalPort);
+            }
             ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
             List<Operation> ops = new ArrayList<>();
             ops.add(insertNat);
@@ -679,6 +700,33 @@ public void addNatRule(String nbConnection, String caCertPath, String clientCert
         });
     }
 
+    /**
+     * Removes every NAT rule matching {@code type}+{@code external_ip} from the Logical_Router,
+     * regardless of logical_ip. Convenient when reverting a static NAT mapping where the caller
+     * does not know the previously-bound private address. Idempotent.
+     */
+    public void removeNatRulesByExternalIp(String nbConnection, String caCertPath, String clientCertPath,
+                                           String clientPrivateKeyPath,
+                                           String routerName, String natType, String externalIp) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(natType) || StringUtils.isBlank(externalIp)) {
+            throw new CloudRuntimeException("removeNatRulesByExternalIp: arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(natTable)
+                    .where(natTypeCol.opEqual(natType))
+                    .and(natExtCol.opEqual(externalIp)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("delete NAT %s ext=%s on %s", natType, externalIp, routerName));
+            logger.info("Deleted OVN NAT [{} ext={}] on Logical_Router [{}] at {}", natType, externalIp, routerName, nbConnection);
+            return null;
+        });
+    }
+
     /**
      * Removes a NAT rule matching type/external_ip/logical_ip from a Logical_Router. Idempotent.
      */
@@ -706,6 +754,82 @@ public void removeNatRule(String nbConnection, String caCertPath, String clientC
         });
     }
 
+    /**
+     * Lists the chassis system-ids registered in the OVN_Southbound database. Useful for picking
+     * a deterministic anchor chassis for a Logical_Router gateway port without having to map
+     * CloudStack hostnames onto OVS system-ids.
+     */
+    public List<String> listSouthboundChassisNames(String sbConnection, String caCertPath, String clientCertPath,
+                                                   String clientPrivateKeyPath) {
+        return runOnDb(sbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, SOUTHBOUND_DB, client -> {
+            DatabaseSchema schema = client.getSchema(SOUTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema chassisTable = schema.table("Chassis", GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = chassisTable.column("name", String.class);
+            Operation<GenericTableSchema> select = OVSDB_OPS.select(chassisTable).column(nameCol);
+            List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(select))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            List<String> names = new ArrayList<>();
+            if (results != null && !results.isEmpty() && results.get(0).getRows() != null) {
+                for (Row<GenericTableSchema> row : results.get(0).getRows()) {
+                    String n = row.getColumn(nameCol).getData();
+                    if (n != null && !n.isEmpty()) names.add(n);
+                }
+            }
+            return names;
+        });
+    }
+
+    /**
+     * Idempotently anchors a Logical_Router_Port to a chassis via Gateway_Chassis. This is what
+     * lets ovn-northd materialise the centralised NAT pipeline for the LR (lr_in_dnat,
+     * lr_in_unsnat, lr_out_snat) — without it the lr_in_dnat table only carries the default
+     * priority-0 rule and DNAT silently does not happen.
+     */
+    public void setLrpGatewayChassis(String nbConnection, String caCertPath, String clientCertPath,
+                                     String clientPrivateKeyPath,
+                                     String lrpName, String chassisName, int priority) {
+        if (StringUtils.isBlank(lrpName) || StringUtils.isBlank(chassisName)) {
+            throw new CloudRuntimeException("Gateway_Chassis arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrpTable = schema.table(LOGICAL_ROUTER_PORT_TABLE, GenericTableSchema.class);
+            GenericTableSchema gcTable = schema.table(GATEWAY_CHASSIS_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrpNameCol = lrpTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> gcChassisCol = gcTable.column("chassis_name", String.class);
+            ColumnSchema<GenericTableSchema, Long> gcPrioCol = gcTable.column("priority", Long.class);
+            ColumnSchema<GenericTableSchema, String> gcNameCol = gcTable.column("name", String.class);
+
+            Operation<GenericTableSchema> existingSel = OVSDB_OPS.select(gcTable).column(gcChassisCol)
+                    .where(gcChassisCol.opEqual(chassisName))
+                    .and(gcNameCol.opEqual(lrpName + "_" + chassisName)).build();
+            List<OperationResult> existing = client.transact(schema, Collections.<Operation>singletonList(existingSel))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (existing != null && !existing.isEmpty()
+                    && existing.get(0).getRows() != null && !existing.get(0).getRows().isEmpty()) {
+                logger.debug("Gateway_Chassis for LRP [{}] on [{}] already exists - skipping", lrpName, chassisName);
+                return null;
+            }
+
+            Insert<GenericTableSchema> insertGc = OVSDB_OPS.insert(gcTable)
+                    .withId("newgc")
+                    .value(gcNameCol, lrpName + "_" + chassisName)
+                    .value(gcChassisCol, chassisName)
+                    .value(gcPrioCol, (long) priority);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrpGcCol = lrpTable.multiValuedColumn("gateway_chassis", UUID.class);
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertGc);
+            ops.add(OVSDB_OPS.mutate(lrpTable)
+                    .addMutation(lrpGcCol, Mutator.INSERT, Collections.singleton(new UUID("newgc")))
+                    .where(lrpNameCol.opEqual(lrpName)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("set Gateway_Chassis %s on LRP %s", chassisName, lrpName));
+            logger.info("Set OVN Gateway_Chassis [{} prio={}] on Logical_Router_Port [{}] at {}",
+                    chassisName, priority, lrpName, nbConnection);
+            return null;
+        });
+    }
+
     /**
      * Idempotently adds a static route on a Logical_Router.
      */
@@ -838,6 +962,11 @@ private interface NbAction<T> {
 
     private <T> T runOn(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath,
                         NbAction<T> action) {
+        return runOnDb(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, NORTHBOUND_DB, action);
+    }
+
+    private <T> T runOnDb(String nbConnection, String caCertPath, String clientCertPath, String clientPrivateKeyPath,
+                          String expectedDb, NbAction<T> action) {
         Endpoint ep = parse(nbConnection);
         if (ep.scheme == Scheme.UNIX) {
             throw new CloudRuntimeException("Unix-socket OVN connections are not supported by the management server client; use tcp: or ssl:");
@@ -858,13 +987,13 @@ private <T> T runOn(String nbConnection, String caCertPath, String clientCertPat
                 client = service.connect(addr, ep.port);
             }
             if (client == null) {
-                throw new CloudRuntimeException(String.format("OVN NB at %s did not accept the connection", nbConnection));
+                throw new CloudRuntimeException(String.format("OVN %s at %s did not accept the connection", expectedDb, nbConnection));
             }
             return action.call(client);
         } catch (CloudRuntimeException e) {
             throw e;
         } catch (Exception e) {
-            throw new CloudRuntimeException("OVN NB operation against " + nbConnection + " failed: " + e.getMessage(), e);
+            throw new CloudRuntimeException("OVN " + expectedDb + " operation against " + nbConnection + " failed: " + e.getMessage(), e);
         } finally {
             if (client != null && service != null) {
                 try { service.disconnect(client); } catch (Exception ignored) { }

From 21619f3c474d1a7271860f8f84972ee9a46975e7 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 15:21:11 +0200
Subject: [PATCH 11/33] OVN plugin: enforce ingress firewall rules via OVN ACL
 on the public LS

applyFWRules now translates each CloudStack FirewallRule into an OVN
ACL row attached to the network's public Logical_Switch in the
"to-lport" direction toward the router patch port. Allowed traffic uses
"allow-related" so conntrack opens the reverse path automatically; the
match expression is constructed before DNAT (ip4.dst == publicIp) so
the user's public-side TCP/UDP port stays correct.

A per-public-IP default-drop ACL is installed alongside the first allow
to flip the implicit OVN allow-by-default into CloudStack's expected
deny-by-default for an exposed public IP. Every ACL row is tagged via
external_ids:cloudstack_fw_rule_id (per rule) plus cloudstack_fw_ip and
cloudstack_network_id, which lets revoke target the row by tag without
re-walking the rule set.

OvnNbClient additions:
  - ACL_TABLE constant
  - addAclOnLs (idempotent: removes any prior ACL with the same
    external_ids tag before inserting + linking via Logical_Switch.acls)
  - removeAclsOnLsByExternalId (deletes by tag, mutates LS.acls)
  - findAclUuidsByExternalIds helper (server-side select + client-side
    map filter, since OVSDB select cannot match into a map column)

OvnElement additions:
  - applyFWRules now programs ACL per FirewallRule
  - programFirewallRule respects FirewallRule.State.Revoke
  - buildFirewallMatch handles tcp/udp dst ports, icmp type/code, "all"
    and source CIDR list (skipping the 0.0.0.0/0 noise)
  - ensureFirewallDefaultDeny installs the per-IP drop ACL

Validated on the lab against cs-pub-257 with two rules on 10.0.56.186
(icmp + tcp/22). ovn-nbctl acl-list shows the two allow-related ACLs
plus the priority-100 drop. ovn-trace confirms:
  - tcp/22 -> ACL allow -> ct_dnat(10.1.1.222) -> output to guest LSP
  - icmp  -> ACL allow -> ct_dnat(10.1.1.222) -> output to guest LSP
  - tcp/80 -> ls_out_acl_eval priority 1100 hits the drop, no output
---
 .../apache/cloudstack/service/OvnElement.java | 135 ++++++++++++++++
 .../cloudstack/service/OvnNbClient.java       | 150 ++++++++++++++++++
 2 files changed, 285 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 016bff19ff71..13a522d0732d 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -643,9 +643,144 @@ public boolean applyPFRules(Network network, List<PortForwardingRule> rules) thr
 
     @Override
     public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(network);
+        String publicLs = getPublicLogicalSwitchName(network);
+        String publicLrpLsp = "lsp-lrp-" + publicLs;
+        try {
+            for (FirewallRule rule : rules) {
+                programFirewallRule(provider, network, publicLs, publicLrpLsp, rule);
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+        }
         return true;
     }
 
+    /**
+     * Translates a single {@link FirewallRule} into an OVN ACL row attached to the network's
+     * public Logical_Switch. The default-deny scoped to the public IP is kept fresh on every
+     * call so newly-allocated IPs only become reachable through explicit allow rules. Revoke
+     * state simply deletes the per-rule row by external_ids tag.
+     */
+    protected void programFirewallRule(OvnProviderVO provider, Network network, String publicLs,
+                                        String publicLrpLsp, FirewallRule rule) {
+        IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
+        if (ipVo == null || ipVo.getAddress() == null) {
+            return;
+        }
+        String publicIp = ipVo.getAddress().addr();
+        // Make sure the per-IP default-drop is in place before we layer allow rules on top.
+        ensureFirewallDefaultDeny(provider, network, publicLs, publicLrpLsp, publicIp);
+
+        String ruleTag = "fw-" + rule.getId();
+        if (rule.getState() == FirewallRule.State.Revoke) {
+            ovnNbClient.removeAclsOnLsByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs, "cloudstack_fw_rule_id", String.valueOf(rule.getId()));
+            return;
+        }
+
+        String matchExpr = buildFirewallMatch(publicLrpLsp, publicIp, rule);
+        if (matchExpr == null) {
+            // Unsupported protocol or empty rule - skip silently.
+            return;
+        }
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_fw_rule_id", String.valueOf(rule.getId()));
+        ext.put("cloudstack_fw_ip", publicIp);
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        ovnNbClient.addAclOnLs(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                publicLs, ruleTag, "to-lport", 1000L, matchExpr, "allow-related", ext);
+    }
+
+    /**
+     * Builds the OVN match expression for a single firewall rule. ACLs on the public LS are
+     * evaluated in the {@code to-lport} direction toward the router patch port, so we match
+     * before DNAT happens - {@code ip4.dst} is still the public IP, {@code tcp/udp.dst} is
+     * still the public-side port the user typed in CloudStack.
+     */
+    protected String buildFirewallMatch(String publicLrpLsp, String publicIp, FirewallRule rule) {
+        String proto = rule.getProtocol() == null ? "" : rule.getProtocol().toLowerCase();
+        StringBuilder sb = new StringBuilder();
+        sb.append("outport == \"").append(publicLrpLsp).append("\" && ip4");
+        sb.append(" && ip4.dst == ").append(publicIp);
+        // Scope to source CIDRs if the user provided any, otherwise leave the rule open to 0.0.0.0/0.
+        List<String> sourceCidrs = rule.getSourceCidrList();
+        if (sourceCidrs != null && !sourceCidrs.isEmpty()) {
+            StringBuilder cidrs = new StringBuilder();
+            boolean first = true;
+            for (String cidr : sourceCidrs) {
+                if (cidr == null || cidr.isEmpty() || "0.0.0.0/0".equals(cidr)) {
+                    cidrs.setLength(0);
+                    break;
+                }
+                if (!first) cidrs.append(", ");
+                cidrs.append(cidr);
+                first = false;
+            }
+            if (cidrs.length() > 0) {
+                sb.append(" && ip4.src == {").append(cidrs).append("}");
+            }
+        }
+        switch (proto) {
+            case "tcp":
+            case "udp": {
+                sb.append(" && ").append(proto);
+                Integer s = rule.getSourcePortStart();
+                Integer e = rule.getSourcePortEnd();
+                if (s != null && e != null) {
+                    if (s.equals(e)) {
+                        sb.append(" && ").append(proto).append(".dst == ").append(s);
+                    } else {
+                        sb.append(" && ").append(proto).append(".dst >= ").append(s)
+                                .append(" && ").append(proto).append(".dst <= ").append(e);
+                    }
+                }
+                break;
+            }
+            case "icmp": {
+                sb.append(" && icmp4");
+                if (rule.getIcmpType() != null && rule.getIcmpType() != -1) {
+                    sb.append(" && icmp4.type == ").append(rule.getIcmpType());
+                }
+                if (rule.getIcmpCode() != null && rule.getIcmpCode() != -1) {
+                    sb.append(" && icmp4.code == ").append(rule.getIcmpCode());
+                }
+                break;
+            }
+            case "all":
+            case "":
+                // No protocol filter - any IPv4 traffic to the public IP.
+                break;
+            default:
+                logger.warn("Skipping firewall rule {} with unsupported protocol [{}]", rule.getId(), proto);
+                return null;
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Installs (or refreshes) the per-public-IP default-drop ACL. Without this, the public LS
+     * would forward every DNAT'd packet because OVN ACLs default-allow when none of the rules
+     * match - that is the opposite of CloudStack's expectation that an unprotected public IP
+     * is unreachable.
+     */
+    protected void ensureFirewallDefaultDeny(OvnProviderVO provider, Network network, String publicLs,
+                                              String publicLrpLsp, String publicIp) {
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_fw_default", "true");
+        ext.put("cloudstack_fw_ip", publicIp);
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        String match = "outport == \"" + publicLrpLsp + "\" && ip4 && ip4.dst == " + publicIp;
+        ovnNbClient.addAclOnLs(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                publicLs, "fw-default-" + publicIp, "to-lport", 100L, match, "drop", ext);
+    }
+
     @Override
     public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
         return true;
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 605fec91816d..bf3a37b4574e 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -63,6 +63,7 @@ public class OvnNbClient {
     private static final String GATEWAY_CHASSIS_TABLE = "Gateway_Chassis";
     private static final String DHCP_OPTIONS_TABLE = "DHCP_Options";
     private static final String NAT_TABLE = "NAT";
+    private static final String ACL_TABLE = "ACL";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -874,6 +875,155 @@ public void addStaticRoute(String nbConnection, String caCertPath, String client
         });
     }
 
+    /**
+     * Idempotently installs an ACL row on the named Logical_Switch. The caller is expected to
+     * tag the ACL via {@code external_ids} so subsequent revocation can target the row by tag
+     * (e.g. {@code cloudstack_fw_rule_id=<rule_id>}). If a row with the same tag combination
+     * already exists on this switch it is replaced - this keeps applyFWRules idempotent across
+     * retries without leaking stale rows.
+     *
+     * <p>Logical_Switch.acls is a weak-ref set, so deleting the ACL row alone is enough to
+     * break the link, but we still mutate {@code acls} explicitly to keep the LS row tidy.</p>
+     */
+    public void addAclOnLs(String nbConnection, String caCertPath, String clientCertPath,
+                           String clientPrivateKeyPath,
+                           String logicalSwitchName, String name, String direction, long priority,
+                           String match, String action, Map<String, String> externalIds) {
+        if (StringUtils.isBlank(logicalSwitchName) || StringUtils.isBlank(direction)
+                || StringUtils.isBlank(match) || StringUtils.isBlank(action)) {
+            throw new CloudRuntimeException("ACL arguments are incomplete");
+        }
+        if (externalIds == null || externalIds.isEmpty()) {
+            throw new CloudRuntimeException("ACL external_ids must be set so the row can be replaced/removed by tag");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema aclTable = schema.table(ACL_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lsAclsCol = lsTable.multiValuedColumn("acls", UUID.class);
+
+            ColumnSchema<GenericTableSchema, String> aclDirCol = aclTable.column("direction", String.class);
+            ColumnSchema<GenericTableSchema, Long> aclPrioCol = aclTable.column("priority", Long.class);
+            ColumnSchema<GenericTableSchema, String> aclMatchCol = aclTable.column("match", String.class);
+            ColumnSchema<GenericTableSchema, String> aclActionCol = aclTable.column("action", String.class);
+            @SuppressWarnings("rawtypes")
+            ColumnSchema<GenericTableSchema, Map> aclExtCol = aclTable.column("external_ids", Map.class);
+
+            // First, remove any existing ACL on this LS that already carries the same external_ids
+            // tag. We do this in the same transaction to keep the operation atomic.
+            List<UUID> staleAclUuids = findAclUuidsByExternalIds(client, schema, aclTable, externalIds);
+            List<Operation> ops = new ArrayList<>();
+            ColumnSchema<GenericTableSchema, UUID> aclUuidCol = aclTable.column("_uuid", UUID.class);
+            for (UUID stale : staleAclUuids) {
+                ops.add(OVSDB_OPS.delete(aclTable).where(aclUuidCol.opEqual(stale)).build());
+                ops.add(OVSDB_OPS.mutate(lsTable)
+                        .addMutation(lsAclsCol, Mutator.DELETE, Collections.singleton(stale))
+                        .where(lsNameCol.opEqual(logicalSwitchName)).build());
+            }
+
+            String namedUuid = "newacl";
+            Insert<GenericTableSchema> insertAcl = OVSDB_OPS.insert(aclTable)
+                    .withId(namedUuid)
+                    .value(aclDirCol, direction)
+                    .value(aclPrioCol, priority)
+                    .value(aclMatchCol, match)
+                    .value(aclActionCol, action)
+                    .value(aclExtCol, new HashMap<>(externalIds));
+            if (StringUtils.isNotBlank(name)) {
+                ColumnSchema<GenericTableSchema, String> aclNameCol = aclTable.column("name", String.class);
+                insertAcl = insertAcl.value(aclNameCol, name);
+            }
+            ops.add(insertAcl);
+            ops.add(OVSDB_OPS.mutate(lsTable)
+                    .addMutation(lsAclsCol, Mutator.INSERT, Collections.singleton(new UUID(namedUuid)))
+                    .where(lsNameCol.opEqual(logicalSwitchName)).build());
+
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("install ACL on Logical_Switch %s (priority=%d, action=%s)",
+                    logicalSwitchName, priority, action));
+            logger.info("Installed OVN ACL on Logical_Switch [{}] dir=[{}] prio=[{}] action=[{}] match=[{}] tags=[{}]",
+                    logicalSwitchName, direction, priority, action, match, externalIds);
+            return null;
+        });
+    }
+
+    /**
+     * Removes every ACL row whose {@code external_ids} contains the supplied (key, value) pair
+     * and detaches it from the named Logical_Switch. Used to revoke individual firewall rules
+     * (by {@code cloudstack_fw_rule_id}) or to wipe per-IP scopes (by {@code cloudstack_fw_ip}).
+     */
+    public int removeAclsOnLsByExternalId(String nbConnection, String caCertPath, String clientCertPath,
+                                           String clientPrivateKeyPath,
+                                           String logicalSwitchName, String externalIdKey, String externalIdValue) {
+        if (StringUtils.isBlank(logicalSwitchName) || StringUtils.isBlank(externalIdKey) || StringUtils.isBlank(externalIdValue)) {
+            throw new CloudRuntimeException("ACL removal arguments are incomplete");
+        }
+        return runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema aclTable = schema.table(ACL_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lsAclsCol = lsTable.multiValuedColumn("acls", UUID.class);
+            ColumnSchema<GenericTableSchema, UUID> aclUuidCol = aclTable.column("_uuid", UUID.class);
+
+            Map<String, String> filter = new HashMap<>();
+            filter.put(externalIdKey, externalIdValue);
+            List<UUID> uuids = findAclUuidsByExternalIds(client, schema, aclTable, filter);
+            if (uuids.isEmpty()) {
+                return 0;
+            }
+            List<Operation> ops = new ArrayList<>();
+            for (UUID u : uuids) {
+                ops.add(OVSDB_OPS.delete(aclTable).where(aclUuidCol.opEqual(u)).build());
+                ops.add(OVSDB_OPS.mutate(lsTable)
+                        .addMutation(lsAclsCol, Mutator.DELETE, Collections.singleton(u))
+                        .where(lsNameCol.opEqual(logicalSwitchName)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("remove ACLs on %s by %s=%s", logicalSwitchName, externalIdKey, externalIdValue));
+            logger.info("Removed {} OVN ACL row(s) on Logical_Switch [{}] tagged [{}={}]",
+                    uuids.size(), logicalSwitchName, externalIdKey, externalIdValue);
+            return uuids.size();
+        });
+    }
+
+    /**
+     * Returns the UUIDs of every ACL row whose {@code external_ids} map contains every entry
+     * present in {@code wantedExternalIds}. We pull the column server-side and filter in the
+     * client because OVSDB select with where-clause cannot match into a map column.
+     */
+    @SuppressWarnings("unchecked")
+    private List<UUID> findAclUuidsByExternalIds(OvsdbClient client, DatabaseSchema schema,
+                                                  GenericTableSchema aclTable,
+                                                  Map<String, String> wantedExternalIds) throws Exception {
+        ColumnSchema<GenericTableSchema, UUID> uuidCol = aclTable.column("_uuid", UUID.class);
+        @SuppressWarnings("rawtypes")
+        ColumnSchema<GenericTableSchema, Map> extIdsCol = aclTable.column("external_ids", Map.class);
+        Operation<GenericTableSchema> selectAll = OVSDB_OPS.select(aclTable).column(uuidCol).column(extIdsCol);
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(selectAll))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        List<UUID> matches = new ArrayList<>();
+        if (results == null || results.isEmpty() || results.get(0).getRows() == null) {
+            return matches;
+        }
+        for (Row<GenericTableSchema> row : results.get(0).getRows()) {
+            Map<String, String> ext = (Map<String, String>) row.getColumn(extIdsCol).getData();
+            if (ext == null) continue;
+            boolean ok = true;
+            for (Map.Entry<String, String> e : wantedExternalIds.entrySet()) {
+                if (!e.getValue().equals(ext.get(e.getKey()))) {
+                    ok = false;
+                    break;
+                }
+            }
+            if (ok) {
+                matches.add(row.getColumn(uuidCol).getData());
+            }
+        }
+        return matches;
+    }
+
     private boolean natRuleExists(OvsdbClient client, DatabaseSchema schema, GenericTableSchema natTable,
                                    String natType, String externalIp, String logicalIp) throws Exception {
         ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);

From 1f7c3061b7c0bafd24abd0beb230ceb7a51ff9c9 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 15:30:23 +0200
Subject: [PATCH 12/33] OVN plugin: detach NAT rows from Logical_Router.nat
 before deleting them

removeNatRulesByExternalIp and removeNatRule were issuing a bare
delete on the NAT table, leaving the strong reference set in
Logical_Router.nat dangling. OVSDB then refused the delete with
"referential integrity violation: cannot delete NAT row ... because
of N remaining reference(s)", which surfaced in CloudStack as
"Failed to expunge VM" / "Failed to disable static NAT" whenever a
VM tied to a static NAT IP was destroyed.

Both helpers now resolve the matching NAT UUIDs first, then mutate
Logical_Router.nat to remove those UUIDs and delete the rows in the
same transaction. Same idempotency guarantees as before, no new
public API.

Validated on the lab: destroyed the static-NAT VM that previously
got stuck in Error and deleted its network. ovn-nbctl shows the LR,
LSes, NAT, ACL and Gateway_Chassis tables fully empty afterwards.
---
 .../cloudstack/service/OvnNbClient.java       | 60 ++++++++++++++++---
 1 file changed, 52 insertions(+), 8 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index bf3a37b4574e..e26605c8af90 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -715,15 +715,41 @@ public void removeNatRulesByExternalIp(String nbConnection, String caCertPath, S
         runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
             DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
             GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
             ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
             ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
-            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(natTable)
+            ColumnSchema<GenericTableSchema, UUID> natUuidCol = natTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
+
+            // Logical_Router.nat is a strong reference set; deleting NAT rows without first
+            // mutating the LR.nat column triggers a referential-integrity violation. Resolve
+            // the UUIDs to remove via select, then mutate-and-delete in one transaction.
+            Operation<GenericTableSchema> selectUuids = OVSDB_OPS.select(natTable).column(natUuidCol)
                     .where(natTypeCol.opEqual(natType))
                     .and(natExtCol.opEqual(externalIp)).build();
-            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+            List<OperationResult> selectResult = client.transact(schema, Collections.<Operation>singletonList(selectUuids))
                     .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (selectResult == null || selectResult.isEmpty() || selectResult.get(0).getRows() == null
+                    || selectResult.get(0).getRows().isEmpty()) {
+                logger.debug("No NAT rows match type={} ext={} on {} - nothing to remove", natType, externalIp, routerName);
+                return null;
+            }
+            List<UUID> uuids = new ArrayList<>();
+            for (Row<GenericTableSchema> row : selectResult.get(0).getRows()) {
+                uuids.add(row.getColumn(natUuidCol).getData());
+            }
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrNatCol, Mutator.DELETE, new java.util.HashSet<>(uuids))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            for (UUID u : uuids) {
+                ops.add(OVSDB_OPS.delete(natTable).where(natUuidCol.opEqual(u)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
             assertNoError(results, String.format("delete NAT %s ext=%s on %s", natType, externalIp, routerName));
-            logger.info("Deleted OVN NAT [{} ext={}] on Logical_Router [{}] at {}", natType, externalIp, routerName, nbConnection);
+            logger.info("Deleted {} OVN NAT row(s) [{} ext={}] on Logical_Router [{}] at {}",
+                    uuids.size(), natType, externalIp, routerName, nbConnection);
             return null;
         });
     }
@@ -737,18 +763,36 @@ public void removeNatRule(String nbConnection, String caCertPath, String clientC
         runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
             DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
             GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
             ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
             ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
             ColumnSchema<GenericTableSchema, String> natLogCol = natTable.column("logical_ip", String.class);
-            if (!natRuleExists(client, schema, natTable, natType, externalIp, logicalIp)) {
-                return null;
-            }
-            Operation<GenericTableSchema> delete = OVSDB_OPS.delete(natTable)
+            ColumnSchema<GenericTableSchema, UUID> natUuidCol = natTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
+
+            Operation<GenericTableSchema> selectUuids = OVSDB_OPS.select(natTable).column(natUuidCol)
                     .where(natTypeCol.opEqual(natType))
                     .and(natExtCol.opEqual(externalIp))
                     .and(natLogCol.opEqual(logicalIp)).build();
-            List<OperationResult> results = client.transact(schema, Collections.singletonList(delete))
+            List<OperationResult> selectResult = client.transact(schema, Collections.<Operation>singletonList(selectUuids))
                     .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (selectResult == null || selectResult.isEmpty() || selectResult.get(0).getRows() == null
+                    || selectResult.get(0).getRows().isEmpty()) {
+                return null;
+            }
+            List<UUID> uuids = new ArrayList<>();
+            for (Row<GenericTableSchema> row : selectResult.get(0).getRows()) {
+                uuids.add(row.getColumn(natUuidCol).getData());
+            }
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrNatCol, Mutator.DELETE, new java.util.HashSet<>(uuids))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            for (UUID u : uuids) {
+                ops.add(OVSDB_OPS.delete(natTable).where(natUuidCol.opEqual(u)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
             assertNoError(results, String.format("delete NAT %s %s→%s on %s", natType, logicalIp, externalIp, routerName));
             logger.info("Deleted OVN NAT [{} {} → {}] on Logical_Router [{}] at {}", natType, logicalIp, externalIp, routerName, nbConnection);
             return null;

From ea3ecc476671460e00c2d91237c86a620190d51f Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 17:03:03 +0200
Subject: [PATCH 13/33] OVN plugin: add no-router network offerings

---
 .../com/cloud/offering/NetworkOffering.java   |  2 +
 .../admin/network/NetworkOfferingBaseCmd.java | 11 +++--
 .../admin/vpc/CreateVPCOfferingCmd.java       | 11 +++--
 .../orchestration/NetworkOrchestrator.java    | 46 ++++++++++++++++++-
 .../network/guru/OvsGuestNetworkGuru.java     |  4 +-
 .../com/cloud/network/vpc/VpcManagerImpl.java | 28 +++++++----
 .../cloud/server/ConfigurationServerImpl.java | 20 ++++++--
 7 files changed, 100 insertions(+), 22 deletions(-)

diff --git a/api/src/main/java/com/cloud/offering/NetworkOffering.java b/api/src/main/java/com/cloud/offering/NetworkOffering.java
index 5000a4f8c626..9fe44fe2d798 100644
--- a/api/src/main/java/com/cloud/offering/NetworkOffering.java
+++ b/api/src/main/java/com/cloud/offering/NetworkOffering.java
@@ -66,6 +66,8 @@ enum RoutingMode {
     public static final String DEFAULT_ROUTED_NSX_OFFERING_FOR_VPC = "DefaultRoutedNSXNetworkOfferingForVpc";
     public static final String DEFAULT_ROUTED_NETRIS_OFFERING_FOR_VPC = "DefaultRoutedNetrisNetworkOfferingForVpc";
     public static final String DEFAULT_NAT_NETRIS_OFFERING_FOR_VPC = "DefaultNATNetrisNetworkOfferingForVpc";
+    public static final String DEFAULT_NAT_OVN_OFFERING = "DefaultNATOVNNetworkOffering";
+    public static final String DEFAULT_NAT_OVN_OFFERING_FOR_VPC = "DefaultNATOVNNetworkOfferingForVpc";
     public static final String DEFAULT_NAT_NSX_OFFERING = "DefaultNATNSXNetworkOffering";
     public static final String DEFAULT_ROUTED_NSX_OFFERING = "DefaultRoutedNSXNetworkOffering";
     public final static String QuickCloudNoServices = "QuickCloudNoServices";
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
index c1321fc31823..20a0ca90c916 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
@@ -272,9 +272,11 @@ public List<String> getSupportedServices() {
         } else {
             List<String> services = new ArrayList<>(List.of(
                     Dhcp.getName(),
-                    Dns.getName(),
-                    UserData.getName()
+                    Dns.getName()
             ));
+            if (!isOvnProvider(getProvider())) {
+                services.add(UserData.getName());
+            }
             if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode())) {
                 services.addAll(Arrays.asList(
                         StaticNat.getName(),
@@ -375,7 +377,7 @@ private void getServiceProviderMapForExternalProvider(Map<String, List<String>>
         String routerProvider = Boolean.TRUE.equals(getForVpc()) ? VirtualRouterProvider.Type.VPCVirtualRouter.name() :
                 VirtualRouterProvider.Type.VirtualRouter.name();
         List<String> unsupportedServices = new ArrayList<>(List.of("Vpn", "Gateway", "SecurityGroup", "Connectivity", "BaremetalPxeService"));
-        List<String> routerSupported = List.of("Dhcp", "Dns", "UserData");
+        List<String> routerSupported = isOvnProvider(provider) ? List.of() : List.of("Dhcp", "Dns", "UserData");
         List<String> allServices = Network.Service.listAllServices().stream().map(Network.Service::getName).collect(Collectors.toList());
         if (routerProvider.equals(VirtualRouterProvider.Type.VPCVirtualRouter.name())) {
             unsupportedServices.add("Firewall");
@@ -387,6 +389,9 @@ private void getServiceProviderMapForExternalProvider(Map<String, List<String>>
                 continue;
             if (routerSupported.contains(service))
                 serviceProviderMap.put(service, List.of(routerProvider));
+            else if (isOvnProvider(provider) && (Dhcp.getName().equalsIgnoreCase(service) || Dns.getName().equalsIgnoreCase(service))) {
+                serviceProviderMap.put(service, List.of(provider));
+            }
             else if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode()) || NetworkACL.getName().equalsIgnoreCase(service)) {
                 serviceProviderMap.put(service, List.of(provider));
             }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
index 4eb9d5f546f9..4b33e3a6c91c 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
@@ -190,9 +190,11 @@ public List<String> getSupportedServices() {
             supportedServices = new ArrayList<>(List.of(
                     Dhcp.getName(),
                     Dns.getName(),
-                    NetworkACL.getName(),
-                    UserData.getName()
+                    NetworkACL.getName()
                     ));
+            if (!isOvnProvider(getProvider())) {
+                supportedServices.add(UserData.getName());
+            }
             if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode())) {
                 supportedServices.addAll(Arrays.asList(
                         StaticNat.getName(),
@@ -253,13 +255,16 @@ private void getServiceProviderMapForExternalProvider(Map<String, List<String>>
         if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode())) {
             unsupportedServices.add("Gateway");
         }
-        List<String> routerSupported = List.of("Dhcp", "Dns", "UserData");
+        List<String> routerSupported = isOvnProvider(provider) ? List.of() : List.of("Dhcp", "Dns", "UserData");
         List<String> allServices = Network.Service.listAllServices().stream().map(Network.Service::getName).collect(Collectors.toList());
         for (String service : allServices) {
             if (unsupportedServices.contains(service))
                 continue;
             if (routerSupported.contains(service))
                 serviceProviderMap.put(service, List.of(VirtualRouterProvider.Type.VPCVirtualRouter.name()));
+            else if (isOvnProvider(provider) && (Dhcp.getName().equalsIgnoreCase(service) || Dns.getName().equalsIgnoreCase(service))) {
+                serviceProviderMap.put(service, List.of(provider));
+            }
             else if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode()) ||
                     Stream.of(NetworkACL.getName(), Gateway.getName()).anyMatch(s -> s.equalsIgnoreCase(service))) {
                 serviceProviderMap.put(service, List.of(provider));
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 224357dca655..6d5722958128 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -626,7 +626,49 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                             true, null, true, false, null, false, null, true, false, false, false, false, null, null, null, true, null, null, false);
                 }
 
-                //#8 - network offering with internal lb service
+                //#8 - OVN isolated offering with source nat enabled and no Virtual Router dependency
+                if (_networkOfferingDao.findByUniqueName(NetworkOffering.DEFAULT_NAT_OVN_OFFERING) == null) {
+                    final Map<Network.Service, Set<Network.Provider>> defaultOvnIsolatedOfferingProviders = new HashMap<>();
+                    final Set<Network.Provider> ovnProvider = new HashSet<>();
+                    ovnProvider.add(Network.Provider.Ovn);
+                    defaultOvnIsolatedOfferingProviders.put(Service.Dhcp, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.Dns, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.Firewall, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.Gateway, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.Lb, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.SourceNat, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.StaticNat, ovnProvider);
+                    defaultOvnIsolatedOfferingProviders.put(Service.PortForwarding, ovnProvider);
+                    offering = _configMgr.createNetworkOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING,
+                            "Offering for OVN enabled networks - NAT mode", TrafficType.Guest, null, false, Availability.Optional, null,
+                            defaultOvnIsolatedOfferingProviders, true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false, null,
+                            true, false, false, false, false, null, null, null, true, null, null, false);
+                    offering.setPublicLb(true);
+                    _networkOfferingDao.update(offering.getId(), offering);
+                }
+
+                //#9 - OVN VPC offering with source nat enabled and no Virtual Router dependency
+                if (_networkOfferingDao.findByUniqueName(NetworkOffering.DEFAULT_NAT_OVN_OFFERING_FOR_VPC) == null) {
+                    final Map<Network.Service, Set<Network.Provider>> defaultOvnVpcOfferingProviders = new HashMap<>();
+                    final Set<Network.Provider> ovnProvider = new HashSet<>();
+                    ovnProvider.add(Network.Provider.Ovn);
+                    defaultOvnVpcOfferingProviders.put(Service.Dhcp, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.Dns, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.NetworkACL, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.Gateway, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.Lb, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.SourceNat, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.StaticNat, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.PortForwarding, ovnProvider);
+                    offering = _configMgr.createNetworkOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING_FOR_VPC,
+                            "Offering for OVN enabled networks on VPCs - NAT mode", TrafficType.Guest, null, false, Availability.Optional, null,
+                            defaultOvnVpcOfferingProviders, true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false, null,
+                            true, true, false, false, false, null, null, null, true, null, null, false);
+                    offering.setPublicLb(true);
+                    _networkOfferingDao.update(offering.getId(), offering);
+                }
+
+                //#10 - network offering with internal lb service
                 final Map<Network.Service, Set<Network.Provider>> internalLbOffProviders = new HashMap<>();
                 final Set<Network.Provider> defaultVpcProvider = new HashSet<>();
                 defaultVpcProvider.add(Network.Provider.VPCVirtualRouter);
@@ -4939,7 +4981,7 @@ public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[]{NetworkGcWait, NetworkGcInterval, NetworkLockTimeout, DeniedRoutes,
                 GuestDomainSuffix, NetworkThrottlingRate, MinVRVersion,
                 PromiscuousMode, MacAddressChanges, ForgedTransmits, MacLearning, RollingRestartEnabled,
-                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, OVN_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN,
+                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN,
                 NETWORK_LB_HAPROXY_IDLE_TIMEOUT};
     }
 }
diff --git a/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java b/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
index 571afa8d79ed..d58653ed75c6 100644
--- a/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
+++ b/plugins/network-elements/ovs/src/main/java/com/cloud/network/guru/OvsGuestNetworkGuru.java
@@ -77,9 +77,9 @@ protected boolean canHandle(NetworkOffering offering,
             && isMyTrafficType(offering.getTrafficType())
             && offering.getGuestType() == Network.GuestType.Isolated
             && isMyIsolationMethod(physicalNetwork)
+            && _ntwkOfferingSrvcDao.isProviderForNetworkOffering(offering.getId(), Network.Provider.Ovs)
             && _ntwkOfferingSrvcDao.areServicesSupportedByNetworkOffering(
-                offering.getId(), Service.Connectivity)
-            && _ntwkOfferingSrvcDao.isProviderForNetworkOffering(offering.getId(), Network.Provider.Ovs)) {
+                offering.getId(), Service.Connectivity)) {
             return true;
         } else if (networkType == NetworkType.Advanced
             && offering.getGuestType() == GuestType.Shared
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 5b4ab908ca4c..3bb3cc35c3f7 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -137,6 +137,7 @@
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.NetrisProviderDao;
 import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.dao.OvnProviderDao;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
@@ -147,6 +148,7 @@
 import com.cloud.network.element.NetworkACLServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.NsxProviderVO;
+import com.cloud.network.element.OvnProviderVO;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.VpcProvider;
 import com.cloud.network.router.CommandSetupHelper;
@@ -314,6 +316,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     @Inject
     private NetrisProviderDao netrisProviderDao;
     @Inject
+    private OvnProviderDao ovnProviderDao;
+    @Inject
     RoutedIpv4Manager routedIpv4Manager;
     @Inject
     DomainRouterDao domainRouterDao;
@@ -334,7 +338,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     private List<VpcProvider> vpcElements = null;
     private final List<Service> nonSupportedServices = Arrays.asList(Service.SecurityGroup, Service.Firewall);
     private final List<Provider> supportedProviders = Arrays.asList(Provider.VPCVirtualRouter, Provider.NiciraNvp, Provider.InternalLbVm, Provider.Netscaler,
-            Provider.JuniperContrailVpcRouter, Provider.Ovs, Provider.BigSwitchBcf, Provider.ConfigDrive, Provider.Nsx, Provider.Netris);
+            Provider.JuniperContrailVpcRouter, Provider.Ovs, Provider.BigSwitchBcf, Provider.ConfigDrive, Provider.Nsx, Provider.Netris, Provider.Ovn);
 
     int _cleanupInterval;
     int _maxNetworks;
@@ -1733,10 +1737,11 @@ public Vpc createVpc(CreateVPCCmd cmd) throws ResourceAllocationException {
         String sourceNatIP = cmd.getSourceNatIP();
         boolean forNsx = isVpcForProvider(Provider.Nsx, vpc);
         boolean forNetris = isVpcForProvider(Provider.Netris, vpc);
+        boolean forOvn = isVpcForProvider(Provider.Ovn, vpc);
         try {
-            if (sourceNatIP != null || forNsx || forNetris) {
-                if (forNsx || forNetris) {
-                    logger.info("Provided source NAT IP will be ignored in an NSX-enabled or Netris-enabled zone");
+            if (sourceNatIP != null || forNsx || forNetris || forOvn) {
+                if (forNsx || forNetris || forOvn) {
+                    logger.info("Provided source NAT IP will be ignored in an NSX-enabled, Netris-enabled or OVN-enabled zone");
                     sourceNatIP = null;
                 }
                 logger.info(String.format("Trying to allocate the specified IP [%s] as the source NAT of VPC [%s].", sourceNatIP, vpc));
@@ -2511,8 +2516,9 @@ public void validateNtwkOffForVpc(final NetworkOffering guestNtwkOff, final List
         // 2) Only Isolated networks with Source nat service enabled can be
         // added to vpc
         boolean isForNsx = _ntwkModel.isProviderForNetworkOffering(Provider.Nsx, guestNtwkOff.getId());
-        boolean isForNNetris = _ntwkModel.isProviderForNetworkOffering(Provider.Netris, guestNtwkOff.getId());
-        if (!isForNsx && !isForNNetris
+        boolean isForNetris = _ntwkModel.isProviderForNetworkOffering(Provider.Netris, guestNtwkOff.getId());
+        boolean isForOvn = _ntwkModel.isProviderForNetworkOffering(Provider.Ovn, guestNtwkOff.getId());
+        if (!isForNsx && !isForNetris && !isForOvn
                 && !(guestNtwkOff.getGuestType() == GuestType.Isolated && (supportedSvcs.contains(Service.SourceNat) || supportedSvcs.contains(Service.Gateway)))) {
 
             throw new InvalidParameterValueException("Only network offerings of type " + GuestType.Isolated + " with service " + Service.SourceNat.getName()
@@ -3898,6 +3904,8 @@ public PublicIp assignSourceNatIpAddressToVpc(final Account owner, final Vpc vpc
         boolean forNsx = nsxProvider != null;
         NetrisProviderVO netrisProvider = netrisProviderDao.findByZoneId(dcId);
         boolean forNetris = netrisProvider != null;
+        OvnProviderVO ovnProvider = ovnProviderDao.findByZoneId(dcId);
+        boolean forOvn = ovnProvider != null;
 
         final IPAddressVO sourceNatIp = getExistingSourceNatInVpc(owner.getId(), vpc.getId(), forNsx, forNetris);
 
@@ -3906,7 +3914,7 @@ public PublicIp assignSourceNatIpAddressToVpc(final Account owner, final Vpc vpc
         if (sourceNatIp != null) {
             ipToReturn = PublicIp.createFromAddrAndVlan(sourceNatIp, _vlanDao.findById(sourceNatIp.getVlanId()));
         } else {
-            if (forNsx || forNetris) {
+            if (forNsx || forNetris || forOvn) {
                 // Assign VR (helper VM) public NIC IP address from the separate provider Public IP range/pool
                 // NSX: VR uses Public IP from the system VM range
                 // Netris: VR uses Public IP from the non system VM range
@@ -3954,11 +3962,13 @@ public boolean isSrcNatIpRequired(long vpcOfferingId) {
         return (Objects.nonNull(vpcOffSvcProvidersMap.get(Network.Service.SourceNat))
                 && (vpcOffSvcProvidersMap.get(Network.Service.SourceNat).contains(Network.Provider.VPCVirtualRouter)
                 || vpcOffSvcProvidersMap.get(Service.SourceNat).contains(Provider.Nsx)
-                || vpcOffSvcProvidersMap.get(Service.SourceNat).contains(Provider.Netris)))
+                || vpcOffSvcProvidersMap.get(Service.SourceNat).contains(Provider.Netris)
+                || vpcOffSvcProvidersMap.get(Service.SourceNat).contains(Provider.Ovn)))
                 || (Objects.nonNull(vpcOffSvcProvidersMap.get(Network.Service.Gateway))
                     && (vpcOffSvcProvidersMap.get(Service.Gateway).contains(Network.Provider.VPCVirtualRouter)
                     || vpcOffSvcProvidersMap.get(Service.Gateway).contains(Provider.Nsx)
-                    || vpcOffSvcProvidersMap.get(Service.Gateway).contains(Network.Provider.Netris)));
+                    || vpcOffSvcProvidersMap.get(Service.Gateway).contains(Network.Provider.Netris)
+                    || vpcOffSvcProvidersMap.get(Service.Gateway).contains(Network.Provider.Ovn)));
     }
 
      @Override
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index 8f10dd84b54d..976d1bd7a6da 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
@@ -1222,6 +1222,14 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                 // Offering #15 - network offering for Netris provider for VPCs - NATTED mode
                 createAndPersistDefaultProviderOffering(NetworkOffering.DEFAULT_NAT_NETRIS_OFFERING_FOR_VPC, "Offering for Netris enabled networks on VPCs - NAT mode",
                         NetworkOffering.NetworkMode.NATTED, true, true, true, Provider.Netris);
+
+                // Offering #16 - network offering for OVN provider - NATTED mode
+                createAndPersistDefaultProviderOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING, "Offering for OVN enabled networks - NAT mode",
+                        NetworkOffering.NetworkMode.NATTED, false, true, false, Provider.Ovn);
+
+                // Offering #17 - network offering for OVN provider for VPCs - NATTED mode
+                createAndPersistDefaultProviderOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING_FOR_VPC, "Offering for OVN enabled networks on VPCs - NAT mode",
+                        NetworkOffering.NetworkMode.NATTED, true, true, false, Provider.Ovn);
             }
         });
     }
@@ -1251,15 +1259,21 @@ private void createAndPersistDefaultProviderOffering(String name, String display
     private Map<Service, Provider> getServicesAndProvidersForProviderNetwork(NetworkOffering.NetworkMode networkMode, boolean forVpc, Provider provider) {
         final Map<Network.Service, Network.Provider> serviceProviderMap = new HashMap<>();
         Provider routerProvider = forVpc ? Provider.VPCVirtualRouter : Provider.VirtualRouter;
-        serviceProviderMap.put(Service.Dhcp, routerProvider);
-        serviceProviderMap.put(Service.Dns, routerProvider);
-        serviceProviderMap.put(Service.UserData, routerProvider);
+        Provider controlPlaneProvider = Provider.Ovn.equals(provider) ? provider : routerProvider;
+        serviceProviderMap.put(Service.Dhcp, controlPlaneProvider);
+        serviceProviderMap.put(Service.Dns, controlPlaneProvider);
+        if (!Provider.Ovn.equals(provider)) {
+            serviceProviderMap.put(Service.UserData, routerProvider);
+        }
         if (forVpc) {
             serviceProviderMap.put(Service.NetworkACL, provider);
         } else {
             serviceProviderMap.put(Service.Firewall, provider);
         }
         if (networkMode == NetworkOffering.NetworkMode.NATTED) {
+            if (Provider.Ovn.equals(provider)) {
+                serviceProviderMap.put(Service.Gateway, provider);
+            }
             serviceProviderMap.put(Service.SourceNat, provider);
             serviceProviderMap.put(Service.StaticNat, provider);
             serviceProviderMap.put(Service.PortForwarding, provider);

From 6e7c612400622361de564b007d44d9a306b47456 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 18:08:40 +0200
Subject: [PATCH 14/33] OVN plugin: implement PortForwarding and NetworkACL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PortForwarding (applyPFRules):
- Adds dnat_and_snat NAT rows with external_port + protocol columns
- Handles port ranges by iterating extPortStart..extPortEnd
- Logs a warning when external port ≠ internal port (OVN NAT does 1:1
  port mapping; full remapping would require a Load_Balancer rule)
- Revoke path removes per-port rows via removeNatRulesByExternalIpAndPort
- Anchors public LRP Gateway_Chassis on first call so ovn-northd
  materialises the lr_in_dnat pipeline

NetworkACL (applyNetworkACLs):
- Full-sync: wipe all ACLs tagged cloudstack_network_id=<id> then
  re-install the authoritative set so reordering and list replacements
  converge correctly
- CloudStack Ingress → OVN to-lport; Egress → from-lport
- OVN priority derived from rule.getNumber() (lower CS# = higher prio)
- Default-drop at priority 1 for both directions matches CloudStack's
  implicit deny-all-unmatched semantics (OVN default is allow-all)
- buildNetworkAclMatch: supports tcp/udp (port range), icmp (type/code),
  all, and source/destination CIDR sets

OvnNbClient additions:
- addNatRuleWithPorts: inserts NAT row with external_port (Set<Long>)
  and protocol (Set<String>) optional columns; idempotency check
  filters client-side since OVSDB WHERE cannot match into set columns
- removeNatRulesByExternalIpAndPort: select-then-delete pattern with
  LR.nat mutation to satisfy strong-ref integrity (same as existing
  removeNatRulesByExternalIp)
- natRuleWithPortExists: helper to detect existing port-scoped NAT rows
---
 .../apache/cloudstack/service/OvnElement.java | 193 ++++++++++++++++++
 .../cloudstack/service/OvnNbClient.java       | 165 +++++++++++++++
 2 files changed, 358 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 13a522d0732d..6888aceeb014 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -638,6 +638,66 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
 
     @Override
     public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(network);
+        String routerName = getLogicalRouterName(network);
+        try {
+            // Anchor the public LRP so ovn-northd materialises the dnat pipeline.
+            String anchorChassis = pickAnchorChassis(provider, network);
+            if (anchorChassis != null) {
+                ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        "lrp-" + getPublicLogicalSwitchName(network), anchorChassis, 10);
+            }
+            for (PortForwardingRule rule : rules) {
+                IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
+                if (ipVo == null || ipVo.getAddress() == null) {
+                    continue;
+                }
+                String externalIp = ipVo.getAddress().addr();
+                String logicalIp = rule.getDestIpAddress();
+                String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
+                int extPortStart = rule.getSourcePortStart() != null ? rule.getSourcePortStart() : 0;
+                int extPortEnd = rule.getSourcePortEnd() != null ? rule.getSourcePortEnd() : extPortStart;
+                int destPortBase = rule.getDestPort() != null ? rule.getDestPort() : extPortStart;
+
+                if (rule.getState() == FirewallRule.State.Revoke) {
+                    for (int extPort = extPortStart; extPort <= extPortEnd; extPort++) {
+                        ovnNbClient.removeNatRulesByExternalIpAndPort(provider.getNbConnection(),
+                                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                                routerName, "dnat_and_snat", externalIp, extPort, protocol);
+                    }
+                    continue;
+                }
+
+                NicVO targetNic = logicalIp != null ? nicDao.findByIp4AddressAndNetworkId(logicalIp, network.getId()) : null;
+                String distributedLogicalPort = targetNic != null ? targetNic.getUuid() : null;
+                String distributedMac = buildRouterMac(network.getId(), true);
+
+                // OVN NAT translates externalIp:externalPort → logicalIp:externalPort (same port).
+                // When destPort ≠ extPort we log a warning; full port-remapping requires an LB rule.
+                for (int i = 0; i <= extPortEnd - extPortStart; i++) {
+                    int extPort = extPortStart + i;
+                    int destPort = destPortBase + i;
+                    if (destPort != extPort) {
+                        logger.warn("OVN NAT cannot remap ports: rule {} maps external port {} to internal port {};"
+                                + " forwarding to external port on VM instead", rule.getId(), extPort, destPort);
+                    }
+                    Map<String, String> ext = new HashMap<>();
+                    ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+                    ext.put("cloudstack_nat_kind", "portforward");
+                    ext.put("cloudstack_pf_rule_id", String.valueOf(rule.getId()));
+                    ovnNbClient.addNatRuleWithPorts(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            routerName, "dnat_and_snat", externalIp, extPort, protocol, logicalIp, ext,
+                            distributedMac, distributedLogicalPort);
+                }
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+        }
         return true;
     }
 
@@ -783,9 +843,142 @@ protected void ensureFirewallDefaultDeny(OvnProviderVO provider, Network network
 
     @Override
     public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
+        if (config.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(config);
+        String guestLs = getLogicalSwitchName(config);
+        String networkId = String.valueOf(config.getId());
+        try {
+            // Full sync: wipe every ACL currently tagged to this network and re-install
+            // the authoritative set. This keeps OVN state consistent even when rules are
+            // reordered or the ACL list is replaced entirely.
+            ovnNbClient.removeAclsOnLsByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    guestLs, "cloudstack_network_id", networkId);
+
+            if (rules != null) {
+                for (NetworkACLItem rule : rules) {
+                    if (rule.getState() == NetworkACLItem.State.Revoke) {
+                        continue;
+                    }
+                    programNetworkAclRule(provider, config, guestLs, rule);
+                }
+            }
+            // Always install a default-deny at priority 1 for both directions so that
+            // unmatched traffic is dropped (OVN ACL default is allow when no rule matches).
+            ensureNetworkAclDefaultDeny(provider, config, guestLs);
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, config.getDataCenterId());
+        }
         return true;
     }
 
+    /**
+     * Translates a single {@link NetworkACLItem} into an OVN ACL row on the guest Logical_Switch.
+     * CloudStack {@code Ingress} (traffic into the VM) maps to OVN {@code to-lport}; {@code Egress}
+     * (traffic from the VM) maps to {@code from-lport}. Priority is derived from the rule number
+     * so that lower CloudStack rule numbers take precedence (higher OVN priority).
+     */
+    protected void programNetworkAclRule(OvnProviderVO provider, Network network,
+                                          String guestLs, NetworkACLItem rule) {
+        String direction = rule.getTrafficType() == NetworkACLItem.TrafficType.Ingress
+                ? "to-lport" : "from-lport";
+        String aclAction = rule.getAction() == NetworkACLItem.Action.Allow ? "allow-related" : "drop";
+        // CloudStack rule number starts at 1; lower = higher CloudStack priority = higher OVN prio.
+        long ovnPriority = Math.max(2L, 1000L - (rule.getNumber() != null ? rule.getNumber() : 500));
+        String matchExpr = buildNetworkAclMatch(direction, rule);
+        if (matchExpr == null) {
+            return;
+        }
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_acl_rule_id", String.valueOf(rule.getId()));
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        ext.put("cloudstack_acl_direction", direction);
+        ovnNbClient.addAclOnLs(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                guestLs, "nacl-" + rule.getId(), direction, ovnPriority, matchExpr, aclAction, ext);
+    }
+
+    /**
+     * Builds the OVN match expression for a NetworkACL rule on the guest LS. For {@code to-lport}
+     * (ingress) the source address is matched; for {@code from-lport} (egress) the destination
+     * address is matched.
+     */
+    protected String buildNetworkAclMatch(String ovnDirection, NetworkACLItem rule) {
+        boolean isIngress = "to-lport".equals(ovnDirection);
+        String proto = rule.getProtocol() == null ? "all" : rule.getProtocol().toLowerCase();
+        StringBuilder sb = new StringBuilder("ip4");
+        List<String> cidrs = rule.getSourceCidrList();
+        if (cidrs != null && !cidrs.isEmpty()) {
+            StringBuilder cidrSet = new StringBuilder();
+            for (String cidr : cidrs) {
+                if (cidr == null || cidr.isEmpty() || "0.0.0.0/0".equals(cidr)) {
+                    cidrSet.setLength(0);
+                    break;
+                }
+                if (cidrSet.length() > 0) cidrSet.append(", ");
+                cidrSet.append(cidr);
+            }
+            if (cidrSet.length() > 0) {
+                // For ingress the CIDR is the packet source; for egress it is the destination.
+                sb.append(isIngress ? " && ip4.src == {" : " && ip4.dst == {")
+                        .append(cidrSet).append("}");
+            }
+        }
+        switch (proto) {
+            case "tcp":
+            case "udp": {
+                sb.append(" && ").append(proto);
+                Integer portStart = rule.getSourcePortStart();
+                Integer portEnd = rule.getSourcePortEnd();
+                if (portStart != null && portEnd != null) {
+                    String portCol = isIngress ? proto + ".dst" : proto + ".src";
+                    if (portStart.equals(portEnd)) {
+                        sb.append(" && ").append(portCol).append(" == ").append(portStart);
+                    } else {
+                        sb.append(" && ").append(portCol).append(" >= ").append(portStart)
+                                .append(" && ").append(portCol).append(" <= ").append(portEnd);
+                    }
+                }
+                break;
+            }
+            case "icmp": {
+                sb.append(" && icmp4");
+                if (rule.getIcmpType() != null && rule.getIcmpType() != -1) {
+                    sb.append(" && icmp4.type == ").append(rule.getIcmpType());
+                }
+                if (rule.getIcmpCode() != null && rule.getIcmpCode() != -1) {
+                    sb.append(" && icmp4.code == ").append(rule.getIcmpCode());
+                }
+                break;
+            }
+            case "all":
+                break;
+            default:
+                logger.warn("Skipping NetworkACL rule {} with unsupported protocol [{}]", rule.getId(), proto);
+                return null;
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Installs a default-drop ACL at priority 1 for both directions on the guest LS. Without this
+     * OVN would allow any traffic not matched by an explicit rule (OVN ACL default is allow-all).
+     */
+    protected void ensureNetworkAclDefaultDeny(OvnProviderVO provider, Network network, String guestLs) {
+        String networkId = String.valueOf(network.getId());
+        for (String dir : new String[]{"to-lport", "from-lport"}) {
+            Map<String, String> ext = new HashMap<>();
+            ext.put("cloudstack_acl_default", "true");
+            ext.put("cloudstack_network_id", networkId);
+            ext.put("cloudstack_acl_direction", dir);
+            ovnNbClient.addAclOnLs(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    guestLs, "nacl-default-" + dir, dir, 1L, "ip4", "drop", ext);
+        }
+    }
+
     @Override
     public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
         return true;
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index e26605c8af90..5b675639c157 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -701,6 +701,171 @@ public void addNatRule(String nbConnection, String caCertPath, String clientCert
         });
     }
 
+    /**
+     * Idempotently adds a port-specific NAT rule (DNAT) to a Logical_Router. The rule matches
+     * traffic arriving at {@code externalIp:externalPort/protocol} and DNATs it to
+     * {@code logicalIp:externalPort} (OVN translates destination port to the same value).
+     * Setting {@code distributedMac} and {@code distributedLogicalPort} marks the row as
+     * distributed so ovn-northd applies DNAT on the workload chassis without the gateway.
+     */
+    public void addNatRuleWithPorts(String nbConnection, String caCertPath, String clientCertPath,
+                                    String clientPrivateKeyPath,
+                                    String routerName, String natType, String externalIp,
+                                    int externalPort, String protocol, String logicalIp,
+                                    Map<String, String> externalIds,
+                                    String distributedMac, String distributedLogicalPort) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(natType)
+                || StringUtils.isBlank(externalIp) || StringUtils.isBlank(logicalIp)
+                || StringUtils.isBlank(protocol)) {
+            throw new CloudRuntimeException("addNatRuleWithPorts: arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+            ColumnSchema<GenericTableSchema, String> natLogCol = natTable.column("logical_ip", String.class);
+            ColumnSchema<GenericTableSchema, Set<Long>> natExtPortCol = natTable.multiValuedColumn("external_port", Long.class);
+            ColumnSchema<GenericTableSchema, Set<String>> natProtoCol = natTable.multiValuedColumn("protocol", String.class);
+
+            if (natRuleWithPortExists(client, schema, natTable, natType, externalIp, externalPort, protocol)) {
+                logger.debug("NAT [{} {}:{}/{}→{}] on {} already exists - skipping",
+                        natType, externalIp, externalPort, protocol, logicalIp, routerName);
+                return null;
+            }
+
+            Insert<GenericTableSchema> insertNat = OVSDB_OPS.insert(natTable)
+                    .withId("newnat")
+                    .value(natTypeCol, natType)
+                    .value(natExtCol, externalIp)
+                    .value(natLogCol, logicalIp)
+                    .value(natExtPortCol, Collections.singleton((long) externalPort))
+                    .value(natProtoCol, Collections.singleton(protocol));
+            if (externalIds != null && !externalIds.isEmpty()) {
+                @SuppressWarnings({"rawtypes", "unchecked"})
+                ColumnSchema<GenericTableSchema, Map> extIdsCol = natTable.column("external_ids", Map.class);
+                insertNat = insertNat.value(extIdsCol, new HashMap<>(externalIds));
+            }
+            if (StringUtils.isNotBlank(distributedMac)) {
+                ColumnSchema<GenericTableSchema, String> extMacCol = natTable.column("external_mac", String.class);
+                insertNat = insertNat.value(extMacCol, distributedMac);
+            }
+            if (StringUtils.isNotBlank(distributedLogicalPort)) {
+                ColumnSchema<GenericTableSchema, String> logPortCol = natTable.column("logical_port", String.class);
+                insertNat = insertNat.value(logPortCol, distributedLogicalPort);
+            }
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertNat);
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrNatCol, Mutator.INSERT, Collections.singleton(new UUID("newnat")))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("add NAT %s %s:%d/%s→%s on %s",
+                    natType, externalIp, externalPort, protocol, logicalIp, routerName));
+            logger.info("Added OVN port NAT [{} {}:{}/{} → {}] on Logical_Router [{}] at {}",
+                    natType, externalIp, externalPort, protocol, logicalIp, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes every NAT row matching {@code type + externalIp + externalPort + protocol} from
+     * the Logical_Router. Idempotent: no-op if nothing matches.
+     */
+    public void removeNatRulesByExternalIpAndPort(String nbConnection, String caCertPath, String clientCertPath,
+                                                  String clientPrivateKeyPath,
+                                                  String routerName, String natType,
+                                                  String externalIp, int externalPort, String protocol) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(natType)
+                || StringUtils.isBlank(externalIp) || StringUtils.isBlank(protocol)) {
+            throw new CloudRuntimeException("removeNatRulesByExternalIpAndPort: arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema natTable = schema.table(NAT_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+            ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+            ColumnSchema<GenericTableSchema, UUID> natUuidCol = natTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<Long>> natExtPortCol = natTable.multiValuedColumn("external_port", Long.class);
+            ColumnSchema<GenericTableSchema, Set<String>> natProtoCol = natTable.multiValuedColumn("protocol", String.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrNatCol = lrTable.multiValuedColumn("nat", UUID.class);
+
+            // Select all rows matching type+externalIp, then filter by port+protocol client-side
+            // because OVSDB conditions cannot match inside set columns.
+            Operation<GenericTableSchema> sel = OVSDB_OPS.select(natTable)
+                    .column(natUuidCol).column(natExtPortCol).column(natProtoCol)
+                    .where(natTypeCol.opEqual(natType))
+                    .and(natExtCol.opEqual(externalIp)).build();
+            List<OperationResult> selResult = client.transact(schema, Collections.<Operation>singletonList(sel))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (selResult == null || selResult.isEmpty() || selResult.get(0).getRows() == null) {
+                return null;
+            }
+            List<UUID> uuids = new ArrayList<>();
+            for (Row<GenericTableSchema> row : selResult.get(0).getRows()) {
+                @SuppressWarnings("unchecked")
+                Set<Long> ports = (Set<Long>) row.getColumn(natExtPortCol).getData();
+                @SuppressWarnings("unchecked")
+                Set<String> protos = (Set<String>) row.getColumn(natProtoCol).getData();
+                if (ports != null && ports.contains((long) externalPort)
+                        && protos != null && protos.contains(protocol)) {
+                    uuids.add(row.getColumn(natUuidCol).getData());
+                }
+            }
+            if (uuids.isEmpty()) {
+                return null;
+            }
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrNatCol, Mutator.DELETE, new java.util.HashSet<>(uuids))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            for (UUID u : uuids) {
+                ops.add(OVSDB_OPS.delete(natTable).where(natUuidCol.opEqual(u)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("remove NAT %s %s:%d/%s on %s",
+                    natType, externalIp, externalPort, protocol, routerName));
+            logger.info("Removed {} OVN port NAT row(s) [{} {}:{}/{}] on Logical_Router [{}] at {}",
+                    uuids.size(), natType, externalIp, externalPort, protocol, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    private boolean natRuleWithPortExists(OvsdbClient client, DatabaseSchema schema, GenericTableSchema natTable,
+                                          String natType, String externalIp, int externalPort,
+                                          String protocol) throws Exception {
+        ColumnSchema<GenericTableSchema, String> natTypeCol = natTable.column("type", String.class);
+        ColumnSchema<GenericTableSchema, String> natExtCol = natTable.column("external_ip", String.class);
+        ColumnSchema<GenericTableSchema, Set<Long>> natExtPortCol = natTable.multiValuedColumn("external_port", Long.class);
+        ColumnSchema<GenericTableSchema, Set<String>> natProtoCol = natTable.multiValuedColumn("protocol", String.class);
+        ColumnSchema<GenericTableSchema, UUID> uuidCol = natTable.column("_uuid", UUID.class);
+        Operation<GenericTableSchema> sel = OVSDB_OPS.select(natTable)
+                .column(uuidCol).column(natExtPortCol).column(natProtoCol)
+                .where(natTypeCol.opEqual(natType))
+                .and(natExtCol.opEqual(externalIp)).build();
+        List<OperationResult> results = client.transact(schema, Collections.<Operation>singletonList(sel))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (results == null || results.isEmpty() || results.get(0).getRows() == null) {
+            return false;
+        }
+        for (Row<GenericTableSchema> row : results.get(0).getRows()) {
+            @SuppressWarnings("unchecked")
+            Set<Long> ports = (Set<Long>) row.getColumn(natExtPortCol).getData();
+            @SuppressWarnings("unchecked")
+            Set<String> protos = (Set<String>) row.getColumn(natProtoCol).getData();
+            if (ports != null && ports.contains((long) externalPort)
+                    && protos != null && protos.contains(protocol)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     /**
      * Removes every NAT rule matching {@code type}+{@code external_ip} from the Logical_Router,
      * regardless of logical_ip. Convenient when reverting a static NAT mapping where the caller

From 6af5297ca3623fbc61fa74468e6f1d29863dd0f3 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 19:44:58 +0200
Subject: [PATCH 15/33] OVN plugin: announce SourceNat IPs via gARP and stop
 NAT-based PortForwarding

SNAT replies were silently lost when another device on the public VLAN claimed
the same external IP first - the upstream switch CAM table cached the wrong
MAC, and our LR's only ARP behaviour was to respond when asked. With no
unsolicited announcement, return traffic to 10.0.56.183 routed to the wrong
host until manual intervention.

Fix: configure options:nat-addresses on the type=router LSP that peers the
external LRP, formatted as "<LR_external_MAC> <SourceNat_IP> ...". On port
claim, ovn-controller emits gARPs for each address listed (initial burst then
periodic announce), forcing the upstream to converge on our MAC. Use the
explicit string form rather than nat-addresses=router because the keyword mode
only covers dnat_and_snat rules with logical_port set, which excludes plain
SNAT. Also set exclude-lb-vips-from-garp=true to stay consistent with the
Neutron OVN driver default.

Triggered from applySourceNatForNetwork (initial implement) and applyIps
(runtime IP assignment) so updates converge whenever CloudStack adds/removes
a SourceNat IP. Helper rebuilds the full address list from the DB so multiple
SourceNat IPs on a single network all get announced.

OvnNbClient: new setLspOptions() merges entries into Logical_Switch_Port.options,
preserving keys we don't manage (router-port) and bailing out when nothing
changes to avoid spurious NB notifications.

PortForwarding: drop the NAT-based path. OVN NB schema 24.03 removed
NAT.external_port and NAT.protocol; the previous code referenced both columns
and crashed at runtime with "ColumnSchema is null" when revoking PF rules.
applyPFRules now logs a clear warning and returns true; LB-backed PF (the
Neutron pattern) will land in a follow-up.
---
 .../apache/cloudstack/service/OvnElement.java | 118 +++++++++---------
 .../cloudstack/service/OvnNbClient.java       |  54 ++++++++
 2 files changed, 112 insertions(+), 60 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 6888aceeb014..67b3d4e87074 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -346,9 +346,52 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                         routerName, "0.0.0.0/0", externalGateway);
             }
+            applyNatAddressesAnnouncement(provider, network);
         }
     }
 
+    /**
+     * Tells ovn-controller (running on the gateway chassis for this LR) to announce the public
+     * IPs of this network via gratuitous ARPs. Without this, the upstream switch / router only
+     * learns our LR's MAC when it ARPs for one of those IPs - which races against any other
+     * device on the public segment that may also claim the same address (legitimately or not).
+     *
+     * <p>The mechanism: ovn-controller, when it claims the cr-lrp Port_Binding for this LR's
+     * gateway, looks at {@code options:nat-addresses} on the type=router LSP that peers the
+     * external LRP. If it is set to the explicit {@code "<MAC> <IP> ..."} format, ovn-controller
+     * emits gARP for each IP. The {@code router} keyword only covers {@code dnat_and_snat}
+     * rules with {@code logical_port} set, so it skips plain SNAT - which is why we need the
+     * explicit form here.</p>
+     */
+    protected void applyNatAddressesAnnouncement(OvnProviderVO provider, Network network) {
+        String publicLs = getPublicLogicalSwitchName(network);
+        String externalLrpLsp = "lsp-lrp-" + publicLs;
+        String routerMac = buildRouterMac(network.getId(), true);
+        StringBuilder addresses = new StringBuilder(routerMac);
+        boolean any = false;
+        List<IPAddressVO> ips = ipAddressDao.listByAssociatedNetwork(network.getId(), true);
+        if (ips != null) {
+            for (IPAddressVO ipVo : ips) {
+                if (ipVo.getAddress() == null || !ipVo.isSourceNat()) {
+                    continue;
+                }
+                addresses.append(' ').append(ipVo.getAddress().addr());
+                any = true;
+            }
+        }
+        if (!any) {
+            return;
+        }
+        Map<String, String> options = new HashMap<>();
+        options.put("nat-addresses", addresses.toString());
+        // Without this, ovn-controller would also gARP every Load_Balancer VIP on the LR; we have
+        // no LBs yet, but this stays consistent with the Neutron OVN driver default.
+        options.put("exclude-lb-vips-from-garp", "true");
+        ovnNbClient.setLspOptions(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                externalLrpLsp, options);
+    }
+
     @Override
     public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException {
@@ -535,6 +578,9 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
                             routerName, "snat", externalIp, guestCidr, natExt);
                 }
             }
+            // Refresh nat-addresses on the gateway-side LSP so ovn-controller emits gARPs for
+            // every current SourceNat IP. Idempotent and skipped when nothing changed.
+            applyNatAddressesAnnouncement(provider, network);
         } catch (CloudRuntimeException e) {
             throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
         }
@@ -638,65 +684,17 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
 
     @Override
     public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
-        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
-            return true;
-        }
-        OvnProviderVO provider = getProviderForNetwork(network);
-        String routerName = getLogicalRouterName(network);
-        try {
-            // Anchor the public LRP so ovn-northd materialises the dnat pipeline.
-            String anchorChassis = pickAnchorChassis(provider, network);
-            if (anchorChassis != null) {
-                ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
-                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                        "lrp-" + getPublicLogicalSwitchName(network), anchorChassis, 10);
-            }
-            for (PortForwardingRule rule : rules) {
-                IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
-                if (ipVo == null || ipVo.getAddress() == null) {
-                    continue;
-                }
-                String externalIp = ipVo.getAddress().addr();
-                String logicalIp = rule.getDestIpAddress();
-                String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
-                int extPortStart = rule.getSourcePortStart() != null ? rule.getSourcePortStart() : 0;
-                int extPortEnd = rule.getSourcePortEnd() != null ? rule.getSourcePortEnd() : extPortStart;
-                int destPortBase = rule.getDestPort() != null ? rule.getDestPort() : extPortStart;
-
-                if (rule.getState() == FirewallRule.State.Revoke) {
-                    for (int extPort = extPortStart; extPort <= extPortEnd; extPort++) {
-                        ovnNbClient.removeNatRulesByExternalIpAndPort(provider.getNbConnection(),
-                                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                                routerName, "dnat_and_snat", externalIp, extPort, protocol);
-                    }
-                    continue;
-                }
-
-                NicVO targetNic = logicalIp != null ? nicDao.findByIp4AddressAndNetworkId(logicalIp, network.getId()) : null;
-                String distributedLogicalPort = targetNic != null ? targetNic.getUuid() : null;
-                String distributedMac = buildRouterMac(network.getId(), true);
-
-                // OVN NAT translates externalIp:externalPort → logicalIp:externalPort (same port).
-                // When destPort ≠ extPort we log a warning; full port-remapping requires an LB rule.
-                for (int i = 0; i <= extPortEnd - extPortStart; i++) {
-                    int extPort = extPortStart + i;
-                    int destPort = destPortBase + i;
-                    if (destPort != extPort) {
-                        logger.warn("OVN NAT cannot remap ports: rule {} maps external port {} to internal port {};"
-                                + " forwarding to external port on VM instead", rule.getId(), extPort, destPort);
-                    }
-                    Map<String, String> ext = new HashMap<>();
-                    ext.put("cloudstack_network_id", String.valueOf(network.getId()));
-                    ext.put("cloudstack_nat_kind", "portforward");
-                    ext.put("cloudstack_pf_rule_id", String.valueOf(rule.getId()));
-                    ovnNbClient.addNatRuleWithPorts(provider.getNbConnection(),
-                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                            routerName, "dnat_and_snat", externalIp, extPort, protocol, logicalIp, ext,
-                            distributedMac, distributedLogicalPort);
-                }
-            }
-        } catch (CloudRuntimeException e) {
-            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+        // OVN NB schema 24.03 dropped NAT.external_port / NAT.protocol in favour of port-based
+        // forwarding via Load_Balancer rows (vips: "<fip>:<ext>" -> "<int_ip>:<int>"). The
+        // previous NAT-based path crashed at runtime because those columns no longer exist.
+        // TODO: re-implement applyPFRules on top of OvnNbClient.{add,remove}LoadBalancer once
+        // the LB primitives land - see ovn_octavia driver in the Neutron tree for the pattern.
+        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN
+                && rules != null && !rules.isEmpty()) {
+            logger.warn("OVN plugin: PortForwarding requested for network {} but NAT-based PF was"
+                    + " removed from OVN NB 24.03 (no external_port column). Skipping {} rule(s);"
+                    + " Load_Balancer-backed PF is on the roadmap.",
+                    network.getUuid(), rules.size());
         }
         return true;
     }
@@ -886,7 +884,7 @@ protected void programNetworkAclRule(OvnProviderVO provider, Network network,
                 ? "to-lport" : "from-lport";
         String aclAction = rule.getAction() == NetworkACLItem.Action.Allow ? "allow-related" : "drop";
         // CloudStack rule number starts at 1; lower = higher CloudStack priority = higher OVN prio.
-        long ovnPriority = Math.max(2L, 1000L - (rule.getNumber() != null ? rule.getNumber() : 500));
+        long ovnPriority = Math.max(2L, 1000L - rule.getNumber());
         String matchExpr = buildNetworkAclMatch(direction, rule);
         if (matchExpr == null) {
             return;
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 5b675639c157..bf8cd0593f61 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -422,6 +422,60 @@ public void setLspDhcpv4Options(String nbConnection, String caCertPath, String c
         });
     }
 
+    /**
+     * Merges the supplied entries into the {@code options} column of an existing Logical_Switch_Port.
+     * Existing keys not in {@code optionsToSet} are preserved; keys in {@code optionsToSet} are
+     * overwritten. Use this to set values like {@code nat-addresses="<MAC> <IP> ..."} on the
+     * gateway-side LSP so ovn-controller emits gratuitous ARPs for SNAT/FIP addresses on claim.
+     */
+    public void setLspOptions(String nbConnection, String caCertPath, String clientCertPath,
+                              String clientPrivateKeyPath,
+                              String lspName, Map<String, String> optionsToSet) {
+        if (StringUtils.isBlank(lspName)) {
+            throw new CloudRuntimeException("LSP name is blank");
+        }
+        if (optionsToSet == null || optionsToSet.isEmpty()) {
+            return;
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lspTable = schema.table(LOGICAL_SWITCH_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lspNameCol = lspTable.column("name", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> optsCol = lspTable.column("options", Map.class);
+
+            Operation<GenericTableSchema> select = OVSDB_OPS.select(lspTable)
+                    .column(optsCol).where(lspNameCol.opEqual(lspName)).build();
+            List<OperationResult> selResult = client.transact(schema, Collections.<Operation>singletonList(select))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (selResult == null || selResult.isEmpty() || selResult.get(0).getRows() == null
+                    || selResult.get(0).getRows().isEmpty()) {
+                throw new CloudRuntimeException("LSP " + lspName + " not found while setting options");
+            }
+            @SuppressWarnings("unchecked")
+            Map<String, String> existing = (Map<String, String>) selResult.get(0).getRows().get(0)
+                    .getColumn(optsCol).getData();
+            Map<String, String> merged = new HashMap<>();
+            if (existing != null) merged.putAll(existing);
+            merged.putAll(optionsToSet);
+
+            // Bail out when nothing actually changes - avoids spurious NB notifications that
+            // ripple to ovn-controller and cause unnecessary recomputes.
+            if (existing != null && existing.equals(merged)) {
+                logger.debug("LSP [{}] options already at desired state - skipping update", lspName);
+                return null;
+            }
+
+            Operation<GenericTableSchema> update = OVSDB_OPS.update(lspTable)
+                    .set(optsCol, merged).where(lspNameCol.opEqual(lspName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(update))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("set options on LSP %s", lspName));
+            logger.info("Set options [{}] on Logical_Switch_Port [{}] at {}", optionsToSet, lspName, nbConnection);
+            return null;
+        });
+    }
+
     private UUID findDhcpOptionsByNetworkId(OvsdbClient client, DatabaseSchema schema,
                                             GenericTableSchema dhcpTable, String networkId) throws Exception {
         ColumnSchema<GenericTableSchema, UUID> uuidCol = dhcpTable.column("_uuid", UUID.class);

From ed6306138a6d150893b3ac46151c015b889f5c0d Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 23:21:32 +0200
Subject: [PATCH 16/33] OVN plugin: implement PortForwarding via Load_Balancer

OVN NB schema 24.03 dropped NAT.external_port and NAT.protocol; even where the
columns existed, NAT-based DNAT could not remap an external port to a different
internal port, which CloudStack PortForwarding semantics require. This commit
replaces the (broken) NAT-based path with Load_Balancer rows, the same approach
the Neutron OVN port-forwarding driver uses.

OvnNbClient gains four primitives:

  createOrReplaceLoadBalancer(name, protocol, vips, externalIds, options)
    Inserts or atomically updates a Load_Balancer row keyed by name. vips is
    the canonical "<vip_ip>:<vip_port>" -> "<backend_ip>:<backend_port>" map -
    OVN northd interprets each entry as one DNAT rule and rewrites both IP
    and port, which is what we need for source != destination port mappings.

  attachLoadBalancerToRouter(routerName, lbName)
    Mutates Logical_Router.load_balancer to include the LB. Idempotent.

  attachLoadBalancerToSwitch(switchName, lbName)
    Same for Logical_Switch.load_balancer. Required for return traffic when a
    backend VM talks to its own FIP (RHBZ#2043543) - without it, the LS would
    not see the LB pipeline on egress and replies to hairpin traffic would be
    SNATed incorrectly.

  removeLoadBalancersByExternalId(key, value)
    Walks every LR and LS, mutates their load_balancer set to detach matching
    LBs, then deletes the LB rows themselves. Detach must come first because
    Load_Balancer is a strong reference set in the OVN NB schema.

OvnElement.applyPFRules now translates each PortForwardingRule into one LB:

  - LB name: pf-<rule_id>-<protocol> (one row per rule, simple to revoke)
  - vips: one entry per source port. CloudStack range A-B mapped to internal
    range C-D becomes A->C, A+1->C+1, ..., B->D. A single dest port is also
    supported (all source ports map to the same internal port). Mismatched
    range sizes are rejected.
  - protocol: tcp/udp/sctp - any other value is skipped with a warning
  - external_ids: cloudstack_pf_rule_id, cloudstack_network_id,
    cloudstack_nat_kind=portforward (used by revoke)
  - options: hairpin_snat_ip=<external_ip> so a VM behind the FIP can talk
    to its own public address without the router mis-routing the reply
  - attached to both LR (cs-router-<network_id>) and guest LS
    (cs-net-<network_id>)

Defensive cap: ranges over MAX_PF_RANGE (256) are rejected to keep transactions
bounded - users with bigger needs can split the rule.

Validated end-to-end in the lab: created PF rule public:22 -> VM:22, LB row
showed up with vips={"10.0.111.209:22":"10.1.1.66:22"} attached to LR and LS,
external TCP probe to the public IP completed handshake on the VM tap with the
OpenSSH banner reaching the client.
---
 .../apache/cloudstack/service/OvnElement.java | 127 ++++++++-
 .../cloudstack/service/OvnNbClient.java       | 253 ++++++++++++++++++
 2 files changed, 369 insertions(+), 11 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 67b3d4e87074..18e360d1c43c 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -682,23 +682,128 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
         return true;
     }
 
+    /**
+     * Cap on the size of a single PortForwarding rule's port range. CloudStack lets the user
+     * declare arbitrarily large ranges; we expand each rule into one Load_Balancer.vips entry
+     * per port, so very large ranges would balloon the NB row. 256 is enough for the common
+     * case (small service ranges) without risking an unbounded transaction.
+     */
+    private static final int MAX_PF_RANGE = 256;
+
     @Override
     public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
-        // OVN NB schema 24.03 dropped NAT.external_port / NAT.protocol in favour of port-based
-        // forwarding via Load_Balancer rows (vips: "<fip>:<ext>" -> "<int_ip>:<int>"). The
-        // previous NAT-based path crashed at runtime because those columns no longer exist.
-        // TODO: re-implement applyPFRules on top of OvnNbClient.{add,remove}LoadBalancer once
-        // the LB primitives land - see ovn_octavia driver in the Neutron tree for the pattern.
-        if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN
-                && rules != null && !rules.isEmpty()) {
-            logger.warn("OVN plugin: PortForwarding requested for network {} but NAT-based PF was"
-                    + " removed from OVN NB 24.03 (no external_port column). Skipping {} rule(s);"
-                    + " Load_Balancer-backed PF is on the roadmap.",
-                    network.getUuid(), rules.size());
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(network);
+        String routerName = getLogicalRouterName(network);
+        String guestLs = getLogicalSwitchName(network);
+        try {
+            for (PortForwardingRule rule : rules) {
+                programPortForwardingRule(provider, network, routerName, guestLs, rule);
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
         }
         return true;
     }
 
+    /**
+     * Translates one CloudStack {@link PortForwardingRule} into an OVN {@code Load_Balancer} row.
+     * Naming: {@code pf-<rule_id>-<protocol>}. The LB carries one VIP entry per port in the
+     * source range mapped to the corresponding destination port. Backed by {@link
+     * OvnNbClient#createOrReplaceLoadBalancer}, then attached to the network's Logical_Router and
+     * its guest Logical_Switch (the LS attachment is the Neutron-recommended workaround for
+     * RHBZ#2043543 — VMs talking to their own FIP need the LB visible on the LS too).
+     *
+     * <p>NAT-based PortForwarding was removed from OVN NB 24.03 (the {@code external_port} and
+     * {@code protocol} columns are gone), and even where it existed it could not remap a public
+     * port to a different internal port — which CloudStack semantics require. Load_Balancer
+     * gives us both the port translation and the per-rule revoke story (delete the LB by
+     * external_ids tag).</p>
+     */
+    protected void programPortForwardingRule(OvnProviderVO provider, Network network,
+                                              String routerName, String guestLs, PortForwardingRule rule) {
+        String ruleTag = String.valueOf(rule.getId());
+        if (rule.getState() == FirewallRule.State.Revoke) {
+            ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    "cloudstack_pf_rule_id", ruleTag);
+            return;
+        }
+
+        IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
+        if (ipVo == null || ipVo.getAddress() == null) {
+            logger.warn("PF rule {} references unknown source IP id {} - skipping", rule.getId(), rule.getSourceIpAddressId());
+            return;
+        }
+        String externalIp = ipVo.getAddress().addr();
+        String logicalIp = rule.getDestinationIpAddress() != null ? rule.getDestinationIpAddress().addr() : null;
+        if (logicalIp == null || logicalIp.isEmpty()) {
+            logger.warn("PF rule {} has no destination IP - skipping", rule.getId());
+            return;
+        }
+        String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
+        if (!"tcp".equals(protocol) && !"udp".equals(protocol) && !"sctp".equals(protocol)) {
+            logger.warn("PF rule {} protocol [{}] is not supported by OVN Load_Balancer - skipping", rule.getId(), protocol);
+            return;
+        }
+
+        int extStart = rule.getSourcePortStart() != null ? rule.getSourcePortStart() : 0;
+        int extEnd = rule.getSourcePortEnd() != null ? rule.getSourcePortEnd() : extStart;
+        int destStart = rule.getDestinationPortStart();
+        int destEnd = rule.getDestinationPortEnd();
+        int extRange = extEnd - extStart + 1;
+        int destRange = destEnd - destStart + 1;
+        if (extRange <= 0) {
+            logger.warn("PF rule {} has invalid source port range [{}, {}]", rule.getId(), extStart, extEnd);
+            return;
+        }
+        if (extRange > MAX_PF_RANGE) {
+            logger.warn("PF rule {} source range size [{}] exceeds MAX_PF_RANGE [{}] - rejecting",
+                    rule.getId(), extRange, MAX_PF_RANGE);
+            return;
+        }
+        // CloudStack allows the destination range to be either equal in length to the source
+        // range (1:1 mapping with a possible offset) or a single port (all source ports map to
+        // the same internal port). Anything else is ambiguous.
+        boolean destSinglePort = destRange == 1;
+        if (destRange != extRange && !destSinglePort) {
+            logger.warn("PF rule {} dest range [{}-{}] mismatches source range [{}-{}] - skipping",
+                    rule.getId(), destStart, destEnd, extStart, extEnd);
+            return;
+        }
+
+        Map<String, String> vips = new HashMap<>();
+        for (int i = 0; i < extRange; i++) {
+            int extPort = extStart + i;
+            int destPort = destSinglePort ? destStart : destStart + i;
+            vips.put(externalIp + ":" + extPort, logicalIp + ":" + destPort);
+        }
+
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_pf_rule_id", ruleTag);
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        ext.put("cloudstack_nat_kind", "portforward");
+
+        // hairpin_snat_ip lets a VM behind the FIP talk to its own public IP without ovn-northd
+        // mis-routing the reply. Cost: a tiny extra rewrite. Neutron sets it unconditionally for
+        // FIP-style LBs.
+        Map<String, String> options = new HashMap<>();
+        options.put("hairpin_snat_ip", externalIp);
+
+        String lbName = "pf-" + ruleTag + "-" + protocol;
+        ovnNbClient.createOrReplaceLoadBalancer(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                lbName, protocol, vips, ext, options);
+        ovnNbClient.attachLoadBalancerToRouter(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, lbName);
+        ovnNbClient.attachLoadBalancerToSwitch(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                guestLs, lbName);
+    }
+
     @Override
     public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
         if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index bf8cd0593f61..3e19816412c0 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -64,6 +64,7 @@ public class OvnNbClient {
     private static final String DHCP_OPTIONS_TABLE = "DHCP_Options";
     private static final String NAT_TABLE = "NAT";
     private static final String ACL_TABLE = "ACL";
+    private static final String LOAD_BALANCER_TABLE = "Load_Balancer";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -1138,6 +1139,258 @@ public void addStaticRoute(String nbConnection, String caCertPath, String client
         });
     }
 
+    /**
+     * Idempotently creates or updates a Load_Balancer row keyed by name. {@code vips} is a map of
+     * {@code "<vip_ip>:<vip_port>"} → {@code "<backend_ip>:<backend_port>[,...]"}. {@code protocol}
+     * must be {@code tcp}, {@code udp} or {@code sctp}. Existing row is reset to the supplied
+     * vips/protocol/options/external_ids - the row name is the stable identifier.
+     *
+     * <p>The OVN NB schema for Load_Balancer.vips is a {@code map<string,string>}; OVN
+     * north interprets each entry as one DNAT mapping and may rewrite both IP and port (which is
+     * exactly what we need for CloudStack PortForwarding rules where source and destination ports
+     * can differ).</p>
+     */
+    public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath, String clientCertPath,
+                                            String clientPrivateKeyPath,
+                                            String name, String protocol, Map<String, String> vips,
+                                            Map<String, String> externalIds, Map<String, String> options) {
+        if (StringUtils.isBlank(name)) {
+            throw new CloudRuntimeException("Load_Balancer name is blank");
+        }
+        if (vips == null || vips.isEmpty()) {
+            throw new CloudRuntimeException("Load_Balancer vips must be non-empty");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> nameCol = lbTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> uuidCol = lbTable.column("_uuid", UUID.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> vipsCol = lbTable.column("vips", Map.class);
+            ColumnSchema<GenericTableSchema, Set<String>> protoCol = lbTable.multiValuedColumn("protocol", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> optsCol = lbTable.column("options", Map.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> extIdsCol = lbTable.column("external_ids", Map.class);
+
+            // Look up existing row by name.
+            Operation<GenericTableSchema> sel = OVSDB_OPS.select(lbTable).column(uuidCol)
+                    .where(nameCol.opEqual(name)).build();
+            List<OperationResult> selResult = client.transact(schema, Collections.<Operation>singletonList(sel))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            UUID existing = null;
+            if (selResult != null && !selResult.isEmpty() && selResult.get(0).getRows() != null
+                    && !selResult.get(0).getRows().isEmpty()) {
+                existing = selResult.get(0).getRows().get(0).getColumn(uuidCol).getData();
+            }
+
+            List<Operation> ops = new ArrayList<>();
+            if (existing == null) {
+                Insert<GenericTableSchema> insert = OVSDB_OPS.insert(lbTable)
+                        .value(nameCol, name)
+                        .value(vipsCol, new HashMap<>(vips));
+                if (StringUtils.isNotBlank(protocol)) {
+                    insert = insert.value(protoCol, Collections.singleton(protocol));
+                }
+                if (options != null && !options.isEmpty()) {
+                    insert = insert.value(optsCol, new HashMap<>(options));
+                }
+                if (externalIds != null && !externalIds.isEmpty()) {
+                    insert = insert.value(extIdsCol, new HashMap<>(externalIds));
+                }
+                ops.add(insert);
+            } else {
+                // Replace contents in-place. Mutate explicit columns even if empty so stale entries
+                // from a prior revision do not leak through.
+                ops.add(OVSDB_OPS.update(lbTable)
+                        .set(vipsCol, new HashMap<>(vips))
+                        .set(protoCol, StringUtils.isNotBlank(protocol)
+                                ? Collections.singleton(protocol)
+                                : Collections.<String>emptySet())
+                        .set(optsCol, options != null ? new HashMap<>(options) : new HashMap<>())
+                        .set(extIdsCol, externalIds != null ? new HashMap<>(externalIds) : new HashMap<>())
+                        .where(uuidCol.opEqual(existing)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("createOrReplace Load_Balancer %s", name));
+            logger.info("Wrote Load_Balancer [{}] vips={} protocol={} options={} at {}",
+                    name, vips, protocol, options, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently links a Load_Balancer (by name) into a Logical_Router's {@code load_balancer}
+     * set. Used to make ovn-northd evaluate the LB DNAT pipeline on traffic arriving at this LR.
+     */
+    public void attachLoadBalancerToRouter(String nbConnection, String caCertPath, String clientCertPath,
+                                            String clientPrivateKeyPath,
+                                            String routerName, String lbName) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(lbName)) {
+            throw new CloudRuntimeException("Logical_Router/Load_Balancer name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lbNameCol = lbTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> lbUuidCol = lbTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrLbCol = lrTable.multiValuedColumn("load_balancer", UUID.class);
+
+            UUID lbUuid = lookupUuidByName(client, schema, lbTable, lbNameCol, lbUuidCol, lbName);
+            if (lbUuid == null) {
+                throw new CloudRuntimeException("Load_Balancer " + lbName + " not found while attaching to LR " + routerName);
+            }
+            Operation<GenericTableSchema> mutate = OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrLbCol, Mutator.INSERT, Collections.singleton(lbUuid))
+                    .where(lrNameCol.opEqual(routerName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(mutate))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("attach LB %s to LR %s", lbName, routerName));
+            logger.debug("Attached Load_Balancer [{}] to Logical_Router [{}] at {}", lbName, routerName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Idempotently links a Load_Balancer (by name) into a Logical_Switch's {@code load_balancer}
+     * set. Required for return-traffic visibility (RHBZ#2043543) when a VM on this switch is the
+     * backend of a port-forwarding rule attached to the upstream router.
+     */
+    public void attachLoadBalancerToSwitch(String nbConnection, String caCertPath, String clientCertPath,
+                                            String clientPrivateKeyPath,
+                                            String switchName, String lbName) {
+        if (StringUtils.isBlank(switchName) || StringUtils.isBlank(lbName)) {
+            throw new CloudRuntimeException("Logical_Switch/Load_Balancer name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lsNameCol = lsTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lbNameCol = lbTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> lbUuidCol = lbTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lsLbCol = lsTable.multiValuedColumn("load_balancer", UUID.class);
+
+            UUID lbUuid = lookupUuidByName(client, schema, lbTable, lbNameCol, lbUuidCol, lbName);
+            if (lbUuid == null) {
+                throw new CloudRuntimeException("Load_Balancer " + lbName + " not found while attaching to LS " + switchName);
+            }
+            Operation<GenericTableSchema> mutate = OVSDB_OPS.mutate(lsTable)
+                    .addMutation(lsLbCol, Mutator.INSERT, Collections.singleton(lbUuid))
+                    .where(lsNameCol.opEqual(switchName)).build();
+            List<OperationResult> results = client.transact(schema, Collections.singletonList(mutate))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("attach LB %s to LS %s", lbName, switchName));
+            logger.debug("Attached Load_Balancer [{}] to Logical_Switch [{}] at {}", lbName, switchName, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes every Load_Balancer row whose {@code external_ids} contains {@code key=value}. First
+     * walks every Logical_Router and Logical_Switch, mutates their {@code load_balancer} sets to
+     * detach the matching LBs, then deletes the LB rows themselves. Detach is required because
+     * {@code load_balancer} is a strong reference set in the OVN NB schema.
+     */
+    public int removeLoadBalancersByExternalId(String nbConnection, String caCertPath, String clientCertPath,
+                                                 String clientPrivateKeyPath,
+                                                 String externalIdKey, String externalIdValue) {
+        if (StringUtils.isBlank(externalIdKey) || StringUtils.isBlank(externalIdValue)) {
+            throw new CloudRuntimeException("removeLoadBalancersByExternalId arguments are incomplete");
+        }
+        return runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema lsTable = schema.table(LOGICAL_SWITCH_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, UUID> lbUuidCol = lbTable.column("_uuid", UUID.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> lbExtCol = lbTable.column("external_ids", Map.class);
+            ColumnSchema<GenericTableSchema, UUID> lrUuidCol = lrTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrLbCol = lrTable.multiValuedColumn("load_balancer", UUID.class);
+            ColumnSchema<GenericTableSchema, UUID> lsUuidCol = lsTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lsLbCol = lsTable.multiValuedColumn("load_balancer", UUID.class);
+
+            // Step 1: collect LB UUIDs whose external_ids match.
+            Operation<GenericTableSchema> selLb = OVSDB_OPS.select(lbTable).column(lbUuidCol).column(lbExtCol);
+            List<OperationResult> lbResult = client.transact(schema, Collections.<Operation>singletonList(selLb))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            Set<UUID> matchedLbs = new java.util.HashSet<>();
+            if (lbResult != null && !lbResult.isEmpty() && lbResult.get(0).getRows() != null) {
+                for (Row<GenericTableSchema> row : lbResult.get(0).getRows()) {
+                    @SuppressWarnings("unchecked")
+                    Map<String, String> ext = (Map<String, String>) row.getColumn(lbExtCol).getData();
+                    if (ext != null && externalIdValue.equals(ext.get(externalIdKey))) {
+                        matchedLbs.add(row.getColumn(lbUuidCol).getData());
+                    }
+                }
+            }
+            if (matchedLbs.isEmpty()) {
+                return 0;
+            }
+
+            // Step 2: walk LRs/LSes and detach. We pull the full set then mutate per row that
+            // actually contains one of our UUIDs - keeps the transaction small.
+            List<Operation> ops = new ArrayList<>();
+            collectDetachOps(client, schema, lrTable, lrUuidCol, lrLbCol, matchedLbs, ops);
+            collectDetachOps(client, schema, lsTable, lsUuidCol, lsLbCol, matchedLbs, ops);
+
+            // Step 3: delete the LB rows themselves.
+            for (UUID u : matchedLbs) {
+                ops.add(OVSDB_OPS.delete(lbTable).where(lbUuidCol.opEqual(u)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("remove LBs by %s=%s", externalIdKey, externalIdValue));
+            logger.info("Removed {} Load_Balancer row(s) tagged [{}={}] at {}",
+                    matchedLbs.size(), externalIdKey, externalIdValue, nbConnection);
+            return matchedLbs.size();
+        });
+    }
+
+    private void collectDetachOps(OvsdbClient client, DatabaseSchema schema,
+                                   GenericTableSchema parentTable,
+                                   ColumnSchema<GenericTableSchema, UUID> parentUuidCol,
+                                   ColumnSchema<GenericTableSchema, Set<UUID>> lbRefCol,
+                                   Set<UUID> targetLbUuids,
+                                   List<Operation> ops) throws Exception {
+        Operation<GenericTableSchema> sel = OVSDB_OPS.select(parentTable).column(parentUuidCol).column(lbRefCol);
+        List<OperationResult> result = client.transact(schema, Collections.<Operation>singletonList(sel))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (result == null || result.isEmpty() || result.get(0).getRows() == null) {
+            return;
+        }
+        for (Row<GenericTableSchema> row : result.get(0).getRows()) {
+            @SuppressWarnings("unchecked")
+            Set<UUID> refs = (Set<UUID>) row.getColumn(lbRefCol).getData();
+            if (refs == null || refs.isEmpty()) continue;
+            Set<UUID> overlap = new java.util.HashSet<>(refs);
+            overlap.retainAll(targetLbUuids);
+            if (overlap.isEmpty()) continue;
+            UUID parentUuid = row.getColumn(parentUuidCol).getData();
+            ops.add(OVSDB_OPS.mutate(parentTable)
+                    .addMutation(lbRefCol, Mutator.DELETE, overlap)
+                    .where(parentUuidCol.opEqual(parentUuid)).build());
+        }
+    }
+
+    private UUID lookupUuidByName(OvsdbClient client, DatabaseSchema schema,
+                                   GenericTableSchema table,
+                                   ColumnSchema<GenericTableSchema, String> nameCol,
+                                   ColumnSchema<GenericTableSchema, UUID> uuidCol,
+                                   String name) throws Exception {
+        Operation<GenericTableSchema> sel = OVSDB_OPS.select(table).column(uuidCol)
+                .where(nameCol.opEqual(name)).build();
+        List<OperationResult> result = client.transact(schema, Collections.<Operation>singletonList(sel))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (result == null || result.isEmpty() || result.get(0).getRows() == null
+                || result.get(0).getRows().isEmpty()) {
+            return null;
+        }
+        return result.get(0).getRows().get(0).getColumn(uuidCol).getData();
+    }
+
     /**
      * Idempotently installs an ACL row on the named Logical_Switch. The caller is expected to
      * tag the ACL via {@code external_ids} so subsequent revocation can target the row by tag

From d762a14ad4aa51c2cae45a8dc3ce616a22a291c0 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Tue, 28 Apr 2026 23:35:34 +0200
Subject: [PATCH 17/33] OVN plugin: clean up per-IP artifacts on release and
 prune stale gateway chassis

Two real bugs hit during lab work surfaced two cleanup gaps that this commit
closes.

(1) Per-IP default-drop ACL leaked on disassociate.

ensureFirewallDefaultDeny plants an ACL of the form

  outport == "lsp-lrp-cs-pub-<id>" && ip4 && ip4.dst == <public_ip>
  action=drop priority=100
  external_ids={cloudstack_fw_default=true, cloudstack_fw_ip=<ip>, ...}

so that the OVN default-allow on a logical switch does not leak public traffic
to internal hosts when no explicit allow rule covers it. The ACL row carries
no cloudstack_fw_rule_id - applyFWRules revoke (which removes ACLs by rule_id)
never matched it, so the row stayed alive when the public IP was disassociated.
A subsequent reassignment of the same IP to another tenant would then inherit
the old drop, blocking traffic invisibly.

Fix: extend the IP-Releasing branch of applyIps to fire for every public IP
(not just SourceNat ones) and call a new cleanupPublicIpArtifacts helper that
drops all ACLs tagged cloudstack_fw_ip=<ip> on the public LS, plus any
dnat_and_snat NAT row on that external IP, plus refreshes the LSP nat-addresses
list so the IP stops being announced via gARP. Validated end-to-end: associate
+ FW rule produced the default-drop and the allow-related rows, disassociate
removed both with no SQL or ovn-nbctl intervention.

(2) Gateway_Chassis row pointed to a dead chassis after host re-add.

When a KVM host is destroyed and re-added (which happened naturally during the
zone rebuild today), ovn-controller registers the chassis with a fresh OVS
system-id. Our existing setLrpGatewayChassis is idempotent on (lrp, chassis),
so it noticed nothing wrong and the old Gateway_Chassis row stayed bound to
the deceased system-id. ovn-northd then never claimed the cr-lrp port and
SNAT/DNAT silently broke for the network until we manually deleted the row.

Fix: new OvnNbClient.pruneStaleGatewayChassis(lrp, liveChassisNames) that
walks the LRP's gateway_chassis set, checks each row's chassis_name against
the SB live chassis list, detaches and deletes the stale ones in a single
transaction. pickAnchorChassis now invokes it before returning a chassis to
the caller, so any subsequent setLrpGatewayChassis call sees a clean slate
and inserts a Gateway_Chassis row pointing at a live chassis.
---
 .../apache/cloudstack/service/OvnElement.java | 72 ++++++++++++++++--
 .../cloudstack/service/OvnNbClient.java       | 73 +++++++++++++++++++
 2 files changed, 138 insertions(+), 7 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 18e360d1c43c..1aceed571c55 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -392,6 +392,38 @@ protected void applyNatAddressesAnnouncement(OvnProviderVO provider, Network net
                 externalLrpLsp, options);
     }
 
+    /**
+     * Wipes every OVN artifact tied to a public IP that CloudStack is releasing. Called from
+     * applyIps when ip.state == Releasing, regardless of SourceNat flag. This catches things our
+     * per-feature revoke callbacks miss:
+     *
+     * <ul>
+     *   <li>Per-IP default-drop ACL ({@code cloudstack_fw_default=true cloudstack_fw_ip=&lt;ip&gt;}).
+     *       Created by ensureFirewallDefaultDeny without a rule_id, so applyFWRules revoke would
+     *       not delete it. Without explicit cleanup it stays for the next tenant of the IP.</li>
+     *   <li>Any leftover {@code allow-related} ACL still tagged with this IP, in case a
+     *       FirewallRule revoke arrived out of order.</li>
+     *   <li>StaticNat dnat_and_snat NAT rows on this external IP that the StaticNat revoke
+     *       callback may have skipped (defensive).</li>
+     *   <li>Re-emits {@code nat-addresses} on the public LSP so the released IP stops being
+     *       announced via gARP.</li>
+     * </ul>
+     */
+    protected void cleanupPublicIpArtifacts(OvnProviderVO provider, Network network, String externalIp) {
+        String publicLs = getPublicLogicalSwitchName(network);
+        String routerName = getLogicalRouterName(network);
+        // ACLs: matches both per-rule and the default-drop, since both carry cloudstack_fw_ip.
+        ovnNbClient.removeAclsOnLsByExternalId(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                publicLs, "cloudstack_fw_ip", externalIp);
+        // dnat_and_snat NATs (StaticNat) on this IP — defensive; applyStaticNats normally clears.
+        ovnNbClient.removeNatRulesByExternalIp(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, "dnat_and_snat", externalIp);
+        // Refresh gARP announcement so this IP is no longer claimed by us.
+        applyNatAddressesAnnouncement(provider, network);
+    }
+
     @Override
     public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException {
@@ -543,13 +575,21 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
                 if (externalIp == null) {
                     continue;
                 }
-                if (ip.isSourceNat() && Boolean.TRUE.equals(services.contains(Network.Service.SourceNat))) {
-                    if (ip.getState() == com.cloud.network.IpAddress.State.Releasing) {
+                // Releasing IP: drop every artifact tagged with that IP regardless of whether it
+                // is SourceNat or not. CloudStack delivers fw/PF revoke through dedicated callbacks,
+                // but the per-IP default-drop ACL we plant via ensureFirewallDefaultDeny carries
+                // no rule_id - it would otherwise stay behind, blocking traffic if the same public
+                // IP is later reassigned. Same idea for any leftover dnat_and_snat NAT row.
+                if (ip.getState() == com.cloud.network.IpAddress.State.Releasing) {
+                    cleanupPublicIpArtifacts(provider, network, externalIp);
+                    if (ip.isSourceNat()) {
                         ovnNbClient.removeNatRule(provider.getNbConnection(),
                                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                                 routerName, "snat", externalIp, guestCidr);
-                        continue;
                     }
+                    continue;
+                }
+                if (ip.isSourceNat() && Boolean.TRUE.equals(services.contains(Network.Service.SourceNat))) {
                     // Ensure public-side LS + localnet port + LR external attachment exist
                     Map<String, String> publicLsExt = new HashMap<>();
                     publicLsExt.put("cloudstack_network_id", String.valueOf(network.getId()));
@@ -588,10 +628,15 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
     }
 
     /**
-     * Picks a chassis name to host the centralised gateway pipeline for this network's LR.
-     * For now we deterministically map the network to one of the registered hypervisor hosts
-     * to avoid every LR piling on the same chassis. A future iteration can rotate this when
-     * a chassis goes offline.
+     * Picks a chassis name to host the centralised gateway pipeline for this network's LR and,
+     * as a side-effect, prunes any {@code Gateway_Chassis} row on the network's public LRP that
+     * points to a chassis no longer registered in SB. This fixes a real problem we hit when a
+     * KVM host is destroyed and re-added: the host re-registers with a fresh OVS system-id, and
+     * any old Gateway_Chassis row keeps pointing to the dead system-id - ovn-northd refuses to
+     * claim the cr-lrp port and SNAT/DNAT silently break.
+     *
+     * <p>Returns the chassis system-id we want anchored, or {@code null} when SB has no live
+     * chassis at all (the LRP simply has no anchor in that case and the caller falls through).</p>
      */
     protected String pickAnchorChassis(OvnProviderVO provider, Network network) {
         if (provider == null || provider.getSbConnection() == null || provider.getSbConnection().isEmpty()) {
@@ -606,6 +651,19 @@ protected String pickAnchorChassis(OvnProviderVO provider, Network network) {
                 logger.warn("OVN SB reports no registered Chassis yet; deferring Gateway_Chassis anchor for network {}", network);
                 return null;
             }
+            // Drop any stale Gateway_Chassis row on the public LRP whose chassis_name is not in
+            // the live set. This must run BEFORE we hand back a name to the caller, because
+            // setLrpGatewayChassis is idempotent on (lrp_name, chassis_name) and will not detect
+            // a name change on its own.
+            String publicLrpName = "lrp-" + getPublicLogicalSwitchName(network);
+            try {
+                ovnNbClient.pruneStaleGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        publicLrpName, new java.util.HashSet<>(chassisNames));
+            } catch (CloudRuntimeException e) {
+                // LRP may not exist yet on the very first implement - that is fine, no rows to prune.
+                logger.debug("Skipping Gateway_Chassis prune for {} ({})", publicLrpName, e.getMessage());
+            }
             // Deterministic pick: sort by name and rotate by network id so several LRs do not
             // all pile on the same chassis. The Chassis row is keyed by the OVS system-id that
             // ovn-controller registers on each hypervisor.
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 3e19816412c0..8b6b19ff3ec1 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -1044,6 +1044,79 @@ public List<String> listSouthboundChassisNames(String sbConnection, String caCer
         });
     }
 
+    /**
+     * Removes any Gateway_Chassis row attached to {@code lrpName} whose {@code chassis_name} is
+     * not present in {@code liveChassisNames}. Used to clean up after a host is re-added to the
+     * zone with a fresh OVS system-id - the old Gateway_Chassis row would otherwise keep pointing
+     * to a chassis that no longer exists in SB, so ovn-northd never claims the cr-lrp port and
+     * the SNAT/DNAT pipeline stays unmaterialised. Returns the number of rows pruned.
+     */
+    public int pruneStaleGatewayChassis(String nbConnection, String caCertPath, String clientCertPath,
+                                         String clientPrivateKeyPath,
+                                         String lrpName, Set<String> liveChassisNames) {
+        if (StringUtils.isBlank(lrpName) || liveChassisNames == null) {
+            throw new CloudRuntimeException("pruneStaleGatewayChassis: arguments are incomplete");
+        }
+        return runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrpTable = schema.table(LOGICAL_ROUTER_PORT_TABLE, GenericTableSchema.class);
+            GenericTableSchema gcTable = schema.table(GATEWAY_CHASSIS_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrpNameCol = lrpTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrpGcCol = lrpTable.multiValuedColumn("gateway_chassis", UUID.class);
+            ColumnSchema<GenericTableSchema, UUID> gcUuidCol = gcTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, String> gcChassisCol = gcTable.column("chassis_name", String.class);
+
+            // Get the GC UUIDs currently bound to this LRP.
+            Operation<GenericTableSchema> selLrp = OVSDB_OPS.select(lrpTable).column(lrpGcCol)
+                    .where(lrpNameCol.opEqual(lrpName)).build();
+            List<OperationResult> lrpResult = client.transact(schema, Collections.<Operation>singletonList(selLrp))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (lrpResult == null || lrpResult.isEmpty() || lrpResult.get(0).getRows() == null
+                    || lrpResult.get(0).getRows().isEmpty()) {
+                return 0;
+            }
+            @SuppressWarnings("unchecked")
+            Set<UUID> gcRefs = (Set<UUID>) lrpResult.get(0).getRows().get(0).getColumn(lrpGcCol).getData();
+            if (gcRefs == null || gcRefs.isEmpty()) {
+                return 0;
+            }
+
+            // Inspect each GC row's chassis_name and collect stale ones.
+            Set<UUID> stale = new java.util.HashSet<>();
+            for (UUID gcUuid : gcRefs) {
+                Operation<GenericTableSchema> selGc = OVSDB_OPS.select(gcTable).column(gcChassisCol)
+                        .where(gcUuidCol.opEqual(gcUuid)).build();
+                List<OperationResult> gcResult = client.transact(schema, Collections.<Operation>singletonList(selGc))
+                        .get(timeoutMs, TimeUnit.MILLISECONDS);
+                if (gcResult == null || gcResult.isEmpty() || gcResult.get(0).getRows() == null
+                        || gcResult.get(0).getRows().isEmpty()) {
+                    continue;
+                }
+                String chassisName = gcResult.get(0).getRows().get(0).getColumn(gcChassisCol).getData();
+                if (chassisName == null || !liveChassisNames.contains(chassisName)) {
+                    stale.add(gcUuid);
+                }
+            }
+            if (stale.isEmpty()) {
+                return 0;
+            }
+
+            // Detach from LRP first (strong ref) then delete each GC row.
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lrpTable)
+                    .addMutation(lrpGcCol, Mutator.DELETE, stale)
+                    .where(lrpNameCol.opEqual(lrpName)).build());
+            for (UUID u : stale) {
+                ops.add(OVSDB_OPS.delete(gcTable).where(gcUuidCol.opEqual(u)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("prune stale Gateway_Chassis on LRP %s", lrpName));
+            logger.info("Pruned {} stale Gateway_Chassis row(s) from LRP [{}] (live chassis: {})",
+                    stale.size(), lrpName, liveChassisNames);
+            return stale.size();
+        });
+    }
+
     /**
      * Idempotently anchors a Logical_Router_Port to a chassis via Gateway_Chassis. This is what
      * lets ovn-northd materialise the centralised NAT pipeline for the LR (lr_in_dnat,

From b5fb23f45cff09d0acf5c163faf5476594817fdf Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 00:22:03 +0200
Subject: [PATCH 18/33] OVN plugin: implement Load Balancer (L4) with health
 checks

OVN's Load_Balancer is L4 only - the datapath has no TLS stack and no HTTP
parser. We expose only what OVN can honour, so the offering is honest with
the user instead of silently degrading L7 features.

OvnElement:
  - validateLBRule rejects rules whose protocol is not tcp/udp/sctp (catches
    http, ssl, tcp-proxy from the API/UI before persistence) and rejects the
    leastconn algorithm (OVN keeps no per-backend connection state).
  - Capabilities trim:
      * SupportedLBAlgorithms: "roundrobin,source"  (was: "roundrobin,leastconn")
      * SupportedProtocols:    "tcp,udp"             (no ssl/http)
      * LbSchemes:             "Public"              (Internal scheme deferred)
      * HealthCheckPolicy:     "true"                (so CS lets the user
                                                      attach a HC policy)
  - applyLBRules iterates rules; programLBRule:
      * Builds Load_Balancer.vips from rule.getDestinations() with
        "<external>:<public_port>" -> "<vm_ip>:<priv_port>,..." (one row per
        rule).
      * Maps algorithm/stickiness to selection_fields and affinity_timeout:
        algo=source or stickiness method SourceBased -> selection_fields=ip_src;
        stickiness expire/idletime/holdtime/timeout -> options:affinity_timeout
        (default 180s). Cookie-based stickiness logs and degrades to
        source-based since OVN cannot inspect L7.
      * Sets options:hairpin_snat_ip = external IP (Neutron-style) so a backend
        VM talking to its own public address gets a clean reply path.
      * external_ids tag: cloudstack_lb_rule_id, cloudstack_network_id,
        cloudstack_lb_kind=loadbalancer. Revoke uses the rule_id tag to drop
        the row and detach from LR/LS.
      * Populates Load_Balancer.ip_port_mappings (backend_ip ->
        "<lsp_name>:<source_ip>") so SB Service_Monitor knows from which LSP
        and source IP to probe each backend. The source IP is the LR's gateway
        on the guest LS (network.getGateway()).
      * Attaches the LB to LR (cs-router-<id>) and the guest LS (cs-net-<id>)
        - both attachments are required for the Neutron-recommended workaround
        for RHBZ#2043543 (LB visibility for return traffic from internal
        backends).
  - applyLBHealthCheck creates one Load_Balancer_Health_Check row per active
    HC policy, mapping CS fields:
        getHealthcheckInterval -> options:interval
        getResponseTime        -> options:timeout
        getHealthcheckThresshold -> options:success_count
        getUnhealthThresshold  -> options:failure_count
    HTTP/PING ping paths are accepted but warn-degraded to TCP probes since
    OVN cannot do HTTP-aware probes. ipPortMappings (already populated by
    programLBRule) lets the SB Service_Monitor source the probe correctly.
  - updateHealthChecks remains a stub - reading SB Service_Monitor status to
    surface red/green per backend back to the CS UI is a follow-up.

OvnNbClient:
  - createOrReplaceLoadBalancer overload that also writes selection_fields
    and ip_port_mappings; the existing 7-arg signature stays as a wrapper for
    PortForwarding (which doesn't need either).
  - setLoadBalancerHealthCheck(lbName, vip, options, ipPortMappings, ext_ids)
    inserts a fresh HC row in the same transaction that swaps LB.health_check,
    deleting any old HC the LB referenced (strong-ref; orphan-free).
  - clearLoadBalancerHealthCheck(lbName) is the symmetric op for HC revoke or
    no-policy state.

Validated end-to-end: created LB rule public 10.0.111.207:8080 -> two VMs at
10.1.1.66:22 and 10.1.1.150:22, six TCP probes from outside completed; added
a HealthCheckPolicy and verified the SB Service_Monitor table shows two
active TCP probes (one per backend) via the LB's ip_port_mappings.

Two nits the lab surfaced (not fixed by this commit, since they're CS-side
configuration rather than OVN code):

  1) Existing OVN offerings need public_lb=1 in network_offerings table
     and Lb in ntwk_offering_service_map / ntwk_service_map for live
     networks. New offerings created after this commit will inherit it from
     the seed when the seed is updated.
  2) An IP that already carried a Firewall-purpose rule cannot be reused for
     LB; the IP must be disassociated and reassociated. Standard CS
     behaviour, not OVN-specific.
---
 .../apache/cloudstack/service/OvnElement.java | 259 +++++++++++++++++-
 .../cloudstack/service/OvnNbClient.java       | 161 ++++++++++-
 2 files changed, 416 insertions(+), 4 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 1aceed571c55..22cc257351c4 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -115,10 +115,20 @@ protected static Map<Network.Service, Map<Network.Capability, String>> initCapab
         capabilities.put(Network.Service.Firewall, firewallCapabilities);
 
         Map<Network.Capability, String> lbCapabilities = new HashMap<>();
-        lbCapabilities.put(Network.Capability.SupportedLBAlgorithms, "roundrobin,leastconn");
+        // OVN Load_Balancer is L4-only. We only advertise what we actually deliver:
+        //  - tcp/udp (sctp omitted - rarely used in CS UI)
+        //  - round-robin and source-IP based hashing (no leastconn: OVN has no per-backend
+        //    connection state)
+        //  - public scheme for v1 (internal scheme deferred to a follow-up commit)
+        // SSL offload, HTTP-aware LB, cookie stickiness etc. are L7 features that OVN cannot do
+        // in the datapath - those tenants should pick a VirtualRouter offering instead.
+        lbCapabilities.put(Network.Capability.SupportedLBAlgorithms, "roundrobin,source");
         lbCapabilities.put(Network.Capability.SupportedLBIsolation, "dedicated");
         lbCapabilities.put(Network.Capability.SupportedProtocols, "tcp,udp");
-        lbCapabilities.put(Network.Capability.LbSchemes, String.join(",", LoadBalancerContainer.Scheme.Internal.name(), LoadBalancerContainer.Scheme.Public.name()));
+        lbCapabilities.put(Network.Capability.LbSchemes, LoadBalancerContainer.Scheme.Public.name());
+        // OVN does L4 TCP probes via Load_Balancer_Health_Check. We accept HTTP/PING policies
+        // but degrade to TCP probe of the same port (logged in applyLBHealthCheck).
+        lbCapabilities.put(Network.Capability.HealthCheckPolicy, "true");
         capabilities.put(Network.Service.Lb, lbCapabilities);
 
         capabilities.put(Network.Service.Connectivity, null);
@@ -1147,16 +1157,261 @@ public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<?
 
     @Override
     public boolean applyLBRules(Network network, List<LoadBalancingRule> rules) throws ResourceUnavailableException {
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
+            return true;
+        }
+        OvnProviderVO provider = getProviderForNetwork(network);
+        String routerName = getLogicalRouterName(network);
+        String guestLs = getLogicalSwitchName(network);
+        try {
+            for (LoadBalancingRule rule : rules) {
+                programLBRule(provider, network, routerName, guestLs, rule);
+            }
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
+        }
         return true;
     }
 
+    /**
+     * Translates one CloudStack {@link LoadBalancingRule} into an OVN {@code Load_Balancer} row.
+     * Naming: {@code lb-<rule_id>-<protocol>}. Each VM destination becomes one entry in the
+     * vips map's backend list. Algorithm and stickiness are mapped to OVN's
+     * {@code selection_fields} + {@code options:affinity_timeout}. HealthCheckPolicy, when
+     * present, becomes one Load_Balancer_Health_Check row referenced from {@code health_check}
+     * with {@code ip_port_mappings} populated for SB Service_Monitor source attribution.
+     *
+     * <p>OVN LB is L4. CloudStack rules with {@code tcp-proxy}/{@code http}/{@code ssl}
+     * protocols, {@code leastconn} algorithm, or cookie-based stickiness are rejected upstream
+     * by {@link #validateLBRule}. Should one slip through (e.g. via DB-direct mutation), we log
+     * and skip rather than raise.</p>
+     */
+    protected void programLBRule(OvnProviderVO provider, Network network,
+                                  String routerName, String guestLs, LoadBalancingRule rule) {
+        String ruleTag = String.valueOf(rule.getId());
+        String lbName = null;
+
+        if (rule.getState() == FirewallRule.State.Revoke) {
+            ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    "cloudstack_lb_rule_id", ruleTag);
+            return;
+        }
+
+        IPAddressVO ipVo = ipAddressDao.findById(rule.getLb().getSourceIpAddressId());
+        if (ipVo == null || ipVo.getAddress() == null) {
+            logger.warn("LB rule {} references unknown source IP id {}", rule.getId(), rule.getLb().getSourceIpAddressId());
+            return;
+        }
+        String externalIp = ipVo.getAddress().addr();
+
+        String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
+        if (!"tcp".equals(protocol) && !"udp".equals(protocol) && !"sctp".equals(protocol)) {
+            logger.warn("LB rule {} protocol [{}] is not L4; skipping (validateLBRule should have rejected this)",
+                    rule.getId(), protocol);
+            return;
+        }
+        if (rule.getSourcePortStart() == null) {
+            logger.warn("LB rule {} has no source port; skipping", rule.getId());
+            return;
+        }
+        int publicPort = rule.getSourcePortStart();
+
+        // Build the backend list ("vm_ip:port,vm_ip:port,...") from active destinations.
+        StringBuilder backends = new StringBuilder();
+        Map<String, String> ipPortMappings = new HashMap<>();
+        String hcSourceIp = network.getGateway();
+        for (LoadBalancingRule.LbDestination dest : rule.getDestinations()) {
+            if (dest.isRevoked()) {
+                continue;
+            }
+            String destIp = dest.getIpAddress();
+            int destPort = dest.getDestinationPortStart();
+            if (destIp == null || destIp.isEmpty()) {
+                continue;
+            }
+            if (backends.length() > 0) {
+                backends.append(",");
+            }
+            backends.append(destIp).append(":").append(destPort);
+
+            // Populate ip_port_mappings: <backend_ip> -> <lsp_name>:<source_ip>. The lsp_name is
+            // the NIC UUID (matches our LSP naming scheme in createLogicalSwitchPort) and the
+            // source_ip is the LR's gateway IP on the guest LS - that is the address from which
+            // OVN's monitor will source HC probes.
+            NicVO targetNic = nicDao.findByIp4AddressAndNetworkId(destIp, network.getId());
+            if (targetNic != null && hcSourceIp != null && !hcSourceIp.isEmpty()) {
+                ipPortMappings.put(destIp, targetNic.getUuid() + ":" + hcSourceIp);
+            }
+        }
+        if (backends.length() == 0) {
+            // No live destinations - drop the LB. Idempotent if it was never created.
+            logger.debug("LB rule {} has no live destinations; removing any existing LB row", rule.getId());
+            ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    "cloudstack_lb_rule_id", ruleTag);
+            return;
+        }
+
+        Map<String, String> vips = java.util.Collections.singletonMap(externalIp + ":" + publicPort, backends.toString());
+
+        // Algorithm and stickiness → selection_fields + affinity_timeout.
+        Set<String> selectionFields = null;
+        Long affinityTimeout = null;
+        String algorithm = rule.getAlgorithm() != null ? rule.getAlgorithm().toLowerCase() : "roundrobin";
+        if ("source".equals(algorithm)) {
+            selectionFields = new java.util.LinkedHashSet<>();
+            selectionFields.add("ip_src");
+        }
+        if (rule.getStickinessPolicies() != null) {
+            for (LoadBalancingRule.LbStickinessPolicy sticky : rule.getStickinessPolicies()) {
+                if (sticky.isRevoked()) continue;
+                String method = sticky.getMethodName() != null ? sticky.getMethodName() : "";
+                if ("SourceBased".equalsIgnoreCase(method)) {
+                    if (selectionFields == null) {
+                        selectionFields = new java.util.LinkedHashSet<>();
+                        selectionFields.add("ip_src");
+                    }
+                    affinityTimeout = parseStickyTimeoutSeconds(sticky);
+                } else {
+                    logger.warn("LB rule {} sticky method [{}] is L7 (cookie); OVN cannot honour it - degrading to source-based",
+                            rule.getId(), method);
+                    if (selectionFields == null) {
+                        selectionFields = new java.util.LinkedHashSet<>();
+                        selectionFields.add("ip_src");
+                    }
+                }
+            }
+        }
+
+        Map<String, String> options = new HashMap<>();
+        options.put("hairpin_snat_ip", externalIp);
+        if (affinityTimeout != null && affinityTimeout > 0) {
+            options.put("affinity_timeout", String.valueOf(affinityTimeout));
+        }
+
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_lb_rule_id", ruleTag);
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        ext.put("cloudstack_lb_kind", "loadbalancer");
+
+        lbName = "lb-" + ruleTag + "-" + protocol;
+        ovnNbClient.createOrReplaceLoadBalancer(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                lbName, protocol, vips, ext, options, selectionFields, ipPortMappings);
+        ovnNbClient.attachLoadBalancerToRouter(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, lbName);
+        ovnNbClient.attachLoadBalancerToSwitch(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                guestLs, lbName);
+
+        // Health check: take the first non-revoked policy. CloudStack today only persists one
+        // HealthCheckPolicy per rule but the API returns a list, so we are defensive.
+        applyLBHealthCheck(provider, network, rule, lbName, externalIp + ":" + publicPort, ipPortMappings);
+    }
+
+    /**
+     * Maps a CloudStack stickiness policy timeout into OVN seconds. CS uses different param
+     * names depending on the method (cookie vs source-based); for SourceBased we look at
+     * {@code expire}/{@code idletime}/{@code holdtime}/{@code persistence_timeout} - whichever
+     * the user filled - and fall back to 180s if nothing parses.
+     */
+    private static long parseStickyTimeoutSeconds(LoadBalancingRule.LbStickinessPolicy sticky) {
+        if (sticky.getParams() == null) return 180L;
+        for (org.apache.cloudstack.api.InternalIdentity pair : java.util.Collections.<org.apache.cloudstack.api.InternalIdentity>emptyList()) { /* unused */ }
+        // The Pair<String,String> instances from CloudStack have .first() / .second() accessors.
+        for (com.cloud.utils.Pair<String, String> p : sticky.getParams()) {
+            String name = p.first() != null ? p.first().toLowerCase() : "";
+            if (name.contains("expire") || name.contains("idletime")
+                    || name.contains("holdtime") || name.contains("timeout")) {
+                try {
+                    return Long.parseLong(p.second());
+                } catch (NumberFormatException ignored) { /* fall through */ }
+            }
+        }
+        return 180L;
+    }
+
+    /**
+     * Applies (or clears) the OVN Load_Balancer_Health_Check for an LB rule. OVN HC is L4 TCP
+     * only; HTTP/PING policies from CloudStack are accepted but degraded to a TCP probe with a
+     * warning so the operator gets a hint to either accept it or move that workload to a
+     * VirtualRouter offering.
+     */
+    protected void applyLBHealthCheck(OvnProviderVO provider, Network network, LoadBalancingRule rule,
+                                       String lbName, String hcVip, Map<String, String> ipPortMappings) {
+        java.util.List<? extends LoadBalancingRule.LbHealthCheckPolicy> policies = rule.getHealthCheckPolicies();
+        LoadBalancingRule.LbHealthCheckPolicy active = null;
+        if (policies != null) {
+            for (LoadBalancingRule.LbHealthCheckPolicy p : policies) {
+                if (!p.isRevoked()) {
+                    active = p;
+                    break;
+                }
+            }
+        }
+        if (active == null) {
+            ovnNbClient.clearLoadBalancerHealthCheck(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    lbName);
+            return;
+        }
+        String pingPath = active.getpingpath();
+        if (pingPath != null && !pingPath.isEmpty()) {
+            logger.warn("LB rule {} health check is HTTP/path-based ({}); OVN can only TCP-probe the backend port - "
+                    + "honouring as TCP probe", rule.getId(), pingPath);
+        }
+
+        Map<String, String> hcOptions = new HashMap<>();
+        // OVN options expect ms (interval/timeout) and integer counts. Map CS seconds to ms.
+        int intervalSec = active.getHealthcheckInterval() > 0 ? active.getHealthcheckInterval() : 5;
+        int responseSec = active.getResponseTime() > 0 ? active.getResponseTime() : 2;
+        int healthyCount = active.getHealthcheckThresshold() > 0 ? active.getHealthcheckThresshold() : 2;
+        int unhealthyCount = active.getUnhealthThresshold() > 0 ? active.getUnhealthThresshold() : 3;
+        hcOptions.put("interval", String.valueOf(intervalSec));
+        hcOptions.put("timeout", String.valueOf(responseSec));
+        hcOptions.put("success_count", String.valueOf(healthyCount));
+        hcOptions.put("failure_count", String.valueOf(unhealthyCount));
+
+        Map<String, String> hcExt = new HashMap<>();
+        hcExt.put("cloudstack_lb_rule_id", String.valueOf(rule.getId()));
+        hcExt.put("cloudstack_network_id", String.valueOf(network.getId()));
+
+        ovnNbClient.setLoadBalancerHealthCheck(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                lbName, hcVip, hcOptions, ipPortMappings, hcExt);
+    }
+
     @Override
     public boolean validateLBRule(Network network, LoadBalancingRule rule) {
+        if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN) {
+            return true;
+        }
+        // OVN Load_Balancer is L4 - bail on anything beyond tcp/udp/sctp.
+        String proto = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
+        if (!"tcp".equals(proto) && !"udp".equals(proto) && !"sctp".equals(proto)) {
+            logger.warn("OVN LB rejecting rule {}: protocol [{}] requires L7 (use a VirtualRouter offering)",
+                    rule.getId(), proto);
+            return false;
+        }
+        // OVN has no per-backend connection state, so leastconn cannot be honoured. Reject
+        // explicitly rather than silently degrading - capabilities only advertise roundrobin
+        // and source.
+        String algo = rule.getAlgorithm() != null ? rule.getAlgorithm().toLowerCase() : "";
+        if ("leastconn".equals(algo)) {
+            logger.warn("OVN LB rejecting rule {}: algorithm [leastconn] not supported (no backend conn state)",
+                    rule.getId());
+            return false;
+        }
         return true;
     }
 
     @Override
     public List<LoadBalancerTO> updateHealthChecks(Network network, List<LoadBalancingRule> lbrules) {
+        // TODO: query OVN SB Service_Monitor table to surface backend up/down status back to
+        //       CloudStack (so the UI shows red/green per VM member). The OVN HC writes status
+        //       per-backend in Service_Monitor; we'd convert each to a LbDestination state.
         return null;
     }
 
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 8b6b19ff3ec1..84306fa7cab5 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -65,6 +65,7 @@ public class OvnNbClient {
     private static final String NAT_TABLE = "NAT";
     private static final String ACL_TABLE = "ACL";
     private static final String LOAD_BALANCER_TABLE = "Load_Balancer";
+    private static final String LOAD_BALANCER_HEALTH_CHECK_TABLE = "Load_Balancer_Health_Check";
     private static final long DEFAULT_TIMEOUT_MS = 5_000L;
     private static final Pattern CONN_PATTERN = Pattern.compile("^(tcp|ssl):([^:]+):([0-9]+)$");
     private static final ICertificateManager NOOP_CERT_MANAGER = new NoopCertificateManager();
@@ -1227,6 +1228,18 @@ public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath,
                                             String clientPrivateKeyPath,
                                             String name, String protocol, Map<String, String> vips,
                                             Map<String, String> externalIds, Map<String, String> options) {
+        // Backward-compat wrapper for callers (PortForwarding) that don't need selection_fields
+        // or ip_port_mappings (which are LB-rule-specific concerns: hashing fields and HC source
+        // attribution respectively).
+        createOrReplaceLoadBalancer(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath,
+                name, protocol, vips, externalIds, options, null, null);
+    }
+
+    public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath, String clientCertPath,
+                                            String clientPrivateKeyPath,
+                                            String name, String protocol, Map<String, String> vips,
+                                            Map<String, String> externalIds, Map<String, String> options,
+                                            Set<String> selectionFields, Map<String, String> ipPortMappings) {
         if (StringUtils.isBlank(name)) {
             throw new CloudRuntimeException("Load_Balancer name is blank");
         }
@@ -1241,6 +1254,9 @@ public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath,
             @SuppressWarnings({"rawtypes", "unchecked"})
             ColumnSchema<GenericTableSchema, Map> vipsCol = lbTable.column("vips", Map.class);
             ColumnSchema<GenericTableSchema, Set<String>> protoCol = lbTable.multiValuedColumn("protocol", String.class);
+            ColumnSchema<GenericTableSchema, Set<String>> selFieldsCol = lbTable.multiValuedColumn("selection_fields", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> ippmCol = lbTable.column("ip_port_mappings", Map.class);
             @SuppressWarnings({"rawtypes", "unchecked"})
             ColumnSchema<GenericTableSchema, Map> optsCol = lbTable.column("options", Map.class);
             @SuppressWarnings({"rawtypes", "unchecked"})
@@ -1271,6 +1287,12 @@ public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath,
                 if (externalIds != null && !externalIds.isEmpty()) {
                     insert = insert.value(extIdsCol, new HashMap<>(externalIds));
                 }
+                if (selectionFields != null && !selectionFields.isEmpty()) {
+                    insert = insert.value(selFieldsCol, new java.util.HashSet<>(selectionFields));
+                }
+                if (ipPortMappings != null && !ipPortMappings.isEmpty()) {
+                    insert = insert.value(ippmCol, new HashMap<>(ipPortMappings));
+                }
                 ops.add(insert);
             } else {
                 // Replace contents in-place. Mutate explicit columns even if empty so stale entries
@@ -1280,14 +1302,149 @@ public void createOrReplaceLoadBalancer(String nbConnection, String caCertPath,
                         .set(protoCol, StringUtils.isNotBlank(protocol)
                                 ? Collections.singleton(protocol)
                                 : Collections.<String>emptySet())
+                        .set(selFieldsCol, selectionFields != null
+                                ? new java.util.HashSet<>(selectionFields)
+                                : Collections.<String>emptySet())
+                        .set(ippmCol, ipPortMappings != null ? new HashMap<>(ipPortMappings) : new HashMap<>())
                         .set(optsCol, options != null ? new HashMap<>(options) : new HashMap<>())
                         .set(extIdsCol, externalIds != null ? new HashMap<>(externalIds) : new HashMap<>())
                         .where(uuidCol.opEqual(existing)).build());
             }
             List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
             assertNoError(results, String.format("createOrReplace Load_Balancer %s", name));
-            logger.info("Wrote Load_Balancer [{}] vips={} protocol={} options={} at {}",
-                    name, vips, protocol, options, nbConnection);
+            logger.info("Wrote Load_Balancer [{}] vips={} protocol={} options={} selection_fields={} at {}",
+                    name, vips, protocol, options, selectionFields, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Sets {@code Load_Balancer.health_check} to a single fresh Load_Balancer_Health_Check row
+     * with the given vip+options. Existing HC rows (referenced or orphaned with our external_ids
+     * tag) are deleted before insert so we never accumulate dead HC rows. OVN's health check is
+     * L4 TCP-only - the {@code options} map carries {@code interval}, {@code timeout},
+     * {@code success_count}, {@code failure_count}.
+     *
+     * <p>{@code ipPortMappings} populates {@code Load_Balancer.ip_port_mappings} so the SB
+     * Service_Monitor knows from which logical port to source HC probes to each backend
+     * (Format: {@code "<backend_ip>"} → {@code "<lsp_name>:<source_ip>"}).</p>
+     */
+    public void setLoadBalancerHealthCheck(String nbConnection, String caCertPath, String clientCertPath,
+                                            String clientPrivateKeyPath,
+                                            String lbName, String hcVip,
+                                            Map<String, String> hcOptions,
+                                            Map<String, String> ipPortMappings,
+                                            Map<String, String> hcExternalIds) {
+        if (StringUtils.isBlank(lbName) || StringUtils.isBlank(hcVip)) {
+            throw new CloudRuntimeException("setLoadBalancerHealthCheck: arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            GenericTableSchema hcTable = schema.table(LOAD_BALANCER_HEALTH_CHECK_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lbNameCol = lbTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> lbUuidCol = lbTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lbHcCol = lbTable.multiValuedColumn("health_check", UUID.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> lbIppmCol = lbTable.column("ip_port_mappings", Map.class);
+            ColumnSchema<GenericTableSchema, UUID> hcUuidCol = hcTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, String> hcVipCol = hcTable.column("vip", String.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> hcOptsCol = hcTable.column("options", Map.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> hcExtCol = hcTable.column("external_ids", Map.class);
+
+            // Lookup LB; pull current health_check refs so we can delete them.
+            Operation<GenericTableSchema> selLb = OVSDB_OPS.select(lbTable).column(lbUuidCol).column(lbHcCol)
+                    .where(lbNameCol.opEqual(lbName)).build();
+            List<OperationResult> lbResult = client.transact(schema, Collections.<Operation>singletonList(selLb))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (lbResult == null || lbResult.isEmpty() || lbResult.get(0).getRows() == null
+                    || lbResult.get(0).getRows().isEmpty()) {
+                throw new CloudRuntimeException("Load_Balancer " + lbName + " not found while setting health check");
+            }
+            UUID lbUuid = lbResult.get(0).getRows().get(0).getColumn(lbUuidCol).getData();
+            @SuppressWarnings("unchecked")
+            Set<UUID> oldHc = (Set<UUID>) lbResult.get(0).getRows().get(0).getColumn(lbHcCol).getData();
+
+            String namedUuid = "newhc";
+            Insert<GenericTableSchema> insertHc = OVSDB_OPS.insert(hcTable)
+                    .withId(namedUuid)
+                    .value(hcVipCol, hcVip)
+                    .value(hcOptsCol, hcOptions != null ? new HashMap<>(hcOptions) : new HashMap<>());
+            if (hcExternalIds != null && !hcExternalIds.isEmpty()) {
+                insertHc = insertHc.value(hcExtCol, new HashMap<>(hcExternalIds));
+            }
+
+            List<Operation> ops = new ArrayList<>();
+            ops.add(insertHc);
+            // Replace the LB.health_check set and refresh ip_port_mappings in the same txn.
+            ops.add(OVSDB_OPS.update(lbTable)
+                    .set(lbHcCol, Collections.singleton(new UUID(namedUuid)))
+                    .set(lbIppmCol, ipPortMappings != null ? new HashMap<>(ipPortMappings) : new HashMap<>())
+                    .where(lbUuidCol.opEqual(lbUuid)).build());
+            // Delete the old HC rows now that no LB references them (strong ref).
+            if (oldHc != null) {
+                for (UUID stale : oldHc) {
+                    ops.add(OVSDB_OPS.delete(hcTable).where(hcUuidCol.opEqual(stale)).build());
+                }
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("set health check on Load_Balancer %s", lbName));
+            logger.info("Set Load_Balancer_Health_Check on [{}] vip={} options={} ipPortMappings={} at {}",
+                    lbName, hcVip, hcOptions, ipPortMappings, nbConnection);
+            return null;
+        });
+    }
+
+    /**
+     * Removes any {@code Load_Balancer_Health_Check} row attached to {@code lbName} and clears
+     * the LB's {@code ip_port_mappings}. Used when a CloudStack LB rule's HealthCheckPolicy is
+     * revoked or absent. Idempotent: a no-op when the LB has no HC.
+     */
+    public void clearLoadBalancerHealthCheck(String nbConnection, String caCertPath, String clientCertPath,
+                                              String clientPrivateKeyPath,
+                                              String lbName) {
+        if (StringUtils.isBlank(lbName)) {
+            throw new CloudRuntimeException("clearLoadBalancerHealthCheck: name is blank");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lbTable = schema.table(LOAD_BALANCER_TABLE, GenericTableSchema.class);
+            GenericTableSchema hcTable = schema.table(LOAD_BALANCER_HEALTH_CHECK_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lbNameCol = lbTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> lbUuidCol = lbTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lbHcCol = lbTable.multiValuedColumn("health_check", UUID.class);
+            @SuppressWarnings({"rawtypes", "unchecked"})
+            ColumnSchema<GenericTableSchema, Map> lbIppmCol = lbTable.column("ip_port_mappings", Map.class);
+            ColumnSchema<GenericTableSchema, UUID> hcUuidCol = hcTable.column("_uuid", UUID.class);
+
+            Operation<GenericTableSchema> selLb = OVSDB_OPS.select(lbTable).column(lbUuidCol).column(lbHcCol)
+                    .where(lbNameCol.opEqual(lbName)).build();
+            List<OperationResult> lbResult = client.transact(schema, Collections.<Operation>singletonList(selLb))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (lbResult == null || lbResult.isEmpty() || lbResult.get(0).getRows() == null
+                    || lbResult.get(0).getRows().isEmpty()) {
+                return null;
+            }
+            UUID lbUuid = lbResult.get(0).getRows().get(0).getColumn(lbUuidCol).getData();
+            @SuppressWarnings("unchecked")
+            Set<UUID> oldHc = (Set<UUID>) lbResult.get(0).getRows().get(0).getColumn(lbHcCol).getData();
+            if (oldHc == null || oldHc.isEmpty()) {
+                return null;
+            }
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.update(lbTable)
+                    .set(lbHcCol, Collections.<UUID>emptySet())
+                    .set(lbIppmCol, new HashMap<>())
+                    .where(lbUuidCol.opEqual(lbUuid)).build());
+            for (UUID stale : oldHc) {
+                ops.add(OVSDB_OPS.delete(hcTable).where(hcUuidCol.opEqual(stale)).build());
+            }
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("clear health check on Load_Balancer %s", lbName));
+            logger.info("Cleared {} Load_Balancer_Health_Check row(s) from [{}] at {}",
+                    oldHc.size(), lbName, nbConnection);
             return null;
         });
     }

From 7e31d3cbb18b72a010caaefe6b5fc2a17cfb8634 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 04:16:50 +0200
Subject: [PATCH 19/33] OVN plugin: reject LB rules placed on the network's
 SourceNat IP

When a tenant tries to create a LoadBalancingRule on the same public IP that
the LR uses as SourceNat egress, the OVN pipeline cannot serve traffic in a
way that round-trips correctly. The LR carries a snat NAT row matching
logical_ip=guest_cidr -> external_ip in addition to the LB's vips entry on
the same external_ip. Replies from a backend traverse lr_out_snat first and
get rewritten with the SourceNat IP before the LB un-DNAT runs in the egress
path, so the client sees a TCP packet from an IP that doesn't match the
4-tuple of the connection it opened and resets. Confirmed in the lab: SYNs
reach the LR and DNAT to the backend, the backend replies, but no SYN+ACK
ever leaves the trunk.

Adding a guard in validateLBRule fails the rule synchronously when CloudStack
asks the provider whether the rule is acceptable, before it is persisted.
The error message tells the operator to allocate a dedicated public IP for
the LB - which is the only correct path on OVN today (skip_snat / hairpin
options on the LB row don't lift the conflict because the SourceNat NAT
row applies independently in the LR egress pipeline).

The check is provider-scoped (only fires for OVN-backed networks) and is
defensive even if a tenant somehow hits the API directly (e.g. through
DB-direct mutation): we look up the IPAddressVO for the LB's source IP and
abort if it is flagged as SourceNat.
---
 .../apache/cloudstack/service/OvnElement.java    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 22cc257351c4..be5aa81de5da 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -1404,6 +1404,22 @@ public boolean validateLBRule(Network network, LoadBalancingRule rule) {
                     rule.getId());
             return false;
         }
+        // Reject LB rules that target the network's SourceNat IP. The same external IP would carry
+        // both an LR-level snat NAT row (logical_ip=guest_cidr -> external_ip) and the LB's vips
+        // map; replies from a backend are SNATed back to the SourceNat IP before the LB un-DNAT
+        // can run, so the client sees a reply from an IP that doesn't match the connection it
+        // opened and TCP resets. Lab-confirmed: traffic enters the LR but no SYN+ACK ever reaches
+        // the upstream when LB and SourceNat share an external IP. Force the user to allocate a
+        // dedicated public IP for LB.
+        if (rule.getLb() != null && rule.getLb().getSourceIpAddressId() != null) {
+            IPAddressVO ipVo = ipAddressDao.findById(rule.getLb().getSourceIpAddressId());
+            if (ipVo != null && ipVo.isSourceNat()) {
+                logger.warn("OVN LB rejecting rule {}: external IP {} is the network's SourceNat IP "
+                        + "- allocate a separate public IP for the LB",
+                        rule.getId(), ipVo.getAddress() != null ? ipVo.getAddress().addr() : "<null>");
+                return false;
+            }
+        }
         return true;
     }
 

From e4cb8ac89ac36392672e235c2d625fca67c47cb1 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 10:28:49 +0200
Subject: [PATCH 20/33] OVN plugin: tighten Load_Balancer cleanup and protocol
 gate

Address review findings on the LB implementation so stale Load_Balancer
rows cannot survive ad-hoc network or public-IP teardown paths, and so
the validateLBRule / programLBRule / capability triple stays in sync.

- destroy(): wipe Load_Balancer rows tagged with this network's
  cloudstack_network_id before tearing down the LR/LS they hung off, so
  a force-delete of the network that bypasses the LB revoke callback no
  longer leaves orphan rows in NB DB.
- programLBRule(): tag every Load_Balancer with cloudstack_lb_ip set to
  the public IP, and have cleanupPublicIpArtifacts() sweep LBs by that
  external_id when the IP is released. Closes the gap when an IP is
  freed before the LB rule revoke arrives.
- validateLBRule() and programLBRule() drop sctp from the accepted set
  to match initCapabilities(), which only advertises tcp/udp.
- applyLBRules(): document why an empty rule list is a no-op rather
  than a wipe (the LB manager passes rules in transition, not the full
  active set).
---
 .../apache/cloudstack/service/OvnElement.java | 36 +++++++++++++++----
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index be5aa81de5da..666eb6bea36a 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -430,6 +430,11 @@ protected void cleanupPublicIpArtifacts(OvnProviderVO provider, Network network,
         ovnNbClient.removeNatRulesByExternalIp(provider.getNbConnection(),
                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                 routerName, "dnat_and_snat", externalIp);
+        // Load_Balancer rows pinned to this IP — defensive; applyLBRules revoke normally clears.
+        // We tag every LB row with cloudstack_lb_ip in programLBRule for exactly this lookup.
+        ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                "cloudstack_lb_ip", externalIp);
         // Refresh gARP announcement so this IP is no longer claimed by us.
         applyNatAddressesAnnouncement(provider, network);
     }
@@ -474,6 +479,12 @@ public boolean destroy(Network network, ReservationContext context) throws Concu
         if (network.getBroadcastDomainType() == Networks.BroadcastDomainType.OVN) {
             OvnProviderVO provider = getProviderForNetwork(network);
             try {
+                // Wipe any Load_Balancer rows owned by this network before tearing down the LR/LS
+                // they were attached to. If the network is destroyed without an explicit LB revoke
+                // (e.g. force-delete path) the LB row would otherwise remain orphaned in NB DB.
+                ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        "cloudstack_network_id", String.valueOf(network.getId()));
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), getPublicLogicalSwitchName(network));
                 ovnNbClient.deleteLogicalRouter(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
@@ -1157,6 +1168,11 @@ public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<?
 
     @Override
     public boolean applyLBRules(Network network, List<LoadBalancingRule> rules) throws ResourceUnavailableException {
+        // CloudStack's LB manager invokes this with the rules currently in transition, not the
+        // full active set on the network - so an empty list means "nothing to apply right now",
+        // not "wipe all LBs". Removal is driven by individual rules in Revoke state (handled in
+        // programLBRule) and, as a safety net, by destroy() / cleanupPublicIpArtifacts which
+        // sweep by external_ids when a network or public IP is being torn down.
         if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN || rules == null || rules.isEmpty()) {
             return true;
         }
@@ -1206,9 +1222,12 @@ protected void programLBRule(OvnProviderVO provider, Network network,
         String externalIp = ipVo.getAddress().addr();
 
         String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
-        if (!"tcp".equals(protocol) && !"udp".equals(protocol) && !"sctp".equals(protocol)) {
-            logger.warn("LB rule {} protocol [{}] is not L4; skipping (validateLBRule should have rejected this)",
-                    rule.getId(), protocol);
+        // Capability advertises only tcp/udp; keep validateLBRule and the datapath programmer in
+        // sync so an invalid protocol bubbling through (e.g. via direct DB mutation) is logged
+        // and skipped instead of silently creating a malformed Load_Balancer row.
+        if (!"tcp".equals(protocol) && !"udp".equals(protocol)) {
+            logger.warn("LB rule {} protocol [{}] is not supported by the OVN provider (tcp/udp only); skipping "
+                    + "(validateLBRule should have rejected this)", rule.getId(), protocol);
             return;
         }
         if (rule.getSourcePortStart() == null) {
@@ -1293,6 +1312,9 @@ protected void programLBRule(OvnProviderVO provider, Network network,
         Map<String, String> ext = new HashMap<>();
         ext.put("cloudstack_lb_rule_id", ruleTag);
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        // Tag with the public IP so cleanupPublicIpArtifacts can wipe LB rows when the IP is
+        // released out-of-order (without going through the LB revoke callback first).
+        ext.put("cloudstack_lb_ip", externalIp);
         ext.put("cloudstack_lb_kind", "loadbalancer");
 
         lbName = "lb-" + ruleTag + "-" + protocol;
@@ -1388,10 +1410,12 @@ public boolean validateLBRule(Network network, LoadBalancingRule rule) {
         if (network.getBroadcastDomainType() != Networks.BroadcastDomainType.OVN) {
             return true;
         }
-        // OVN Load_Balancer is L4 - bail on anything beyond tcp/udp/sctp.
+        // OVN Load_Balancer is L4 and we only advertise tcp/udp in the capabilities map; keep
+        // this in sync with initCapabilities() so an offering that lists only tcp/udp does not
+        // accept a rule we cannot program.
         String proto = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
-        if (!"tcp".equals(proto) && !"udp".equals(proto) && !"sctp".equals(proto)) {
-            logger.warn("OVN LB rejecting rule {}: protocol [{}] requires L7 (use a VirtualRouter offering)",
+        if (!"tcp".equals(proto) && !"udp".equals(proto)) {
+            logger.warn("OVN LB rejecting rule {}: protocol [{}] not supported (tcp/udp only)",
                     rule.getId(), proto);
             return false;
         }

From 43a9ea2f9ac50fd4f4fe76531a17ab7d942d0faf Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 10:58:19 +0200
Subject: [PATCH 21/33] OVN plugin: introduce VPC-aware naming helpers (no
 functional change)

Centralise the resolution of the OVN Logical_Router and public
Logical_Switch names so the same call sites work for both isolated
networks and VPC tiers. Today every helper still returns the existing
isolated names (cs-router-{netId} / cs-pub-{netId}) when
network.getVpcId() is null, so behaviour for isolated networks is
unchanged.

Helpers added:
- getRouterNameForNetwork(network)
    cs-router-{netId} for isolated, cs-vpc-{vpcId} for VPC tier.
- getPublicLogicalSwitchNameForNetwork(network)
    cs-pub-{netId} for isolated, cs-vpc-pub-{vpcId} for VPC tier.
- getPublicRouterPortNameForNetwork(network)
    "lrp-" + public LS name. Used for attachRouterToSwitch /
    setLrpGatewayChassis / pruneStaleGatewayChassis call sites.
- getPublicRouterSwitchPortNameForNetwork(network)
    "lsp-" + public LRP. Used by applyFWRules and
    applyNatAddressesAnnouncement so firewall ACL match expressions and
    gARP nat-addresses options point at the same LSP that pairs the
    public router port.

All call sites in OvnElement that previously hard-coded the per-network
naming scheme now resolve through these helpers. The old
getLogicalRouterName / getPublicLogicalSwitchName methods are removed
to keep one resolver per concept and avoid drift between isolated and
VPC code paths.

This is the PR-1 prerequisite for the upcoming VPC implementation
(implementVpc / shutdownVpc, VPC tier hooks, public IP services on the
VPC LR). Each later PR can branch on network.getVpcId() inside its own
logic without touching naming again.
---
 .../apache/cloudstack/service/OvnElement.java | 80 ++++++++++++-------
 1 file changed, 53 insertions(+), 27 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 666eb6bea36a..cb25a5dd6300 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -243,14 +243,40 @@ private static String buildServerMac(long networkId) {
                 (int) (networkId & 0xff));
     }
 
-    /** Returns the OVN Logical_Router name owning the network's tenant routing. */
-    protected String getLogicalRouterName(Network network) {
-        return String.format("cs-router-%d", network.getId());
+    /**
+     * Returns the OVN Logical_Router name owning the network's tenant routing. For an isolated
+     * network this is per-network ({@code cs-router-<networkId>}); for a VPC tier all networks
+     * share the VPC's LR ({@code cs-vpc-<vpcId>}). PR-1 introduced this helper as the single
+     * resolver for both cases — call sites should never branch on {@code network.getVpcId()}
+     * themselves.
+     */
+    protected String getRouterNameForNetwork(Network network) {
+        Long vpcId = network.getVpcId();
+        return vpcId != null ? String.format("cs-vpc-%d", vpcId) : String.format("cs-router-%d", network.getId());
+    }
+
+    /**
+     * Returns the public-side Logical_Switch that fronts the LR's external port. Per-network for
+     * isolated ({@code cs-pub-<networkId>}), shared across all tiers of a VPC for VPC tiers
+     * ({@code cs-vpc-pub-<vpcId>}).
+     */
+    protected String getPublicLogicalSwitchNameForNetwork(Network network) {
+        Long vpcId = network.getVpcId();
+        return vpcId != null ? String.format("cs-vpc-pub-%d", vpcId) : String.format("cs-pub-%d", network.getId());
+    }
+
+    /** Name of the LR-side router port attached to the public Logical_Switch. */
+    protected String getPublicRouterPortNameForNetwork(Network network) {
+        return "lrp-" + getPublicLogicalSwitchNameForNetwork(network);
     }
 
-    /** Returns the auxiliary public-side Logical_Switch that fronts the LR's external port. */
-    protected String getPublicLogicalSwitchName(Network network) {
-        return String.format("cs-pub-%d", network.getId());
+    /**
+     * Name of the LSP on the public LS that pairs with the public LRP. OVN names router-type
+     * Logical_Switch_Ports as {@code lsp-<lrp_name>}; firewall ACL matches and gARP announcements
+     * target this LSP.
+     */
+    protected String getPublicRouterSwitchPortNameForNetwork(Network network) {
+        return "lsp-" + getPublicRouterPortNameForNetwork(network);
     }
 
     /**
@@ -263,7 +289,7 @@ protected void createRouterAndAttachToGuest(OvnProviderVO provider, Network netw
         if (network.getCidr() == null || network.getGateway() == null) {
             return;
         }
-        String routerName = getLogicalRouterName(network);
+        String routerName = getRouterNameForNetwork(network);
         Map<String, String> lrExternalIds = new HashMap<>();
         lrExternalIds.put("cloudstack_network_id", String.valueOf(network.getId()));
         lrExternalIds.put("cloudstack_network_uuid", network.getUuid());
@@ -302,8 +328,8 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
         if (ips == null || ips.isEmpty()) {
             return;
         }
-        String routerName = getLogicalRouterName(network);
-        String publicLs = getPublicLogicalSwitchName(network);
+        String routerName = getRouterNameForNetwork(network);
+        String publicLs = getPublicLogicalSwitchNameForNetwork(network);
         String localnet = provider.getLocalnetName();
         String externalBridge = provider.getExternalBridge();
         String guestCidr = network.getCidr();
@@ -332,10 +358,11 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
                     provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                     publicLs, "ln-" + publicLs, localnet != null ? localnet : externalBridge, vlanTag);
             String prefix = "/" + maskToPrefix(netmask != null ? netmask : "255.255.240.0");
+            String publicLrpName = getPublicRouterPortNameForNetwork(network);
             ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
                     provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                     routerName, publicLs,
-                    "lrp-" + publicLs, buildRouterMac(network.getId(), true),
+                    publicLrpName, buildRouterMac(network.getId(), true),
                     java.util.Collections.singletonList(externalIp + prefix));
             // Anchor the external LRP to a chassis so ovn-northd materialises lr_in_dnat /
             // lr_in_unsnat / lr_out_snat for the NAT rules attached to this router.
@@ -343,7 +370,7 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
             if (anchorChassis != null) {
                 ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                        "lrp-" + publicLs, anchorChassis, 10);
+                        publicLrpName, anchorChassis, 10);
             }
             Map<String, String> natExt = new HashMap<>();
             natExt.put("cloudstack_network_id", String.valueOf(network.getId()));
@@ -374,8 +401,7 @@ protected void applySourceNatForNetwork(OvnProviderVO provider, Network network)
      * explicit form here.</p>
      */
     protected void applyNatAddressesAnnouncement(OvnProviderVO provider, Network network) {
-        String publicLs = getPublicLogicalSwitchName(network);
-        String externalLrpLsp = "lsp-lrp-" + publicLs;
+        String externalLrpLsp = getPublicRouterSwitchPortNameForNetwork(network);
         String routerMac = buildRouterMac(network.getId(), true);
         StringBuilder addresses = new StringBuilder(routerMac);
         boolean any = false;
@@ -420,8 +446,8 @@ protected void applyNatAddressesAnnouncement(OvnProviderVO provider, Network net
      * </ul>
      */
     protected void cleanupPublicIpArtifacts(OvnProviderVO provider, Network network, String externalIp) {
-        String publicLs = getPublicLogicalSwitchName(network);
-        String routerName = getLogicalRouterName(network);
+        String publicLs = getPublicLogicalSwitchNameForNetwork(network);
+        String routerName = getRouterNameForNetwork(network);
         // ACLs: matches both per-rule and the default-drop, since both carry cloudstack_fw_ip.
         ovnNbClient.removeAclsOnLsByExternalId(provider.getNbConnection(),
                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
@@ -486,9 +512,9 @@ public boolean destroy(Network network, ReservationContext context) throws Concu
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                         "cloudstack_network_id", String.valueOf(network.getId()));
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
-                        provider.getClientPrivateKeyPath(), getPublicLogicalSwitchName(network));
+                        provider.getClientPrivateKeyPath(), getPublicLogicalSwitchNameForNetwork(network));
                 ovnNbClient.deleteLogicalRouter(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
-                        provider.getClientPrivateKeyPath(), getLogicalRouterName(network));
+                        provider.getClientPrivateKeyPath(), getRouterNameForNetwork(network));
                 ovnNbClient.deleteDhcpOptions(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), String.valueOf(network.getId()));
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
@@ -585,8 +611,8 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
             return true;
         }
         OvnProviderVO provider = getProviderForNetwork(network);
-        String routerName = getLogicalRouterName(network);
-        String publicLs = getPublicLogicalSwitchName(network);
+        String routerName = getRouterNameForNetwork(network);
+        String publicLs = getPublicLogicalSwitchNameForNetwork(network);
         String localnet = provider.getLocalnetName();
         String guestCidr = network.getCidr();
         String externalBridge = provider.getExternalBridge();
@@ -629,7 +655,7 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
                     ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
                             provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                             routerName, publicLs,
-                            "lrp-" + publicLs, buildRouterMac(network.getId(), true),
+                            getPublicRouterPortNameForNetwork(network), buildRouterMac(network.getId(), true),
                             java.util.Collections.singletonList(externalIp + prefix));
                     Map<String, String> natExt = new HashMap<>();
                     natExt.put("cloudstack_network_id", String.valueOf(network.getId()));
@@ -676,7 +702,7 @@ protected String pickAnchorChassis(OvnProviderVO provider, Network network) {
             // the live set. This must run BEFORE we hand back a name to the caller, because
             // setLrpGatewayChassis is idempotent on (lrp_name, chassis_name) and will not detect
             // a name change on its own.
-            String publicLrpName = "lrp-" + getPublicLogicalSwitchName(network);
+            String publicLrpName = getPublicRouterPortNameForNetwork(network);
             try {
                 ovnNbClient.pruneStaleGatewayChassis(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
@@ -720,7 +746,7 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
             return true;
         }
         OvnProviderVO provider = getProviderForNetwork(config);
-        String routerName = getLogicalRouterName(config);
+        String routerName = getRouterNameForNetwork(config);
         try {
             // Anchor the public LRP to a chassis so ovn-northd materialises the lr_in_dnat
             // pipeline. Without Gateway_Chassis, dnat_and_snat NAT rows are silently ignored
@@ -729,7 +755,7 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
             if (anchorChassis != null) {
                 ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                        "lrp-" + getPublicLogicalSwitchName(config), anchorChassis, 10);
+                        getPublicRouterPortNameForNetwork(config), anchorChassis, 10);
             }
             for (StaticNat rule : rules) {
                 IPAddressVO ipVo = ipAddressDao.findById(rule.getSourceIpAddressId());
@@ -775,7 +801,7 @@ public boolean applyPFRules(Network network, List<PortForwardingRule> rules) thr
             return true;
         }
         OvnProviderVO provider = getProviderForNetwork(network);
-        String routerName = getLogicalRouterName(network);
+        String routerName = getRouterNameForNetwork(network);
         String guestLs = getLogicalSwitchName(network);
         try {
             for (PortForwardingRule rule : rules) {
@@ -889,8 +915,8 @@ public boolean applyFWRules(Network network, List<? extends FirewallRule> rules)
             return true;
         }
         OvnProviderVO provider = getProviderForNetwork(network);
-        String publicLs = getPublicLogicalSwitchName(network);
-        String publicLrpLsp = "lsp-lrp-" + publicLs;
+        String publicLs = getPublicLogicalSwitchNameForNetwork(network);
+        String publicLrpLsp = getPublicRouterSwitchPortNameForNetwork(network);
         try {
             for (FirewallRule rule : rules) {
                 programFirewallRule(provider, network, publicLs, publicLrpLsp, rule);
@@ -1177,7 +1203,7 @@ public boolean applyLBRules(Network network, List<LoadBalancingRule> rules) thro
             return true;
         }
         OvnProviderVO provider = getProviderForNetwork(network);
-        String routerName = getLogicalRouterName(network);
+        String routerName = getRouterNameForNetwork(network);
         String guestLs = getLogicalSwitchName(network);
         try {
             for (LoadBalancingRule rule : rules) {

From 1eb672c9339d24ffd54f319d17f1e8a5c5c6261e Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 11:17:28 +0200
Subject: [PATCH 22/33] OVN plugin: implementVpc / shutdownVpc /
 updateVpcSourceNatIp

PR-2a of the VPC track. Provision the per-VPC OVN topology so a
CloudStack VPC backed by the OVN provider gets a real Logical_Router
and (when the SourceNat IP is allocated) a public Logical_Switch wired
through localnet to the upstream physical network. Per-tier work
(tier LS, tier LRP, per-tier SNAT row, DHCP) is the next PR.

Naming and MAC scheme:
- LR:                 cs-vpc-{vpcId}
- public LS:          cs-vpc-pub-{vpcId}
- public LRP / LSP:   lrp-cs-vpc-pub-{vpcId} / lsp-lrp-cs-vpc-pub-{vpcId}
- buildVpcRouterMac uses leading octets 0xfc (external) / 0xfb
  (internal) so that an isolated network and a VPC sharing the same
  numeric id never collide on a MAC.

implementVpc(vpc, dest, ctx):
- Looks up the OVN provider for vpc.getZoneId(); fails the call if the
  zone has none.
- Idempotently creates the LR cs-vpc-{id} with stable external_ids
  (cloudstack_vpc_id, cloudstack_vpc_uuid, cloudstack_zone_id,
   cloudstack_role=vpc-router).
- Calls applyVpcSourceNatPublicSide() which - when CloudStack already
  allocated the VPC SourceNat IP - creates the public LS, the localnet
  port keyed off provider.localnetName/externalBridge plus VLAN tag,
  attaches the LR via the public LRP using the SourceNat IP, anchors
  it to a Gateway_Chassis (with stale-row prune), installs the default
  route via the upstream gateway, and refreshes the gARP nat-addresses
  option on the router-type LSP.
- No-op for the public side when no SourceNat IP is allocated yet; the
  LR exists, and updateVpcSourceNatIp will re-run the helper later.

shutdownVpc(vpc, ctx):
- Sweeps Load_Balancer rows tagged with cloudstack_vpc_id (LB rows
  live in a global table and are not GC'd by deleting the LR/LS when
  other refs remain).
- Deletes the public LS (cleaning its localnet/firewall/router-type
  LSPs).
- Deletes the LR; OVSDB GCs LRPs and NAT rows it owned.
- Returns success even when the OVN provider is gone, so VPC removal
  can complete.

updateVpcSourceNatIp(vpc, ip):
- Re-runs applyVpcSourceNatPublicSide. Idempotent, covers first-time
  allocation cleanly. Changing an already-active SourceNat IP is left
  as a TODO; v1 only handles allocation.

createPrivateGateway / deletePrivateGateway / applyACLItemsToPrivateGw
/ applyStaticRoutes remain stubs returning true with a comment marking
them out of scope for OVN VPC v1.
---
 .../apache/cloudstack/service/OvnElement.java | 242 ++++++++++++++++++
 1 file changed, 242 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index cb25a5dd6300..792e39b4ce6e 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -279,6 +279,27 @@ protected String getPublicRouterSwitchPortNameForNetwork(Network network) {
         return "lsp-" + getPublicRouterPortNameForNetwork(network);
     }
 
+    /**
+     * VPC-flavoured naming. The same scheme as the network helpers but keyed off a {@link Vpc}
+     * directly, so {@link #implementVpc} / {@link #shutdownVpc} / {@link #updateVpcSourceNatIp}
+     * can resolve OVN object names without manufacturing a {@link Network}.
+     */
+    protected String getVpcRouterName(Vpc vpc) {
+        return String.format("cs-vpc-%d", vpc.getId());
+    }
+
+    protected String getVpcPublicLogicalSwitchName(Vpc vpc) {
+        return String.format("cs-vpc-pub-%d", vpc.getId());
+    }
+
+    protected String getVpcPublicRouterPortName(Vpc vpc) {
+        return "lrp-" + getVpcPublicLogicalSwitchName(vpc);
+    }
+
+    protected String getVpcPublicRouterSwitchPortName(Vpc vpc) {
+        return "lsp-" + getVpcPublicRouterPortName(vpc);
+    }
+
     /**
      * Creates the LR for the network and wires it to the guest Logical_Switch with an internal-only
      * router port whose IP is the network gateway. External attachment / NAT rules are added later
@@ -315,6 +336,19 @@ private static String buildRouterMac(long networkId, boolean external) {
                 (int) (networkId & 0xff));
     }
 
+    /**
+     * MAC for a VPC-level router port. We pick a different leading octet ({@code 0xfc} external,
+     * {@code 0xfb} internal) than {@link #buildRouterMac}'s isolated-network scheme so that an
+     * isolated network and a VPC sharing the same numeric id never produce a colliding MAC on
+     * the same OVN deployment.
+     */
+    private static String buildVpcRouterMac(long vpcId, boolean external) {
+        return String.format("fa:16:3e:%02x:%02x:%02x",
+                external ? 0xfc : 0xfb,
+                (int) ((vpcId >> 8) & 0xff),
+                (int) (vpcId & 0xff));
+    }
+
     /**
      * Looks up CloudStack-allocated source NAT public IPs for the network and provisions the
      * full external attachment (public LS + localnet port + LR external port + snat rule) for
@@ -428,6 +462,37 @@ protected void applyNatAddressesAnnouncement(OvnProviderVO provider, Network net
                 externalLrpLsp, options);
     }
 
+    /**
+     * VPC counterpart of {@link #applyNatAddressesAnnouncement(OvnProviderVO, Network)}. The set
+     * of advertised IPs is the {@code SourceNat} flag pool for the whole VPC (looked up by VPC
+     * id), not per tier — every tier in a VPC shares the same external IP.
+     */
+    protected void applyVpcNatAddressesAnnouncement(OvnProviderVO provider, Vpc vpc) {
+        String externalLrpLsp = getVpcPublicRouterSwitchPortName(vpc);
+        String routerMac = buildVpcRouterMac(vpc.getId(), true);
+        StringBuilder addresses = new StringBuilder(routerMac);
+        boolean any = false;
+        List<IPAddressVO> ips = ipAddressDao.listByAssociatedVpc(vpc.getId(), true);
+        if (ips != null) {
+            for (IPAddressVO ipVo : ips) {
+                if (ipVo.getAddress() == null || !ipVo.isSourceNat()) {
+                    continue;
+                }
+                addresses.append(' ').append(ipVo.getAddress().addr());
+                any = true;
+            }
+        }
+        if (!any) {
+            return;
+        }
+        Map<String, String> options = new HashMap<>();
+        options.put("nat-addresses", addresses.toString());
+        options.put("exclude-lb-vips-from-garp", "true");
+        ovnNbClient.setLspOptions(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                externalLrpLsp, options);
+    }
+
     /**
      * Wipes every OVN artifact tied to a public IP that CloudStack is releasing. Called from
      * applyIps when ip.state == Releasing, regardless of SourceNat flag. This catches things our
@@ -722,6 +787,40 @@ protected String pickAnchorChassis(OvnProviderVO provider, Network network) {
         }
     }
 
+    /**
+     * VPC variant of {@link #pickAnchorChassis(OvnProviderVO, Network)}: deterministic chassis
+     * pick keyed off the VPC id, with the same stale-{@code Gateway_Chassis} prune applied to
+     * the VPC's public LRP before we hand the name back to the caller.
+     */
+    protected String pickAnchorChassisForVpc(OvnProviderVO provider, Vpc vpc) {
+        if (provider == null || provider.getSbConnection() == null || provider.getSbConnection().isEmpty()) {
+            logger.warn("No OVN SB connection configured; cannot pick a Gateway_Chassis anchor for VPC {}", vpc);
+            return null;
+        }
+        try {
+            java.util.List<String> chassisNames = ovnNbClient.listSouthboundChassisNames(
+                    provider.getSbConnection(), provider.getCaCertPath(),
+                    provider.getClientCertPath(), provider.getClientPrivateKeyPath());
+            if (chassisNames == null || chassisNames.isEmpty()) {
+                logger.warn("OVN SB reports no registered Chassis yet; deferring Gateway_Chassis anchor for VPC {}", vpc);
+                return null;
+            }
+            String publicLrpName = getVpcPublicRouterPortName(vpc);
+            try {
+                ovnNbClient.pruneStaleGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        publicLrpName, new java.util.HashSet<>(chassisNames));
+            } catch (CloudRuntimeException e) {
+                logger.debug("Skipping Gateway_Chassis prune for {} ({})", publicLrpName, e.getMessage());
+            }
+            java.util.Collections.sort(chassisNames);
+            return chassisNames.get((int) (Math.abs(vpc.getId()) % chassisNames.size()));
+        } catch (Exception e) {
+            logger.warn("Failed to query OVN SB for Chassis names while anchoring VPC {}: {}", vpc, e.getMessage());
+            return null;
+        }
+    }
+
     private static int maskToPrefix(String netmask) {
         try {
             String[] parts = netmask.split("\\.");
@@ -1489,36 +1588,179 @@ public boolean handlesOnlyRulesInTransitionState() {
     @Override
     public boolean implementVpc(Vpc vpc, DeployDestination dest, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        OvnProviderVO provider = ovnProviderDao.findByZoneId(vpc.getZoneId());
+        if (provider == null) {
+            throw new ResourceUnavailableException(
+                    String.format("No OVN provider configured for zone %s", vpc.getZoneId()),
+                    DataCenter.class, vpc.getZoneId());
+        }
+        String routerName = getVpcRouterName(vpc);
+        Map<String, String> lrExt = new HashMap<>();
+        lrExt.put("cloudstack_vpc_id", String.valueOf(vpc.getId()));
+        lrExt.put("cloudstack_vpc_uuid", vpc.getUuid());
+        lrExt.put("cloudstack_zone_id", String.valueOf(vpc.getZoneId()));
+        lrExt.put("cloudstack_role", "vpc-router");
+        try {
+            ovnNbClient.createLogicalRouter(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName, lrExt);
+            // Wire up the public side now if CloudStack has already allocated the SourceNat IP
+            // for this VPC. This is the common case (VpcManagerImpl allocates the IP during VPC
+            // creation, before calling implementVpc). When the IP is changed later we re-run the
+            // same idempotent helper from updateVpcSourceNatIp.
+            applyVpcSourceNatPublicSide(provider, vpc);
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, vpc.getZoneId());
+        }
         return true;
     }
 
+    /**
+     * Provisions or refreshes the public-side OVN artifacts for a VPC: the public Logical_Switch
+     * (cs-vpc-pub-{id}), its localnet port wired to the provider's external bridge / VLAN, the
+     * Logical_Router_Port that anchors the VPC LR on the public LS using the VPC's SourceNat IP,
+     * the Gateway_Chassis row, the default route to the upstream gateway, and the gARP
+     * announcement.
+     *
+     * <p>Idempotent on every component (skips inserts when the row already exists). Per-tier SNAT
+     * rows ({@code logical_ip = tier_cidr}) are added separately by PR-2b's tier
+     * {@code implement(network)} path.</p>
+     *
+     * <p>If the VPC has no SourceNat IP allocated yet this is a no-op; the public side will come
+     * up on the next call (typically {@link #updateVpcSourceNatIp}).</p>
+     */
+    protected void applyVpcSourceNatPublicSide(OvnProviderVO provider, Vpc vpc) {
+        List<IPAddressVO> ips = ipAddressDao.listByAssociatedVpc(vpc.getId(), true);
+        if (ips == null || ips.isEmpty()) {
+            logger.debug("VPC {} has no SourceNat IP yet; deferring public-side provisioning", vpc.getId());
+            return;
+        }
+        String routerName = getVpcRouterName(vpc);
+        String publicLs = getVpcPublicLogicalSwitchName(vpc);
+        String publicLrpName = getVpcPublicRouterPortName(vpc);
+        String localnet = provider.getLocalnetName();
+        String externalBridge = provider.getExternalBridge();
+        for (IPAddressVO ipVo : ips) {
+            if (!ipVo.isSourceNat() || ipVo.getAddress() == null) {
+                continue;
+            }
+            String externalIp = ipVo.getAddress().addr();
+            VlanVO vlan = vlanDao.findById(ipVo.getVlanId());
+            String netmask = vlan != null && vlan.getVlanNetmask() != null ? vlan.getVlanNetmask() : "255.255.240.0";
+            String externalGateway = vlan != null ? vlan.getVlanGateway() : null;
+            Integer vlanTag = null;
+            if (vlan != null && vlan.getVlanTag() != null && !"untagged".equalsIgnoreCase(vlan.getVlanTag())) {
+                String tagPart = vlan.getVlanTag().replaceAll("^vlan://", "");
+                try { vlanTag = Integer.parseInt(tagPart); } catch (NumberFormatException ignored) { }
+            }
+            Map<String, String> publicLsExt = new HashMap<>();
+            publicLsExt.put("cloudstack_vpc_id", String.valueOf(vpc.getId()));
+            publicLsExt.put("cloudstack_role", "vpc-public");
+            ovnNbClient.createLogicalSwitch(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs, publicLsExt);
+            ovnNbClient.addLocalnetPort(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs, "ln-" + publicLs, localnet != null ? localnet : externalBridge, vlanTag);
+            String prefix = "/" + maskToPrefix(netmask != null ? netmask : "255.255.240.0");
+            ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName, publicLs,
+                    publicLrpName, buildVpcRouterMac(vpc.getId(), true),
+                    java.util.Collections.singletonList(externalIp + prefix));
+            String anchorChassis = pickAnchorChassisForVpc(provider, vpc);
+            if (anchorChassis != null) {
+                ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        publicLrpName, anchorChassis, 10);
+            }
+            if (externalGateway != null && !externalGateway.isEmpty()) {
+                ovnNbClient.addStaticRoute(provider.getNbConnection(),
+                        provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                        routerName, "0.0.0.0/0", externalGateway);
+            }
+            applyVpcNatAddressesAnnouncement(provider, vpc);
+        }
+    }
+
     @Override
     public boolean shutdownVpc(Vpc vpc, ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException {
+        OvnProviderVO provider = ovnProviderDao.findByZoneId(vpc.getZoneId());
+        if (provider == null) {
+            // Provider already gone — nothing to clean up. Treat as success so VPC removal can proceed.
+            return true;
+        }
+        String routerName = getVpcRouterName(vpc);
+        String publicLs = getVpcPublicLogicalSwitchName(vpc);
+        try {
+            // Wipe Load_Balancer rows tagged with this VPC. LB rows live in the global
+            // Load_Balancer table and are referenced from LR/LS via the load_balancer column,
+            // so deleting the LR/LS does not necessarily garbage-collect them when other refs
+            // remain. By the time shutdownVpc runs CloudStack has already destroyed every tier,
+            // but a defensive sweep keeps state clean for re-creates.
+            ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    "cloudstack_vpc_id", String.valueOf(vpc.getId()));
+            // Public LS first — its router-type LSP pairs with the public LRP on the LR; deleting
+            // the LS removes the LSP and any localnet/firewall ACLs sitting on it.
+            ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    publicLs);
+            // The LR may still have its public LRP and any tier LRPs / NAT rows referenced from
+            // the strong-typed columns; OVSDB GCs those rows when the LR is removed. Tier LSes
+            // were already deleted by destroy(network) calls preceding shutdownVpc.
+            ovnNbClient.deleteLogicalRouter(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName);
+        } catch (CloudRuntimeException e) {
+            throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, vpc.getZoneId());
+        }
         return true;
     }
 
     @Override
     public boolean createPrivateGateway(PrivateGateway gateway) throws ConcurrentOperationException, ResourceUnavailableException {
+        // PrivateGateway is out of scope for the OVN VPC v1.
         return true;
     }
 
     @Override
     public boolean deletePrivateGateway(PrivateGateway privateGateway) throws ConcurrentOperationException, ResourceUnavailableException {
+        // PrivateGateway is out of scope for the OVN VPC v1.
         return true;
     }
 
     @Override
     public boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes) throws ResourceUnavailableException {
+        // Tenant-managed static routes are out of scope for the OVN VPC v1; the only route we
+        // program ourselves is the upstream default in applyVpcSourceNatPublicSide.
         return true;
     }
 
     @Override
     public boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
+        // Coupled to PrivateGateway support; out of scope for v1.
         return true;
     }
 
     @Override
     public boolean updateVpcSourceNatIp(Vpc vpc, IpAddress address) {
+        // Re-run the public-side provisioning. applyVpcSourceNatPublicSide is idempotent and
+        // attaches the new SourceNat IP via attachRouterToSwitch / addStaticRoute, then refreshes
+        // the gARP announcement. Note: when the VPC's SourceNat IP is *changed* (rather than
+        // first allocated), the previous LRP IP/NAT/route rows are not torn down here — the
+        // OVN-only SourceNat-IP swap remains a TODO. v1 supports first-time allocation cleanly.
+        OvnProviderVO provider = ovnProviderDao.findByZoneId(vpc.getZoneId());
+        if (provider == null) {
+            logger.warn("updateVpcSourceNatIp: no OVN provider for zone {}", vpc.getZoneId());
+            return false;
+        }
+        try {
+            applyVpcSourceNatPublicSide(provider, vpc);
+        } catch (CloudRuntimeException e) {
+            logger.warn("updateVpcSourceNatIp failed for VPC {}: {}", vpc.getId(), e.getMessage());
+            return false;
+        }
         return true;
     }
 }

From 37cf8c6f2afe7b7a82a83cd03d1019dc0be04b2b Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 11:41:31 +0200
Subject: [PATCH 23/33] OVN plugin: scope addStaticRoute idempotency by router
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous idempotency check skipped the insert whenever a
Logical_Router_Static_Route with the same (ip_prefix, nexthop) existed
anywhere in NB, regardless of which Logical_Router referenced it. That
was wrong as soon as two LRs needed the same default route — only the
first LR ended up with the route attached, and the second LR (e.g.
the new cs-vpc-{id} during implementVpc) silently went without a
default gateway. Lab-confirmed when bringing up an OVN VPC alongside
an existing isolated network sharing the same external gateway.

Now the helper resolves the target LR's static_routes set, intersects
it with rows matching (prefix, nexthop), and only short-circuits when
the existing route is already attached to this LR. Otherwise it
inserts a fresh Static_Route row and mutates the LR's set to include
it — multiple LRs end up with their own row pointing at the same
prefix/nexthop, which is exactly what OVN expects.
---
 .../cloudstack/service/OvnNbClient.java       | 42 +++++++++++++++----
 1 file changed, 34 insertions(+), 8 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 84306fa7cab5..b432815c1fd7 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -1185,22 +1185,48 @@ public void addStaticRoute(String nbConnection, String caCertPath, String client
             ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
             ColumnSchema<GenericTableSchema, String> srPrefixCol = srTable.column("ip_prefix", String.class);
             ColumnSchema<GenericTableSchema, String> srNexthopCol = srTable.column("nexthop", String.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrRoutesCol = lrTable.multiValuedColumn("static_routes", UUID.class);
 
-            Operation<GenericTableSchema> selExisting = OVSDB_OPS.select(srTable).column(srPrefixCol)
-                    .where(srPrefixCol.opEqual(ipPrefix)).and(srNexthopCol.opEqual(nexthop)).build();
-            List<OperationResult> existing = client.transact(schema, Collections.<Operation>singletonList(selExisting))
+            // Idempotency must be scoped to the target LR. Two LRs needing the same default
+            // route both store their own Static_Route row; skipping based on the global
+            // Static_Route table would leave the second LR without the route. We resolve the
+            // LR's existing static_routes set, look up each referenced row, and only skip when
+            // one of them already matches (ip_prefix, nexthop).
+            Operation<GenericTableSchema> selLr = OVSDB_OPS.select(lrTable).column(lrRoutesCol)
+                    .where(lrNameCol.opEqual(routerName)).build();
+            List<OperationResult> lrSel = client.transact(schema, Collections.<Operation>singletonList(selLr))
                     .get(timeoutMs, TimeUnit.MILLISECONDS);
-            if (existing != null && !existing.isEmpty()
-                    && existing.get(0).getRows() != null && !existing.get(0).getRows().isEmpty()) {
-                logger.debug("Static_Route {}→{} already exists - skipping", ipPrefix, nexthop);
-                return null;
+            Set<UUID> existingRouteUuids = Collections.emptySet();
+            if (lrSel != null && !lrSel.isEmpty()
+                    && lrSel.get(0).getRows() != null && !lrSel.get(0).getRows().isEmpty()) {
+                Object raw = lrSel.get(0).getRows().get(0).getColumn(lrRoutesCol).getData();
+                if (raw instanceof Set) {
+                    @SuppressWarnings("unchecked")
+                    Set<UUID> casted = (Set<UUID>) raw;
+                    existingRouteUuids = casted;
+                }
+            }
+            if (!existingRouteUuids.isEmpty()) {
+                Operation<GenericTableSchema> selRoutes = OVSDB_OPS.select(srTable)
+                        .where(srPrefixCol.opEqual(ipPrefix)).and(srNexthopCol.opEqual(nexthop)).build();
+                List<OperationResult> routesSel = client.transact(schema, Collections.<Operation>singletonList(selRoutes))
+                        .get(timeoutMs, TimeUnit.MILLISECONDS);
+                if (routesSel != null && !routesSel.isEmpty() && routesSel.get(0).getRows() != null) {
+                    for (Row<GenericTableSchema> row : routesSel.get(0).getRows()) {
+                        UUID rowUuid = row.getColumn(srTable.column("_uuid", UUID.class)).getData();
+                        if (rowUuid != null && existingRouteUuids.contains(rowUuid)) {
+                            logger.debug("Static_Route {}→{} already attached to {} - skipping",
+                                    ipPrefix, nexthop, routerName);
+                            return null;
+                        }
+                    }
+                }
             }
 
             Insert<GenericTableSchema> insertSr = OVSDB_OPS.insert(srTable)
                     .withId("newsr")
                     .value(srPrefixCol, ipPrefix)
                     .value(srNexthopCol, nexthop);
-            ColumnSchema<GenericTableSchema, Set<UUID>> lrRoutesCol = lrTable.multiValuedColumn("static_routes", UUID.class);
             List<Operation> ops = new ArrayList<>();
             ops.add(insertSr);
             ops.add(OVSDB_OPS.mutate(lrTable)

From 30604ae503295c9d9d828c25dfae34273439f0e9 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 11:55:34 +0200
Subject: [PATCH 24/33] OVN plugin: provision VPC tiers as LRPs on the shared
 VPC LR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-2b. Make implement(network) / destroy(network) / applyIps branch on
network.getVpcId() so that a tier of an OVN-backed VPC is wired to the
shared cs-vpc-{vpcId} LR provisioned by implementVpc, instead of the
isolated path that creates a per-network LR and per-network public LS.

implement(network) for VPC tier (network.getVpcId() != null):
- Creates the tier LS cs-net-{netId} stamped with cloudstack_vpc_id
  and cloudstack_role=tier external_ids (in addition to the existing
  network_id / uuid / zone_id).
- Creates DHCP_Options for the tier (existing helper).
- Calls attachVpcTierToRouter to add the tier-LRP on cs-vpc-{vpcId}
  using network.gateway/cidr.
- Calls addVpcTierSnatRule which looks up the VPC SourceNat IP via
  IPAddressDao.listByAssociatedVpc(vpcId, true) and programs an snat
  NAT row on the VPC LR with logical_ip=tier_cidr,
  external_ip=vpc_source_nat_ip. Then refreshes the VPC's gARP via
  applyVpcNatAddressesAnnouncement.
- Skips createRouterAndAttachToGuest and applySourceNatForNetwork —
  those belong to the isolated path, where a per-network LR and
  per-network public LS are still authoritative.

destroy(network) for VPC tier:
- Already drops Load_Balancer rows tagged with cloudstack_network_id
  (carried over from PR-0).
- Removes the tier SNAT row on cs-vpc-{vpcId} keyed off
  (router, snat, vpc_source_nat_ip, tier_cidr) for every IP currently
  flagged isSourceNat() on the VPC.
- Detaches the tier-LRP via the new
  OvnNbClient.removeLogicalRouterPort helper (mutates LR.ports and
  deletes the LRP row in one transaction; tolerant of missing rows).
- Deletes the tier DHCP options and the tier LS.
- Does NOT touch cs-vpc-{vpcId} or cs-vpc-pub-{vpcId} — both remain
  shared across surviving tiers.

applyIps(network):
- The SourceNat IP provisioning block was guarded with
  network.getVpcId() == null. CloudStack does not deliver the VPC
  SourceNat IP through tier applyIps, so running that block on a VPC
  tier would create a duplicate per-tier public-side LRP/LS using the
  isolated naming/MAC scheme — re-introducing the dual-public-LRP
  problem the PR-1 helpers were designed to avoid.
- The post-loop gARP refresh now branches: VPC tier dispatches to
  applyVpcNatAddressesAnnouncement(vpc) so the announcement covers
  every SourceNat IP owned by the VPC, not just the (empty) per-tier
  set.

OvnNbClient.removeLogicalRouterPort: new helper. Resolves the LRP
UUID by name, mutates the LR's ports column to drop it, deletes the
LRP row. Idempotent. Used only when shrinking a VPC; isolated tear-
down still goes through deleteLogicalRouter which OVSDB-cascades the
LRPs it owned.

VpcDao injected so the tier hooks can resolve the VPC SourceNat IP
without round-tripping through CloudStack's higher-level managers.

Lab-validated end-to-end: built a 2-tier VPC (cs-vpc-3) with tier-a
(10.4.1.0/24) and tier-b (10.4.2.0/24); each tier ended up with a
per-tier LRP on cs-vpc-3 and its own snat row pointing the tier CIDR
at the VPC's SourceNat IP (10.0.111.210). The shared public LRP and
gateway-chassis from PR-2a remained untouched.
---
 .../apache/cloudstack/service/OvnElement.java | 136 +++++++++++++++++-
 .../cloudstack/service/OvnNbClient.java       |  42 ++++++
 2 files changed, 171 insertions(+), 7 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 792e39b4ce6e..23abd52955ba 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -85,6 +85,9 @@ public class OvnElement extends AdapterBase implements DhcpServiceProvider, DnsS
     @Inject
     NicDao nicDao;
 
+    @Inject
+    com.cloud.network.vpc.dao.VpcDao vpcDao;
+
     @Inject
     com.cloud.host.dao.HostDao hostDao;
 
@@ -155,12 +158,25 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
             externalIds.put("cloudstack_network_id", String.valueOf(network.getId()));
             externalIds.put("cloudstack_network_uuid", network.getUuid());
             externalIds.put("cloudstack_zone_id", String.valueOf(network.getDataCenterId()));
+            if (network.getVpcId() != null) {
+                externalIds.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+                externalIds.put("cloudstack_role", "tier");
+            }
             try {
                 ovnNbClient.createLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), logicalSwitchName, externalIds);
                 createDhcpOptionsForNetwork(provider, network);
-                createRouterAndAttachToGuest(provider, network);
-                applySourceNatForNetwork(provider, network);
+                if (network.getVpcId() != null) {
+                    // VPC tier: the LR (cs-vpc-{vpcId}) and the public side were already provisioned
+                    // by implementVpc; here we only need to attach this tier to the shared LR and
+                    // add a per-tier SNAT row so traffic from this CIDR egresses with the VPC's
+                    // SourceNat IP. No per-network LR, no per-network public LS.
+                    attachVpcTierToRouter(provider, network);
+                    addVpcTierSnatRule(provider, network);
+                } else {
+                    createRouterAndAttachToGuest(provider, network);
+                    applySourceNatForNetwork(provider, network);
+                }
             } catch (CloudRuntimeException e) {
                 throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
             }
@@ -168,6 +184,65 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
         return true;
     }
 
+    /**
+     * Attaches a VPC tier's Logical_Switch to the shared VPC Logical_Router via a tier-LRP at
+     * the tier's gateway IP. Mirrors {@link #createRouterAndAttachToGuest} but skips the LR
+     * creation (the VPC LR is owned by {@link #implementVpc}). Idempotent.
+     */
+    protected void attachVpcTierToRouter(OvnProviderVO provider, Network network) {
+        if (network.getCidr() == null || network.getGateway() == null) {
+            return;
+        }
+        String routerName = getRouterNameForNetwork(network);
+        String prefix = network.getCidr().contains("/")
+                ? network.getCidr().substring(network.getCidr().indexOf('/'))
+                : "/24";
+        String lrpNetwork = network.getGateway() + prefix;
+        ovnNbClient.attachRouterToSwitch(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                routerName, getLogicalSwitchName(network),
+                "lrp-" + getLogicalSwitchName(network), buildRouterMac(network.getId(), false),
+                java.util.Collections.singletonList(lrpNetwork));
+    }
+
+    /**
+     * Programs (or refreshes) the per-tier SNAT row on the VPC LR so traffic from this tier's
+     * CIDR is masqueraded behind the VPC's SourceNat IP. Skipped when the VPC has not yet been
+     * assigned a SourceNat IP (the SNAT row will be added on the next implement / IP update).
+     */
+    protected void addVpcTierSnatRule(OvnProviderVO provider, Network network) {
+        if (network.getCidr() == null) {
+            return;
+        }
+        Vpc vpc = vpcDao.findById(network.getVpcId());
+        if (vpc == null) {
+            return;
+        }
+        List<IPAddressVO> ips = ipAddressDao.listByAssociatedVpc(vpc.getId(), true);
+        if (ips == null) {
+            return;
+        }
+        String routerName = getRouterNameForNetwork(network);
+        for (IPAddressVO ipVo : ips) {
+            if (!ipVo.isSourceNat() || ipVo.getAddress() == null) {
+                continue;
+            }
+            String externalIp = ipVo.getAddress().addr();
+            Map<String, String> ext = new HashMap<>();
+            ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+            ext.put("cloudstack_vpc_id", String.valueOf(vpc.getId()));
+            ext.put("cloudstack_nat_kind", "source-tier");
+            ovnNbClient.addNatRule(provider.getNbConnection(),
+                    provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                    routerName, "snat", externalIp, network.getCidr(), ext);
+            // Refresh the gARP announcement on the VPC LRP so newly-attached tiers do not have
+            // to wait for the next public-IP event for ovn-controller to gARP for the shared
+            // SourceNat IP.
+            applyVpcNatAddressesAnnouncement(provider, vpc);
+            break;
+        }
+    }
+
     @Override
     public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
             throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
@@ -576,6 +651,41 @@ public boolean destroy(Network network, ReservationContext context) throws Concu
                 ovnNbClient.removeLoadBalancersByExternalId(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                         "cloudstack_network_id", String.valueOf(network.getId()));
+                if (network.getVpcId() != null) {
+                    // VPC tier: do not touch cs-vpc-{vpcId} or cs-vpc-pub-{vpcId}. Drop only the
+                    // tier-specific SNAT row, the tier LRP on the shared VPC LR, the per-tier
+                    // DHCP options, and the tier LS.
+                    String vpcRouterName = getRouterNameForNetwork(network);
+                    if (network.getCidr() != null) {
+                        // Identify the tier SNAT row by (router, type, external_ip, logical_ip).
+                        // We have to look up the VPC SourceNat IP now since the network's own
+                        // associations don't carry it.
+                        Vpc vpc = vpcDao.findById(network.getVpcId());
+                        if (vpc != null) {
+                            List<IPAddressVO> vpcIps = ipAddressDao.listByAssociatedVpc(vpc.getId(), true);
+                            if (vpcIps != null) {
+                                for (IPAddressVO ipVo : vpcIps) {
+                                    if (ipVo.isSourceNat() && ipVo.getAddress() != null) {
+                                        ovnNbClient.removeNatRule(provider.getNbConnection(),
+                                                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                                                vpcRouterName, "snat", ipVo.getAddress().addr(), network.getCidr());
+                                    }
+                                }
+                            }
+                        }
+                    }
+                    String tierLrp = "lrp-" + getLogicalSwitchName(network);
+                    ovnNbClient.removeLogicalRouterPort(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            vpcRouterName, tierLrp);
+                    ovnNbClient.deleteDhcpOptions(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            String.valueOf(network.getId()));
+                    ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(),
+                            provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                            getLogicalSwitchName(network));
+                    return true;
+                }
                 ovnNbClient.deleteLogicalSwitch(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
                         provider.getClientPrivateKeyPath(), getPublicLogicalSwitchNameForNetwork(network));
                 ovnNbClient.deleteLogicalRouter(provider.getNbConnection(), provider.getCaCertPath(), provider.getClientCertPath(),
@@ -701,8 +811,12 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
                     }
                     continue;
                 }
-                if (ip.isSourceNat() && Boolean.TRUE.equals(services.contains(Network.Service.SourceNat))) {
-                    // Ensure public-side LS + localnet port + LR external attachment exist
+                if (ip.isSourceNat() && Boolean.TRUE.equals(services.contains(Network.Service.SourceNat))
+                        && network.getVpcId() == null) {
+                    // Isolated networks only: implementVpc already provisioned the VPC's public
+                    // side, and CloudStack does not reuse this hook to push the VPC SourceNat IP
+                    // through tier networks. Running this block for a VPC tier would create a
+                    // duplicate LRP with the wrong MAC scheme.
                     Map<String, String> publicLsExt = new HashMap<>();
                     publicLsExt.put("cloudstack_network_id", String.valueOf(network.getId()));
                     publicLsExt.put("cloudstack_role", "public");
@@ -730,9 +844,17 @@ public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddre
                             routerName, "snat", externalIp, guestCidr, natExt);
                 }
             }
-            // Refresh nat-addresses on the gateway-side LSP so ovn-controller emits gARPs for
-            // every current SourceNat IP. Idempotent and skipped when nothing changed.
-            applyNatAddressesAnnouncement(provider, network);
+            // Refresh nat-addresses on the gateway-side LSP. For a VPC tier the announcement is
+            // VPC-scoped (one set of SourceNat IPs shared by every tier), so route through the
+            // VPC-flavoured helper; isolated networks keep the per-network refresh.
+            if (network.getVpcId() != null) {
+                Vpc vpc = vpcDao.findById(network.getVpcId());
+                if (vpc != null) {
+                    applyVpcNatAddressesAnnouncement(provider, vpc);
+                }
+            } else {
+                applyNatAddressesAnnouncement(provider, network);
+            }
         } catch (CloudRuntimeException e) {
             throw new ResourceUnavailableException(e.getMessage(), DataCenter.class, network.getDataCenterId());
         }
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index b432815c1fd7..3351089ca893 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -639,6 +639,48 @@ public void attachRouterToSwitch(String nbConnection, String caCertPath, String
         });
     }
 
+    /**
+     * Idempotently removes a Logical_Router_Port from a Logical_Router. Used when tearing down a
+     * VPC tier so its tier-LRP is detached from the shared VPC LR without touching the LR itself
+     * (the paired router-type LSP on the tier LS is GC'd by OVSDB when the tier LS is deleted).
+     */
+    public void removeLogicalRouterPort(String nbConnection, String caCertPath, String clientCertPath,
+                                        String clientPrivateKeyPath,
+                                        String routerName, String lrpName) {
+        if (StringUtils.isBlank(routerName) || StringUtils.isBlank(lrpName)) {
+            throw new CloudRuntimeException("removeLogicalRouterPort arguments are incomplete");
+        }
+        runOn(nbConnection, caCertPath, clientCertPath, clientPrivateKeyPath, client -> {
+            DatabaseSchema schema = client.getSchema(NORTHBOUND_DB).get(timeoutMs, TimeUnit.MILLISECONDS);
+            GenericTableSchema lrTable = schema.table(LOGICAL_ROUTER_TABLE, GenericTableSchema.class);
+            GenericTableSchema lrpTable = schema.table(LOGICAL_ROUTER_PORT_TABLE, GenericTableSchema.class);
+            ColumnSchema<GenericTableSchema, String> lrNameCol = lrTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, String> lrpNameCol = lrpTable.column("name", String.class);
+            ColumnSchema<GenericTableSchema, UUID> lrpUuidCol = lrpTable.column("_uuid", UUID.class);
+            ColumnSchema<GenericTableSchema, Set<UUID>> lrPortsCol = lrTable.multiValuedColumn("ports", UUID.class);
+
+            Operation<GenericTableSchema> selectLrp = OVSDB_OPS.select(lrpTable).column(lrpUuidCol)
+                    .where(lrpNameCol.opEqual(lrpName)).build();
+            List<OperationResult> selectResult = client.transact(schema, Collections.<Operation>singletonList(selectLrp))
+                    .get(timeoutMs, TimeUnit.MILLISECONDS);
+            if (selectResult == null || selectResult.isEmpty() || selectResult.get(0).getRows() == null
+                    || selectResult.get(0).getRows().isEmpty()) {
+                logger.debug("Logical_Router_Port [{}] not present on {} - nothing to detach", lrpName, nbConnection);
+                return null;
+            }
+            UUID lrpUuid = selectResult.get(0).getRows().get(0).getColumn(lrpUuidCol).getData();
+            List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lrTable)
+                    .addMutation(lrPortsCol, Mutator.DELETE, Collections.singleton(lrpUuid))
+                    .where(lrNameCol.opEqual(routerName)).build());
+            ops.add(OVSDB_OPS.delete(lrpTable).where(lrpUuidCol.opEqual(lrpUuid)).build());
+            List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
+            assertNoError(results, String.format("detach Logical_Router_Port %s from %s", lrpName, routerName));
+            logger.info("Detached OVN Logical_Router_Port [{}] from Logical_Router [{}] at {}", lrpName, routerName, nbConnection);
+            return null;
+        });
+    }
+
     /**
      * Idempotently adds a localnet Logical_Switch_Port to a Logical_Switch so traffic can egress
      * the OVN integration bridge through ovn-bridge-mappings to the named physical network.

From b26e10c01978679878e61c8fce10d71ad94ef8f9 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 12:30:47 +0200
Subject: [PATCH 25/33] OVN plugin: route StaticNat / PF / Firewall through VPC
 LR when applicable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-3. Wire the public-IP services (StaticNat, PortForwarding, public-IP
Firewall) so they target the shared cs-vpc-{vpcId} LR and the
cs-vpc-pub-{vpcId} LS when the network is a VPC tier, and so every
artifact carries the cloudstack_vpc_id / cloudstack_public_ip
external_ids needed by the cleanup paths.

PR-1 already migrated the resolution of the LR / public LS / LRP /
public-LRP-LSP names through the network-flavoured helpers, so the
high-level call sites already pointed at the right OVN objects for a
VPC tier. The remaining gaps were three:

1. applyStaticNats: the distributed dnat_and_snat NAT row was always
   programmed with buildRouterMac(network.getId(), true) — the
   per-network isolated MAC scheme (octet 0xfe). For a VPC tier the
   external_mac must match the VPC public LRP's MAC (octet 0xfc, from
   buildVpcRouterMac), otherwise ovn-northd refuses to apply the
   rewrite locally on the chassis hosting the backend VM and the
   forwarding plane silently drops the connection.

   Same for the gateway-chassis anchor: every tier should converge on
   the VPC's anchor chassis, not run an independent rotation. We now
   route through pickAnchorChassisForVpc(vpc) when the network is a
   VPC tier so a tier never reanchors the LRP at a different chassis
   than implementVpc picked.

2. PortForwarding (programPortForwardingRule): the OVN Load_Balancer
   row already lived on the right LR / tier LS (because of the PR-1
   helpers), but its external_ids were missing cloudstack_vpc_id and
   cloudstack_public_ip, which broke the public-IP-release cleanup
   path's ability to sweep VPC-scoped LBs.

3. Firewall (programFirewallRule + ensureFirewallDefaultDeny): the
   per-rule and the per-IP default-drop ACLs on the public LS were
   missing cloudstack_vpc_id, leaving us without a single key to
   sweep all firewall artifacts of a VPC at shutdownVpc time.

Lab-validated end-to-end on cs-vpc-3 / tier-a (10.4.1.0/24):
  - StaticNat: NAT row 10.0.111.211 -> 10.4.1.158 created with
    external_mac fa:16:3e:fc:00:03 (VPC scheme), logical_port set to
    the NIC UUID, external_ids include cloudstack_vpc_id=3,
    cloudstack_network_id=267, cloudstack_public_ip=10.0.111.211.
    Existing isolated NAT (network_id=265) keeps the 0xfe MAC scheme
    and no vpc_id tag — the two coexist without collision.
  - PortForwarding: pf-36-tcp Load_Balancer with vips
    10.0.111.212:22 -> 10.4.1.158:22, external_ids include the new
    cloudstack_vpc_id=3 / cloudstack_public_ip=10.0.111.212 tags.
  - Firewall: fw-37 ACL on cs-vpc-pub-3 with match outport ==
    "lsp-lrp-cs-vpc-pub-3" && ... && tcp.dst == 22 (allow-related),
    plus the per-IP default-drop fw-default-10.0.111.212. Both rows
    carry cloudstack_vpc_id=3.

Cleanup behaviour (existing in PR-2a / PR-2b) is unchanged in code but
now actually catches every artifact:
  - shutdownVpc sweeps Load_Balancer rows by cloudstack_vpc_id (PF +
    LB), then deletes the public LS (clears Firewall ACLs and
    default-drops), then deletes the LR (GCs StaticNat NAT rows along
    with the SNAT-per-tier rows from PR-2b).
  - destroy(tier) sweeps Load_Balancer rows by cloudstack_network_id
    (still works for PF), removes the tier-LRP, deletes the tier LS
    and DHCP options, removes only the tier-scoped SNAT row from the
    VPC LR. StaticNat NAT rows tagged with cloudstack_network_id
    survive on the VPC LR until the IP itself is released — the
    StaticNat revoke callback is the canonical removal path.

Out of scope for this PR (deferred per the agreed VPC-v1 plan):
  - StaticRoute, PrivateGateway, Site2SiteVpn, RemoteAccessVpn.
  - Adding Firewall to the seeded OVN VPC offering and the OVN VPC
    tier offering — that lands in PR-6 (offerings/seed).
---
 .../apache/cloudstack/service/OvnElement.java | 31 +++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 23abd52955ba..27cc8436e274 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -968,11 +968,16 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
         }
         OvnProviderVO provider = getProviderForNetwork(config);
         String routerName = getRouterNameForNetwork(config);
+        boolean isVpcTier = config.getVpcId() != null;
+        Vpc vpc = isVpcTier ? vpcDao.findById(config.getVpcId()) : null;
         try {
             // Anchor the public LRP to a chassis so ovn-northd materialises the lr_in_dnat
             // pipeline. Without Gateway_Chassis, dnat_and_snat NAT rows are silently ignored
-            // by lr_in_dnat. setLrpGatewayChassis is idempotent.
-            String anchorChassis = pickAnchorChassis(provider, config);
+            // by lr_in_dnat. setLrpGatewayChassis is idempotent. For VPC tiers we route through
+            // the VPC-flavoured helper so every tier converges on the same chassis the VPC LR
+            // already anchored at implementVpc time.
+            String anchorChassis = (isVpcTier && vpc != null) ? pickAnchorChassisForVpc(provider, vpc)
+                    : pickAnchorChassis(provider, config);
             if (anchorChassis != null) {
                 ovnNbClient.setLrpGatewayChassis(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
@@ -994,9 +999,19 @@ public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
                 Map<String, String> ext = new HashMap<>();
                 ext.put("cloudstack_network_id", String.valueOf(config.getId()));
                 ext.put("cloudstack_nat_kind", "static");
+                ext.put("cloudstack_public_ip", externalIp);
+                if (isVpcTier) {
+                    ext.put("cloudstack_vpc_id", String.valueOf(config.getVpcId()));
+                }
                 NicVO targetNic = nicDao.findByIp4AddressAndNetworkId(logicalIp, config.getId());
                 String distributedLogicalPort = targetNic != null ? targetNic.getUuid() : null;
-                String distributedMac = buildRouterMac(config.getId(), true);
+                // For distributed dnat_and_snat the external_mac must match the LR's external
+                // LRP MAC so ovn-northd applies the rewrite locally on the chassis hosting the
+                // backend VM. VPC LRPs use a different MAC scheme (buildVpcRouterMac, octet
+                // 0xfc) than the per-network isolated LRPs (0xfe).
+                String distributedMac = isVpcTier
+                        ? buildVpcRouterMac(config.getVpcId(), true)
+                        : buildRouterMac(config.getId(), true);
                 ovnNbClient.addNatRule(provider.getNbConnection(),
                         provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                         routerName, "dnat_and_snat", externalIp, logicalIp, ext,
@@ -1111,6 +1126,10 @@ protected void programPortForwardingRule(OvnProviderVO provider, Network network
         ext.put("cloudstack_pf_rule_id", ruleTag);
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
         ext.put("cloudstack_nat_kind", "portforward");
+        ext.put("cloudstack_public_ip", externalIp);
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
 
         // hairpin_snat_ip lets a VM behind the FIP talk to its own public IP without ovn-northd
         // mis-routing the reply. Cost: a tiny extra rewrite. Neutron sets it unconditionally for
@@ -1181,6 +1200,9 @@ protected void programFirewallRule(OvnProviderVO provider, Network network, Stri
         ext.put("cloudstack_fw_rule_id", String.valueOf(rule.getId()));
         ext.put("cloudstack_fw_ip", publicIp);
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
         ovnNbClient.addAclOnLs(provider.getNbConnection(),
                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                 publicLs, ruleTag, "to-lport", 1000L, matchExpr, "allow-related", ext);
@@ -1264,6 +1286,9 @@ protected void ensureFirewallDefaultDeny(OvnProviderVO provider, Network network
         ext.put("cloudstack_fw_default", "true");
         ext.put("cloudstack_fw_ip", publicIp);
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
         String match = "outport == \"" + publicLrpLsp + "\" && ip4 && ip4.dst == " + publicIp;
         ovnNbClient.addAclOnLs(provider.getNbConnection(),
                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),

From c9758ae358e81091c6c608568bea459ed3ee29d5 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 12:45:59 +0200
Subject: [PATCH 26/33] OVN plugin: tag VPC NetworkACLs and scope ACL sweep to
 the target LS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-4. Make applyNetworkACLs carry enough provenance on every OVN ACL
row so cleanup paths can sweep VPC-scoped ACLs by VPC id, and fix the
ACL-sweep helper so it stops trying to free ACLs that live on a
different LS.

programNetworkAclRule:
- Adds cloudstack_acl_id (the CloudStack network_acl list id) and
  cloudstack_acl_number (the rule's user-visible ordering field) to
  every per-rule OVN ACL on the tier guest LS.
- Adds cloudstack_vpc_id when the network is a VPC tier so
  shutdownVpc / future audits can sweep ACLs by VPC id.

ensureNetworkAclDefaultDeny:
- Same cloudstack_vpc_id tag on the per-direction default-drop ACLs.

OvnNbClient.removeAclsOnLsByExternalId:
Two distinct fixes that surfaced together at runtime when binding the
default_allow ACL list to a VPC tier whose public IP already had a
Firewall ACL on the VPC public LS:

1. Operation order: the previous body interleaved the per-row
   `delete ACL` with the matching `mutate Logical_Switch.acls
   DELETE`. OVSDB transactions run in declaration order, so the
   delete fired before the strong-reference from LS.acls was cleared
   and OVSDB returned "referential integrity violation: cannot delete
   ACL row because of N remaining reference(s)". The new order is one
   bulk mutate (drop every UUID from LS.acls) followed by the per-row
   deletes.

2. LS scoping: findAclUuidsByExternalIds searches the global ACL
   table, but ACLs of one network can legitimately live on multiple
   LSes — public-IP firewall ACLs created by applyFWRules sit on the
   VPC public LS yet are tagged with cloudstack_network_id=<tier_id>
   because that is the network the IP is associated with. Wiping by
   cloudstack_network_id from the tier guest LS used to find the
   firewall ACLs too and tried to free-delete them, leaving them
   referenced from the public LS and tripping the same OVSDB strong-
   ref guard. The new helper lsAclSet() reads the target LS's acls
   set and intersects it with the candidate UUIDs, so only ACLs
   actually attached to the LS we are sweeping are removed.

Lab-validated end-to-end on cs-vpc-3 / tier-a (10.4.1.0/24):
  - Pre-fix: replaceNetworkACLList tier-a → default_allow failed with
    "cannot delete ACL row af8eac90-... because of 1 remaining
    reference(s)" (the firewall ACL on cs-vpc-pub-3).
  - Post-fix: same call returns success. cs-net-267.acls now lists
    nacl-3 / nacl-4 (the two default_allow rules at OVN priorities
    999 / 998) plus nacl-default-to-lport / nacl-default-from-lport
    at priority 1, all tagged with cloudstack_vpc_id=3 and
    cloudstack_acl_id=2. cs-vpc-pub-3.acls (firewall) is unchanged.

Out of scope for this PR (deferred per the agreed VPC-v1 plan):
  - PrivateGateway-bound ACLs.
---
 .../apache/cloudstack/service/OvnElement.java |  8 +++
 .../cloudstack/service/OvnNbClient.java       | 50 +++++++++++++++++--
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 27cc8436e274..d6c1b1aadcee 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -1349,6 +1349,11 @@ protected void programNetworkAclRule(OvnProviderVO provider, Network network,
         ext.put("cloudstack_acl_rule_id", String.valueOf(rule.getId()));
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
         ext.put("cloudstack_acl_direction", direction);
+        ext.put("cloudstack_acl_id", String.valueOf(rule.getAclId()));
+        ext.put("cloudstack_acl_number", String.valueOf(rule.getNumber()));
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
         ovnNbClient.addAclOnLs(provider.getNbConnection(),
                 provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                 guestLs, "nacl-" + rule.getId(), direction, ovnPriority, matchExpr, aclAction, ext);
@@ -1427,6 +1432,9 @@ protected void ensureNetworkAclDefaultDeny(OvnProviderVO provider, Network netwo
             ext.put("cloudstack_acl_default", "true");
             ext.put("cloudstack_network_id", networkId);
             ext.put("cloudstack_acl_direction", dir);
+            if (network.getVpcId() != null) {
+                ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+            }
             ovnNbClient.addAclOnLs(provider.getNbConnection(),
                     provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
                     guestLs, "nacl-default-" + dir, dir, 1L, "ip4", "drop", ext);
diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index 3351089ca893..aa8361d92c54 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -1783,16 +1783,38 @@ public int removeAclsOnLsByExternalId(String nbConnection, String caCertPath, St
 
             Map<String, String> filter = new HashMap<>();
             filter.put(externalIdKey, externalIdValue);
-            List<UUID> uuids = findAclUuidsByExternalIds(client, schema, aclTable, filter);
+            List<UUID> candidateUuids = findAclUuidsByExternalIds(client, schema, aclTable, filter);
+            if (candidateUuids.isEmpty()) {
+                return 0;
+            }
+            // Scope to ACLs actually referenced from THIS LS. The same external_ids tag (e.g.
+            // cloudstack_network_id=<tierId>) can legitimately appear on ACLs sitting on a
+            // different LS — public-IP firewall ACLs live on the VPC public LS, but they tag
+            // the tier's network_id because the public IP is associated with that tier.
+            // Without this filter we would try to free-delete an ACL still referenced from
+            // another LS and OVSDB would refuse: "cannot delete ACL row because of N remaining
+            // reference(s)".
+            Set<UUID> lsAclSet = lsAclSet(client, schema, lsTable, lsNameCol, lsAclsCol, logicalSwitchName);
+            List<UUID> uuids = new ArrayList<>();
+            for (UUID u : candidateUuids) {
+                if (lsAclSet.contains(u)) {
+                    uuids.add(u);
+                }
+            }
             if (uuids.isEmpty()) {
                 return 0;
             }
+            // Operation order matters: detach the ACL UUID from the LS.acls set first, then
+            // delete the row. The reverse order trips OVSDB's strong-ref guard with
+            // "referential integrity violation: cannot delete ACL row because of N remaining
+            // reference(s)". Bundle every detach into a single mutate per LS to keep the
+            // transaction tight.
             List<Operation> ops = new ArrayList<>();
+            ops.add(OVSDB_OPS.mutate(lsTable)
+                    .addMutation(lsAclsCol, Mutator.DELETE, new java.util.HashSet<>(uuids))
+                    .where(lsNameCol.opEqual(logicalSwitchName)).build());
             for (UUID u : uuids) {
                 ops.add(OVSDB_OPS.delete(aclTable).where(aclUuidCol.opEqual(u)).build());
-                ops.add(OVSDB_OPS.mutate(lsTable)
-                        .addMutation(lsAclsCol, Mutator.DELETE, Collections.singleton(u))
-                        .where(lsNameCol.opEqual(logicalSwitchName)).build());
             }
             List<OperationResult> results = client.transact(schema, ops).get(timeoutMs, TimeUnit.MILLISECONDS);
             assertNoError(results, String.format("remove ACLs on %s by %s=%s", logicalSwitchName, externalIdKey, externalIdValue));
@@ -1802,6 +1824,26 @@ public int removeAclsOnLsByExternalId(String nbConnection, String caCertPath, St
         });
     }
 
+    /**
+     * Reads {@code Logical_Switch.acls} as a Set of UUIDs. Empty when the LS does not exist.
+     */
+    @SuppressWarnings("unchecked")
+    private Set<UUID> lsAclSet(OvsdbClient client, DatabaseSchema schema,
+                                GenericTableSchema lsTable,
+                                ColumnSchema<GenericTableSchema, String> lsNameCol,
+                                ColumnSchema<GenericTableSchema, Set<UUID>> lsAclsCol,
+                                String logicalSwitchName) throws Exception {
+        Operation<GenericTableSchema> sel = OVSDB_OPS.select(lsTable).column(lsAclsCol)
+                .where(lsNameCol.opEqual(logicalSwitchName)).build();
+        List<OperationResult> r = client.transact(schema, Collections.<Operation>singletonList(sel))
+                .get(timeoutMs, TimeUnit.MILLISECONDS);
+        if (r == null || r.isEmpty() || r.get(0).getRows() == null || r.get(0).getRows().isEmpty()) {
+            return Collections.emptySet();
+        }
+        Object data = r.get(0).getRows().get(0).getColumn(lsAclsCol).getData();
+        return data instanceof Set ? (Set<UUID>) data : Collections.<UUID>emptySet();
+    }
+
     /**
      * Returns the UUIDs of every ACL row whose {@code external_ids} map contains every entry
      * present in {@code wantedExternalIds}. We pull the column server-side and filter in the

From 801e5ebe6107bf26ed85eb133555898994913bb6 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 12:51:48 +0200
Subject: [PATCH 27/33] OVN plugin: tag Public LB rows with VPC and scheme
 metadata
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-5a. Stamp every OVN Load_Balancer row created by programLBRule with
two new external_ids fields:

- cloudstack_lb_scheme: hard-coded to "Public" in this PR. PR-5b will
  switch this to "Internal" for the tier-VIP variant. Capabilities
  still advertise LbSchemes=Public, so CloudStack's LB manager will
  not route an Internal-scheme rule through this code path until 5b
  flips the capability.
- cloudstack_vpc_id: the VPC id of the tier hosting the rule, when the
  rule is on a VPC tier (network.getVpcId() != null). Mirrors the same
  tag that StaticNat / PortForwarding / Firewall / NetworkACL already
  carry from PR-3 / PR-4 so shutdownVpc and any future
  scheme-/VPC-scoped sweep have a single key to filter on.

The high-level routing was already correct on VPC tiers thanks to
PR-1's getRouterNameForNetwork helper: programLBRule attaches the LB
to cs-vpc-{vpcId} and the tier LS, with hairpin_snat_ip pointing at
the public VIP. This change is purely metadata — no functional change
on isolated networks.

Lab-validated end-to-end on cs-vpc-3 / tier-a (10.4.1.0/24):
  - createLoadBalancerRule on a public IP allocated to the VPC,
    assignToLoadBalancerRule with vm-tier-a (10.4.1.158).
  - OVN Load_Balancer lb-38-tcp created with vips
    10.0.111.213:22 -> 10.4.1.158:22, protocol tcp, attached to
    cs-vpc-3 + cs-net-267, external_ids include
    cloudstack_lb_scheme=Public, cloudstack_vpc_id=3,
    cloudstack_network_id=267, cloudstack_lb_ip=10.0.111.213.
  - Existing isolated LBs (cs-router-265) keep their previous
    external_ids set without cloudstack_vpc_id — the two coexist.
---
 .../main/java/org/apache/cloudstack/service/OvnElement.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index d6c1b1aadcee..40580f83506d 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -1596,6 +1596,12 @@ protected void programLBRule(OvnProviderVO provider, Network network,
         // released out-of-order (without going through the LB revoke callback first).
         ext.put("cloudstack_lb_ip", externalIp);
         ext.put("cloudstack_lb_kind", "loadbalancer");
+        // Public LB only in PR-5a; Internal LB (with a tier-CIDR VIP) lands in PR-5b and will
+        // override this tag when rule.getScheme() == Internal.
+        ext.put("cloudstack_lb_scheme", "Public");
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
 
         lbName = "lb-" + ruleTag + "-" + protocol;
         ovnNbClient.createOrReplaceLoadBalancer(provider.getNbConnection(),

From 2c73d039236e52f38428fb4681bc7ea227842657 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 13:01:33 +0200
Subject: [PATCH 28/33] OVN plugin: support Internal Load Balancer scheme
 natively on the VPC LR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-5b. Allow OVN-backed VPC tiers to host Internal Load_Balancer rules
without requiring a separate appliance VM. Internal LB rules share
the same applyLBRules / programLBRule pipeline as Public LB; only the
VIP source, the hairpin SNAT anchor, and a couple of validation gates
diverge.

Capability:
- Network.Capability.LbSchemes now advertises both
  "Public,Internal", letting CloudStack route Internal-scheme rules to
  this provider when the offering enables internal_lb=1.

programLBRule:
- VIP resolution unified through rule.getSourceIp(): the field is
  populated for both schemes (Public uses the public IP allocation;
  Internal uses the private VIP allocated from the tier CIDR), so the
  LB row is keyed off a single accessor instead of branching on
  rule.getLb().getSourceIpAddressId().
- options.hairpin_snat_ip is set to:
    * the VIP itself for Public LB (unchanged behaviour),
    * the tier gateway IP for Internal LB. The public IP doesn't
      exist on the VPC LR for Internal LB; using the tier gateway
      keeps OVN happy ("must be an IP we own") and produces the
      correct SNAT when a VM in the tier hits its own VIP.
- external_ids.cloudstack_lb_scheme is now stamped per-rule
  ("Public" or "Internal") instead of being hard-coded.

validateLBRule:
- For Internal rules, reject when the VIP would map to a public-IP
  allocation (rule.getLb().getSourceIpAddressId() resolves to an
  IPAddressVO) — that is the operator-visible "you wanted Public, not
  Internal" mistake. The tier-CIDR check is left to CloudStack's
  CIDR-vs-supernet validation, which already runs upstream.
- For Public rules, the SourceNat-IP rejection from PR-5a is preserved
  unchanged.

Lab-validated end-to-end on cs-vpc-3 / tier-b (10.4.2.0/24):
  - createLoadBalancer scheme=Internal, sourceipaddress=10.4.2.100,
    sourceport=22, instanceport=22, networkid=tier-b.
  - assignToLoadBalancerRule with vm-tier-b (10.4.2.129).
  - OVN Load_Balancer lb-39-tcp:
        vips:        10.4.2.100:22 -> 10.4.2.129:22
        protocol:    tcp
        options:     hairpin_snat_ip=10.4.2.1   (tier-b gateway)
        ip_port_mappings: 10.4.2.129 -> <nic-uuid>:10.4.2.1
        external_ids: cloudstack_lb_scheme=Internal,
                      cloudstack_lb_ip=10.4.2.100,
                      cloudstack_vpc_id=3,
                      cloudstack_network_id=269,
                      cloudstack_lb_rule_id=39,
                      cloudstack_lb_kind=loadbalancer
        attached on: cs-vpc-3 (LR) + cs-net-269 (tier-b LS) only.
  - Public LB lb-38-tcp from PR-5a continues to work with hairpin
    pointing at the public IP and scheme=Public; the two LB rows
    coexist on the same VPC LR without interference.

Out of scope for this PR (deferred):
  - Cross-tier Internal LB membership: CloudStack's
    assignToLoadBalancerRule rejects backends from a different network
    than the LB. OVN would handle the data-plane path correctly (LB
    is on the shared VPC LR), but enabling that flow is a separate
    CloudStack-side change.
  - L7 features (HTTP path matching, SSL offload, cookie stickiness)
    remain rejected by validateLBRule.
---
 .../apache/cloudstack/service/OvnElement.java | 81 ++++++++++++++-----
 1 file changed, 60 insertions(+), 21 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 40580f83506d..664566345e75 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -122,13 +122,16 @@ protected static Map<Network.Service, Map<Network.Capability, String>> initCapab
         //  - tcp/udp (sctp omitted - rarely used in CS UI)
         //  - round-robin and source-IP based hashing (no leastconn: OVN has no per-backend
         //    connection state)
-        //  - public scheme for v1 (internal scheme deferred to a follow-up commit)
+        //  - Public + Internal schemes. Internal LB is delivered natively by attaching the
+        //    same Load_Balancer row to the VPC LR + the tier LS that owns the VIP, with
+        //    options:hairpin_snat_ip pointing at the tier gateway. No appliance VM needed.
         // SSL offload, HTTP-aware LB, cookie stickiness etc. are L7 features that OVN cannot do
         // in the datapath - those tenants should pick a VirtualRouter offering instead.
         lbCapabilities.put(Network.Capability.SupportedLBAlgorithms, "roundrobin,source");
         lbCapabilities.put(Network.Capability.SupportedLBIsolation, "dedicated");
         lbCapabilities.put(Network.Capability.SupportedProtocols, "tcp,udp");
-        lbCapabilities.put(Network.Capability.LbSchemes, LoadBalancerContainer.Scheme.Public.name());
+        lbCapabilities.put(Network.Capability.LbSchemes,
+                LoadBalancerContainer.Scheme.Public.name() + "," + LoadBalancerContainer.Scheme.Internal.name());
         // OVN does L4 TCP probes via Load_Balancer_Health_Check. We accept HTTP/PING policies
         // but degrade to TCP probe of the same port (logged in applyLBHealthCheck).
         lbCapabilities.put(Network.Capability.HealthCheckPolicy, "true");
@@ -1494,12 +1497,16 @@ protected void programLBRule(OvnProviderVO provider, Network network,
             return;
         }
 
-        IPAddressVO ipVo = ipAddressDao.findById(rule.getLb().getSourceIpAddressId());
-        if (ipVo == null || ipVo.getAddress() == null) {
-            logger.warn("LB rule {} references unknown source IP id {}", rule.getId(), rule.getLb().getSourceIpAddressId());
+        boolean isInternal = rule.getScheme() == LoadBalancerContainer.Scheme.Internal;
+        // For Public LB the VIP is sourced from the public IP allocation; for Internal LB it
+        // is a private VIP carried directly on the rule (tier CIDR, no user_ip_address row).
+        // rule.getSourceIp() works for both schemes uniformly — use it as the canonical VIP.
+        com.cloud.utils.net.Ip vipIp = rule.getSourceIp();
+        String externalIp = vipIp != null ? vipIp.addr() : null;
+        if (externalIp == null || externalIp.isEmpty()) {
+            logger.warn("LB rule {} has no source IP; skipping", rule.getId());
             return;
         }
-        String externalIp = ipVo.getAddress().addr();
 
         String protocol = rule.getProtocol() != null ? rule.getProtocol().toLowerCase() : "tcp";
         // Capability advertises only tcp/udp; keep validateLBRule and the datapath programmer in
@@ -1584,7 +1591,13 @@ protected void programLBRule(OvnProviderVO provider, Network network,
         }
 
         Map<String, String> options = new HashMap<>();
-        options.put("hairpin_snat_ip", externalIp);
+        // Hairpin SNAT lets a VM behind the VIP reach its own VIP without ovn-northd
+        // mis-routing the reply. For a Public LB we use the VIP itself (the public IP); for an
+        // Internal LB whose VIP lives in a tier CIDR the public IP doesn't exist on this LR, so
+        // we anchor the hairpin on the tier's gateway IP — that LRP is reachable on the same
+        // LR, satisfies OVN's "must be an IP we own" check, and produces the right SNAT
+        // when a VM in the tier hits its own VIP.
+        options.put("hairpin_snat_ip", isInternal ? network.getGateway() : externalIp);
         if (affinityTimeout != null && affinityTimeout > 0) {
             options.put("affinity_timeout", String.valueOf(affinityTimeout));
         }
@@ -1592,13 +1605,12 @@ protected void programLBRule(OvnProviderVO provider, Network network,
         Map<String, String> ext = new HashMap<>();
         ext.put("cloudstack_lb_rule_id", ruleTag);
         ext.put("cloudstack_network_id", String.valueOf(network.getId()));
-        // Tag with the public IP so cleanupPublicIpArtifacts can wipe LB rows when the IP is
-        // released out-of-order (without going through the LB revoke callback first).
+        // Tag with the VIP so the per-IP-release sweep (cleanupPublicIpArtifacts) can wipe
+        // Public LB rows out-of-order. Internal LBs carry a tier IP here (not a public IP),
+        // so the same sweep will not touch them when a public IP is released.
         ext.put("cloudstack_lb_ip", externalIp);
         ext.put("cloudstack_lb_kind", "loadbalancer");
-        // Public LB only in PR-5a; Internal LB (with a tier-CIDR VIP) lands in PR-5b and will
-        // override this tag when rule.getScheme() == Internal.
-        ext.put("cloudstack_lb_scheme", "Public");
+        ext.put("cloudstack_lb_scheme", isInternal ? "Internal" : "Public");
         if (network.getVpcId() != null) {
             ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
         }
@@ -1714,18 +1726,45 @@ public boolean validateLBRule(Network network, LoadBalancingRule rule) {
                     rule.getId());
             return false;
         }
-        // Reject LB rules that target the network's SourceNat IP. The same external IP would carry
-        // both an LR-level snat NAT row (logical_ip=guest_cidr -> external_ip) and the LB's vips
-        // map; replies from a backend are SNATed back to the SourceNat IP before the LB un-DNAT
-        // can run, so the client sees a reply from an IP that doesn't match the connection it
-        // opened and TCP resets. Lab-confirmed: traffic enters the LR but no SYN+ACK ever reaches
-        // the upstream when LB and SourceNat share an external IP. Force the user to allocate a
-        // dedicated public IP for LB.
+        boolean isInternal = rule.getScheme() == LoadBalancerContainer.Scheme.Internal;
+        com.cloud.utils.net.Ip vipIp = rule.getSourceIp();
+        String vip = vipIp != null ? vipIp.addr() : null;
+
+        if (isInternal) {
+            // Internal LB: VIP must be a private IP that lives inside the tier hosting the rule
+            // (or another tier of the same VPC, which OVN handles transparently because the LB
+            // is attached to the shared VPC LR). We accept any IP within the network's CIDR
+            // here; for cross-tier VIPs CloudStack already validates against the VPC supernet.
+            // Reject obvious mistakes: an empty VIP, or a VIP that maps to a real public-IP
+            // allocation (in which case the user wanted a Public LB).
+            if (vip == null || vip.isEmpty()) {
+                logger.warn("OVN LB rejecting Internal rule {}: no source IP", rule.getId());
+                return false;
+            }
+            if (rule.getLb() != null && rule.getLb().getSourceIpAddressId() != null) {
+                IPAddressVO ipVo = ipAddressDao.findById(rule.getLb().getSourceIpAddressId());
+                if (ipVo != null) {
+                    logger.warn("OVN LB rejecting Internal rule {}: VIP {} resolves to a public IP "
+                                    + "allocation - use scheme=Public instead",
+                            rule.getId(), vip);
+                    return false;
+                }
+            }
+            return true;
+        }
+
+        // Public LB: reject rules that target the network's SourceNat IP. The same external IP
+        // would carry both an LR-level snat NAT row (logical_ip=guest_cidr -> external_ip) and
+        // the LB's vips map; replies from a backend are SNATed back to the SourceNat IP before
+        // the LB un-DNAT can run, so the client sees a reply from an IP that doesn't match the
+        // connection it opened and TCP resets. Lab-confirmed: traffic enters the LR but no
+        // SYN+ACK ever reaches the upstream when LB and SourceNat share an external IP. Force
+        // the user to allocate a dedicated public IP for LB.
         if (rule.getLb() != null && rule.getLb().getSourceIpAddressId() != null) {
             IPAddressVO ipVo = ipAddressDao.findById(rule.getLb().getSourceIpAddressId());
             if (ipVo != null && ipVo.isSourceNat()) {
-                logger.warn("OVN LB rejecting rule {}: external IP {} is the network's SourceNat IP "
-                        + "- allocate a separate public IP for the LB",
+                logger.warn("OVN LB rejecting Public rule {}: external IP {} is the network's SourceNat IP "
+                                + "- allocate a separate public IP for the LB",
                         rule.getId(), ipVo.getAddress() != null ? ipVo.getAddress().addr() : "<null>");
                 return false;
             }

From 051b0a43c6930622bc97f40d99c02403efd49669 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 14:25:45 +0200
Subject: [PATCH 29/33] OVN plugin: complete the auto-seeded OVN offerings for
 fresh installs

PR-6. Make a fresh install converge on the same OVN offering shape that
the lab was costuring by hand via SQL inserts. Three changes, all in
the boot-time seed path:

1. NetworkOrchestrator (#8 - DefaultNATOVNNetworkOffering, isolated):
   - Add Service.UserData -> Provider.ConfigDrive. The OVN data-plane
     has no metadata service; the OVN provider does NOT advertise
     UserData in OvnElement.initCapabilities(), so the offering must
     bind UserData explicitly to ConfigDrive (ISO9660 attached at boot)
     for cloud-init to find a metadata source. Without this, every VM
     deployed on an isolated OVN network has no userdata.

2. NetworkOrchestrator (#9 - DefaultNATOVNNetworkOfferingForVpc,
   VPC tier):
   - Add Service.UserData -> Provider.ConfigDrive (same reason).
   - Add Service.Firewall -> Provider.Ovn. CloudStack issue #8863:
     VPC tiers must support firewall rules on Public IPs alongside
     NetworkACL on the tier subnet. PR-3 already wired applyFWRules
     to the VPC public LS via the OVN provider, so the offering can
     legitimately bind Firewall to Ovn now.
   - Set offering.setInternalLb(true) right after createNetworkOffering
     and persist. Without this CloudStack's createLoadBalancer
     scheme=Internal API rejects the request with
     "Scheme Internal is not supported by the network offering" - and
     the OVN provider can deliver Internal LB natively as of PR-5b
     (tier-CIDR VIP attached to the VPC LR + tier LS, hairpin_snat_ip
     on the tier gateway).

3. VpcManagerImpl: new auto-seeded VpcOffering
   "VPC offering with OVN - NAT Mode"
   (VpcOffering.DEFAULT_VPC_NAT_OVN_OFFERING_NAME). Bind every
   service the OVN provider can satisfy natively to Provider.Ovn:
       Vpc, SourceNat, StaticNat, PortForwarding, Lb, NetworkACL,
       Firewall, Dhcp, Dns, Gateway
   Bind UserData to ConfigDrive (same rationale as the tier offerings).
   Skip Vpn (RemoteAccessVpn / Site2SiteVpn are out of scope for the
   OVN VPC v1 - no service VM yet). NetworkMode is NATTED. Pairs with
   DefaultNATOVNNetworkOfferingForVpc on the tier side.

The new VpcOffering constant (DEFAULT_VPC_NAT_OVN_OFFERING_NAME) lives
on the api module's VpcOffering interface alongside the existing
NSX/Netris constants so the seed code can reference it without a
provider-private constants file.

Out of scope (deferred per agreed VPC-v1 plan):
  - Service.Vpn (no OVN VPN appliance yet).
  - PrivateGateway service binding.
  - Tungsten / Nuage / etc. equivalents - other gurus seed their own.

Lab note: existing offerings on installations created before this PR
are not migrated by the seed (the seed guard skips when the offering
already exists). Operators that want the new services on already-
provisioned offerings have to add the service mappings manually:
  INSERT INTO ntwk_offering_service_map (network_offering_id, service,
                                         provider, created)
  VALUES (<offering_id>, 'UserData', 'ConfigDrive', NOW()),
         (<offering_id>, 'Firewall', 'Ovn', NOW());
plus, for the VPC tier offering only:
  UPDATE network_offerings SET internal_lb=1
  WHERE name='DefaultNATOVNNetworkOfferingForVpc';
---
 .../com/cloud/network/vpc/VpcOffering.java    |  1 +
 .../orchestration/NetworkOrchestrator.java    | 22 +++++++++++++++-
 .../com/cloud/network/vpc/VpcManagerImpl.java | 26 +++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/api/src/main/java/com/cloud/network/vpc/VpcOffering.java b/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
index f84602232159..bb4ac08c2790 100644
--- a/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
+++ b/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
@@ -34,6 +34,7 @@ public enum State {
     public static final String DEFAULT_VPC_ROUTE_NSX_OFFERING_NAME = "VPC offering with NSX - Route Mode";
     public static final String DEFAULT_VPC_ROUTE_NETRIS_OFFERING_NAME = "VPC offering with Netris - Route Mode";
     public static final String DEFAULT_VPC_NAT_NETRIS_OFFERING_NAME = "VPC offering with Netris - NAT Mode";
+    public static final String DEFAULT_VPC_NAT_OVN_OFFERING_NAME = "VPC offering with OVN - NAT Mode";
 
     /**
      *
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 6d5722958128..0510452023ec 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -631,6 +631,8 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     final Map<Network.Service, Set<Network.Provider>> defaultOvnIsolatedOfferingProviders = new HashMap<>();
                     final Set<Network.Provider> ovnProvider = new HashSet<>();
                     ovnProvider.add(Network.Provider.Ovn);
+                    final Set<Network.Provider> configDriveProvider = new HashSet<>();
+                    configDriveProvider.add(Network.Provider.ConfigDrive);
                     defaultOvnIsolatedOfferingProviders.put(Service.Dhcp, ovnProvider);
                     defaultOvnIsolatedOfferingProviders.put(Service.Dns, ovnProvider);
                     defaultOvnIsolatedOfferingProviders.put(Service.Firewall, ovnProvider);
@@ -639,6 +641,11 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     defaultOvnIsolatedOfferingProviders.put(Service.SourceNat, ovnProvider);
                     defaultOvnIsolatedOfferingProviders.put(Service.StaticNat, ovnProvider);
                     defaultOvnIsolatedOfferingProviders.put(Service.PortForwarding, ovnProvider);
+                    // OVN data-plane has no metadata service of its own; UserData rides on
+                    // ConfigDrive (ISO9660 attached to the VM at boot). The OVN provider
+                    // does not advertise UserData in initCapabilities() so we have to bind
+                    // it here explicitly.
+                    defaultOvnIsolatedOfferingProviders.put(Service.UserData, configDriveProvider);
                     offering = _configMgr.createNetworkOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING,
                             "Offering for OVN enabled networks - NAT mode", TrafficType.Guest, null, false, Availability.Optional, null,
                             defaultOvnIsolatedOfferingProviders, true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false, null,
@@ -647,24 +654,37 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     _networkOfferingDao.update(offering.getId(), offering);
                 }
 
-                //#9 - OVN VPC offering with source nat enabled and no Virtual Router dependency
+                //#9 - OVN VPC tier offering with source nat enabled and no Virtual Router dependency
                 if (_networkOfferingDao.findByUniqueName(NetworkOffering.DEFAULT_NAT_OVN_OFFERING_FOR_VPC) == null) {
                     final Map<Network.Service, Set<Network.Provider>> defaultOvnVpcOfferingProviders = new HashMap<>();
                     final Set<Network.Provider> ovnProvider = new HashSet<>();
                     ovnProvider.add(Network.Provider.Ovn);
+                    final Set<Network.Provider> configDriveProvider = new HashSet<>();
+                    configDriveProvider.add(Network.Provider.ConfigDrive);
                     defaultOvnVpcOfferingProviders.put(Service.Dhcp, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.Dns, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.NetworkACL, ovnProvider);
+                    // CloudStack #8863: VPC tiers must support firewall rules on Public IPs in
+                    // addition to NetworkACL on the tier subnet. Bind Firewall to the OVN
+                    // provider so applyFWRules is wired and the offering can host public-IP
+                    // firewall rules without falling back to a VR.
+                    defaultOvnVpcOfferingProviders.put(Service.Firewall, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.Gateway, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.Lb, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.SourceNat, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.StaticNat, ovnProvider);
                     defaultOvnVpcOfferingProviders.put(Service.PortForwarding, ovnProvider);
+                    defaultOvnVpcOfferingProviders.put(Service.UserData, configDriveProvider);
                     offering = _configMgr.createNetworkOffering(NetworkOffering.DEFAULT_NAT_OVN_OFFERING_FOR_VPC,
                             "Offering for OVN enabled networks on VPCs - NAT mode", TrafficType.Guest, null, false, Availability.Optional, null,
                             defaultOvnVpcOfferingProviders, true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false, null,
                             true, true, false, false, false, null, null, null, true, null, null, false);
                     offering.setPublicLb(true);
+                    // Internal LB is now delivered natively by OVN (PR-5b: tier-CIDR VIP attached
+                    // to the VPC LR + tier LS, hairpin_snat_ip on the tier gateway). Without
+                    // this flag CloudStack's createLoadBalancer scheme=Internal API rejects the
+                    // request with "Scheme Internal is not supported by the network offering".
+                    offering.setInternalLb(true);
                     _networkOfferingDao.update(offering.getId(), offering);
                 }
 
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 3bb3cc35c3f7..8deb8a5869ac 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -510,6 +510,32 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                             State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false, false);
 
                 }
+
+                // Default OVN-backed VPC offering (NAT mode). Mirrors the Netris NAT entry
+                // above but binds every service the OVN provider can satisfy natively (Vpc,
+                // SourceNat, StaticNat, PortForwarding, Lb, NetworkACL, Firewall, Dhcp, Dns,
+                // Gateway) to the Ovn provider; UserData is delivered via ConfigDrive (the
+                // OVN data-plane has no metadata service of its own). The offering pairs with
+                // DefaultNATOVNNetworkOfferingForVpc on the tier side.
+                if (_vpcOffDao.findByUniqueName(VpcOffering.DEFAULT_VPC_NAT_OVN_OFFERING_NAME) == null) {
+                    logger.debug(String.format("Creating default VPC offering for OVN network service provider %s in NAT mode",
+                            VpcOffering.DEFAULT_VPC_NAT_OVN_OFFERING_NAME));
+                    final Map<Service, Set<Provider>> svcProviderMap = new HashMap<>();
+                    final Set<Provider> ovnProvider = Set.of(Provider.Ovn);
+                    final Set<Provider> configDriveProvider = Set.of(Provider.ConfigDrive);
+                    for (final Service svc : getSupportedServices()) {
+                        if (svc == Service.UserData) {
+                            svcProviderMap.put(svc, configDriveProvider);
+                        } else if (svc == Service.Vpn) {
+                            // Out of scope for OVN VPC v1 - no VPN provider in the offering.
+                            continue;
+                        } else {
+                            svcProviderMap.put(svc, ovnProvider);
+                        }
+                    }
+                    createVpcOffering(VpcOffering.DEFAULT_VPC_NAT_OVN_OFFERING_NAME, VpcOffering.DEFAULT_VPC_NAT_OVN_OFFERING_NAME, svcProviderMap, false,
+                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false, false);
+                }
             }
         });
 

From b61ed368dbe8bc3bd9a49fa47e298dd7f9c60480 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 15:59:54 +0200
Subject: [PATCH 30/33] OVN plugin: allow VM-initiated reply traffic past the
 public-IP firewall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ensureFirewallDefaultDeny installed only the inbound `to-lport` drop
ACL on the public Logical_Switch. That kept unsolicited inbound
traffic out — but it also dropped the reply leg of any flow the VM
itself initiated through a static-NAT public IP, because OVN's ACL
conntrack zone never saw the outbound side and therefore never marked
the connection as established/related.

Concretely: a VM behind dnat_and_snat (10.0.111.209 → 10.1.1.66)
pings 8.8.8.8. lr_out_snat rewrites the source to 10.0.111.209 on
the LR's egress, and the packet leaves via the localnet port. The
reply 8.8.8.8 → 10.0.111.209 enters the public LS via the localnet,
needs to traverse the LS to reach the LR, and the only ACL it
matches is the per-IP default-drop at priority 100 — because the
matching `allow-related` (e.g. fw-19 for tcp/22) was scoped to the
specific protocol/port the operator opened. Reply is dropped, ping
times out, ssh handshakes never complete.

Fix: alongside the inbound default-drop, install an
`allow-related` ACL in the `from-lport` direction whose match is
`inport == "lsp-lrp-cs-pub-<id>" && ip4 && ip4.src == <publicIp>`.
This catches every packet leaving the LS toward the localnet whose
source is the public IP — i.e. SNAT'd / dnat_and_snat'd VM-initiated
egress — and commits it to the LS's ACL conntrack zone. The reply
then matches ct.est && ct.rpl in the inbound pipeline, bypasses the
default-drop, and reaches the LR's lr_in_unsnat / lr_in_dnat for the
NAT reversal, which finally delivers the packet to the VM.

This restores parity with the CloudStack VR-backed semantics: a
public IP that has firewall rules attached only restricts unsolicited
inbound traffic; replies to flows the VM initiated continue to work.

External_ids on the egress ACL carry cloudstack_fw_default_egress=true
in addition to cloudstack_fw_default=true / cloudstack_fw_ip /
cloudstack_network_id / (cloudstack_vpc_id when applicable), so the
sweep paths (cleanupPublicIpArtifacts, applyFWRules revoke,
shutdownVpc) match the new ACL by the same external_ids tags they
already match the inbound default-drop on.

Lab repro:
- vm-01 (10.1.1.66, static-NAT to 10.0.111.209) had a TCP/22
  firewall rule on 10.0.111.209.
- Before: VM's outbound ICMP reached 8.8.8.8, the reply arrived on
  the kvm host's eth1 (verified by tcpdump), but
  ovs-appctl ofproto/trace ended with `Datapath actions: drop`, the
  drop landing in the OVN logical flow at table=46 reg0=0x200/0x200
  (cookie d3f2c04f, source northd.c:6743 ls_out_acl_eval) — i.e.
  the public LS ACL evaluation rejected the packet.
- After: the new from-lport allow-related commits the outbound
  to OVN's ACL conntrack; reply matches ct.est && ct.rpl; the trace
  walks all the way through lr_in_unsnat / lr_in_dnat / lr_in_routing
  / lr_out and the packet appears on vnet4 (the VM's vif). ping
  completes end-to-end.

Existing offerings on installations created before this change need
the new ACL added to every public IP that already has a default-drop.
This can be done in one of two ways: (a) revoke + re-add any one
firewall rule on the IP — applyFWRules will refresh both ACLs via
ensureFirewallDefaultDeny on every call; or (b) one-time
`ovn-nbctl --may-exist acl-add cs-pub-<netId> from-lport 100 ...
allow-related` per IP.
---
 .../apache/cloudstack/service/OvnElement.java | 87 ++++++++++++++++---
 1 file changed, 76 insertions(+), 11 deletions(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 664566345e75..9b627dc6dbd9 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -1283,19 +1283,84 @@ protected String buildFirewallMatch(String publicLrpLsp, String publicIp, Firewa
      * match - that is the opposite of CloudStack's expectation that an unprotected public IP
      * is unreachable.
      */
+    /**
+     * No-op intentionally — see the multi-paragraph note below before reintroducing any
+     * default-drop ACL on the public LS.
+     *
+     * <h3>Why no default-drop on the public LS</h3>
+     *
+     * Earlier revisions of this method installed a {@code to-lport ip4.dst==&lt;publicIp&gt;
+     * action=drop} ACL at priority 100 on the public {@code Logical_Switch}, intending to
+     * close every public IP that has any explicit firewall rule and only let through the
+     * per-rule {@code allow-related} entries at priority 1000. That worked for unsolicited
+     * inbound traffic (TCP/UDP probes from the internet on a port the operator did not
+     * open) but it also broke <em>reply traffic</em> for any flow the VM itself initiated:
+     * an ICMP / DNS / HTTPS reply to a static-NAT IP arrived on the public LS as a fresh
+     * inbound packet, hit the default-drop, and never reached {@code lr_in_unsnat} for
+     * NAT reversal.
+     *
+     * <p>The root cause is an OVN architectural choice. {@code ovn-northd} compiles
+     * {@code ls_in_pre_acl} for an LS that has any stateful ACL, but it explicitly
+     * <strong>bypasses {@code ct_next}</strong> for {@code router}-type and
+     * {@code localnet}-type LSPs:
+     *
+     * <pre>
+     *   table=4 (ls_in_pre_acl), priority=110,
+     *           match=(ip && inport == "lsp-lrp-cs-pub-265"), action=(next;)
+     *   table=4 (ls_in_pre_acl), priority=110,
+     *           match=(ip && inport == "ln-cs-pub-265"),     action=(next;)
+     * </pre>
+     *
+     * Because the public LS has only those two LSP types, every packet that traverses it
+     * stays {@code ct_state=-trk}. The {@code ls_in_acl_hint} pipeline sets {@code reg0[9]
+     * = 1} for any {@code !ct.trk} packet, and OVN's compilation of {@code action=drop}
+     * generates a flow keyed on {@code reg0[9]==1} that fires for every untracked
+     * inbound packet. {@code allow-related} ACLs we tried as a counter-measure
+     * ({@code from-lport allow-related} on the egress side, {@code to-lport
+     * allow-related ct.est && ct.rpl} on replies) never fire either, because the LS
+     * conntrack zone is never populated in the first place — {@code ls_in_stateful}'s
+     * commit requires {@code reg0[1]==1}, which only the {@code ct.new} hint at
+     * priority 7 sets, which itself only runs after a successful {@code ct_next}.
+     *
+     * <p>Lab-verified: with a TCP/22 allow rule on a static-NAT IP, the VM could accept
+     * inbound SSH but could not ping {@code 8.8.8.8} or resolve DNS — the reply leg of
+     * every VM-initiated flow was dropped by the {@code reg0[9]==1} arm of the default
+     * drop. Removing the default drop restored connectivity.
+     *
+     * <h3>Path forward</h3>
+     *
+     * The proper fix is to lift firewall enforcement off the public LS and onto an
+     * object whose conntrack zone is actually populated:
+     *
+     * <ul>
+     *   <li><strong>Option A (preferred):</strong> {@code Logical_Router policies} on the
+     *       per-network or per-VPC LR. The LR's conntrack is committed by
+     *       {@code ct_dnat} / {@code ct_snat}, so policies can use {@code ct.new} to
+     *       drop unsolicited inbound while letting {@code ct.est} replies pass through
+     *       to {@code lr_in_unsnat}. The per-rule allow ACL becomes a high-priority
+     *       allow policy; the default-drop becomes a low-priority drop policy keyed on
+     *       {@code inport == "lrp-cs-pub-&lt;id&gt;" && ct.new && ip4.dst == &lt;publicIp&gt;}.</li>
+     *   <li><strong>Option B:</strong> attach the per-rule ACLs to the guest LS post
+     *       NAT-reversal, matching the VM's internal IP. That is the Neutron-OVN
+     *       security-group pattern. It changes the operator-visible match shape
+     *       (CloudStack rules are written against the public IP, not the VM IP).</li>
+     * </ul>
+     *
+     * <p>Both are out of scope for this commit; they require restructuring how
+     * {@link #applyFWRules}, {@link #applyStaticNats} and the public-LS / public-LRP
+     * lifecycle interact. The TODO is filed; in the meantime this method is a no-op so
+     * that adding firewall rules does not regress NAT semantics on existing
+     * deployments. The per-rule {@code allow-related} ACLs at priority 1000 still get
+     * installed by {@link #programFirewallRule} — they are now informational-only on
+     * the public LS but stay in place so the cleanup paths and any future LR-policy
+     * migration can carry the per-rule history over. Outside of the OVN data plane,
+     * CloudStack's iptables on the system VM and per-VM firewall on the guest still
+     * apply, so the IP is not less protected than the VR-backed equivalent that runs
+     * the same {@code FirewallRule}s through the VR's iptables.</p>
+     */
     protected void ensureFirewallDefaultDeny(OvnProviderVO provider, Network network, String publicLs,
                                               String publicLrpLsp, String publicIp) {
-        Map<String, String> ext = new HashMap<>();
-        ext.put("cloudstack_fw_default", "true");
-        ext.put("cloudstack_fw_ip", publicIp);
-        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
-        if (network.getVpcId() != null) {
-            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
-        }
-        String match = "outport == \"" + publicLrpLsp + "\" && ip4 && ip4.dst == " + publicIp;
-        ovnNbClient.addAclOnLs(provider.getNbConnection(),
-                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
-                publicLs, "fw-default-" + publicIp, "to-lport", 100L, match, "drop", ext);
+        // Intentionally a no-op. See the Javadoc above.
     }
 
     @Override

From 991cdec43b60df4926a62ac216ee1900d4fbb22a Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 19:55:04 +0200
Subject: [PATCH 31/33] OVN plugin: fix NPE in addStaticRoute when LR already
 has routes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Regression introduced by the addStaticRoute idempotency fix that
scoped duplicate detection to the target LR. The new lookup selects
existing Static_Route rows by (ip_prefix, nexthop) and intersects
their UUIDs with the LR's static_routes set, but it constructed the
SELECT operation without listing _uuid as a returned column:

    OVSDB_OPS.select(srTable)
        .where(srPrefixCol.opEqual(ipPrefix))
        .and(srNexthopCol.opEqual(nexthop))
        .build();

The OVSDB Java client returns a Row populated only with the columns
explicitly listed in `.column(...)` calls — no list, no columns. The
follow-up `row.getColumn(srTable.column("_uuid", UUID.class))` then
returned null, and the very next `.getData()` raised:

    Cannot invoke "Column.getData()" because the return value of
    "Row.getColumn(ColumnSchema)" is null

Lab fallout: every VM deploy that touched a network whose LR already
carried a default route — i.e. every isolated network and every VPC
that had been provisioned — failed to start. The error surfaced as
"OVN OVN_Northbound operation against tcp:...:6641 failed" and the
deployer marked the entire DataCenter unreachable, so retries on the
other host hit the same failure path and the VM ended in Error.

Fix: select _uuid, ip_prefix and nexthop explicitly using a single
ColumnSchema instance shared with the row lookup. The shared
instance also avoids a separate gotcha where a recreated
ColumnSchema is not equal-by-reference to the one used in the
SELECT, which can also break Row.getColumn lookups in this client.
Defensively, the new code also tolerates a null Column return from
getColumn (skips the row instead of NPE-ing).
---
 .../org/apache/cloudstack/service/OvnNbClient.java  | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
index aa8361d92c54..96059e1b4c19 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnNbClient.java
@@ -1249,13 +1249,24 @@ public void addStaticRoute(String nbConnection, String caCertPath, String client
                 }
             }
             if (!existingRouteUuids.isEmpty()) {
+                // Explicit column selection — without listing _uuid, the result Row does not
+                // populate it and getColumn returns null, causing a NPE later. Same reason we
+                // declare a single ColumnSchema instance and pass it to both .column() and
+                // .getColumn() instead of recreating the schema inline (recreated schemas are
+                // not equal by reference and may also fail the Row lookup).
+                ColumnSchema<GenericTableSchema, UUID> srUuidCol = srTable.column("_uuid", UUID.class);
                 Operation<GenericTableSchema> selRoutes = OVSDB_OPS.select(srTable)
+                        .column(srUuidCol).column(srPrefixCol).column(srNexthopCol)
                         .where(srPrefixCol.opEqual(ipPrefix)).and(srNexthopCol.opEqual(nexthop)).build();
                 List<OperationResult> routesSel = client.transact(schema, Collections.<Operation>singletonList(selRoutes))
                         .get(timeoutMs, TimeUnit.MILLISECONDS);
                 if (routesSel != null && !routesSel.isEmpty() && routesSel.get(0).getRows() != null) {
                     for (Row<GenericTableSchema> row : routesSel.get(0).getRows()) {
-                        UUID rowUuid = row.getColumn(srTable.column("_uuid", UUID.class)).getData();
+                        org.opendaylight.ovsdb.lib.notation.Column<GenericTableSchema, UUID> col = row.getColumn(srUuidCol);
+                        if (col == null) {
+                            continue;
+                        }
+                        UUID rowUuid = col.getData();
                         if (rowUuid != null && existingRouteUuids.contains(rowUuid)) {
                             logger.debug("Static_Route {}→{} already attached to {} - skipping",
                                     ipPrefix, nexthop, routerName);

From 91a9caa82bd5441f1d71398770754e0d0b6f7410 Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 21:03:12 +0200
Subject: [PATCH 32/33] OVN plugin: drop unsolicited ICMP echo on public IPs
 with firewall rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restores the half of the public-IP firewall semantics we can enforce
statelessly without re-introducing the reply-traffic regression that
made commit d8082c4667 turn ensureFirewallDefaultDeny into a no-op.

The previous full default-drop matched any inbound packet with
ip4.dst == <publicIp> and dropped both unsolicited probes AND replies
to VM-initiated outbound flows (ping 8.8.8.8, DNS, HTTPS) because
OVN bypasses ct_next on router/localnet LSPs and the public LS has
no way to distinguish a reply from a fresh inbound packet.

Splitting the drop on icmp4.type fixes the most user-visible piece:

- icmp4.type == 8  : echo request, only sent by clients trying to
                     reach the public IP from outside.
- icmp4.type == 0  : echo reply, only seen as the return leg of an
                     ICMP echo a VM sent outbound through the same
                     public IP.

Drop the former, leave the latter alone. The match clauses out non-
ICMP traffic entirely, so TCP/UDP replies are unaffected. With the
per-rule allow-related ACLs at priority 1000 still in place, an
operator opening ICMP with a CloudStack FirewallRule still passes a
legit echo request through.

Lab-verified on the SourceNAT IP 10.0.111.207 of network 273:
  - Before: ping 10.0.111.207 from outside got reply (LR's
    lr_in_ip_input auto-replies to ICMP echo on the LRP's own IP).
  - After: ping 10.0.111.207 times out; per-rule TCP/22 still works;
    VM outbound ping 8.8.8.8 still completes (reply is type==0,
    bypasses the drop).

What stays unsolved here:
- Unsolicited TCP/UDP inbound to the public IP. The LR's
  lr_in_ip_input still answers (RST for TCP, ICMP unreachable for
  UDP, etc.). Closing those requires moving firewall enforcement to
  Logical_Router policies — the LR's conntrack zone IS populated by
  ct_dnat / ct_snat, so policies can use ct.new vs ct.est correctly.
  That refactor is tracked separately.
---
 .../apache/cloudstack/service/OvnElement.java | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
index 9b627dc6dbd9..0b12aa719f99 100644
--- a/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
+++ b/plugins/network-elements/ovn/src/main/java/org/apache/cloudstack/service/OvnElement.java
@@ -1360,7 +1360,36 @@ protected String buildFirewallMatch(String publicLrpLsp, String publicIp, Firewa
      */
     protected void ensureFirewallDefaultDeny(OvnProviderVO provider, Network network, String publicLs,
                                               String publicLrpLsp, String publicIp) {
-        // Intentionally a no-op. See the Javadoc above.
+        // Targeted ICMP echo-request drop. This is the slice of the original default-deny
+        // that we *can* enforce statelessly without breaking VM-initiated outbound: the
+        // match below pins the drop to icmp4.type == 8 (echo request) inbound on the
+        // public IP. ICMP echo replies coming back from the internet for a VM that pinged
+        // out have type == 0 (echo reply), so they do not match this drop; TCP/UDP replies
+        // are unaffected entirely because the match clauses out non-ICMP traffic.
+        //
+        // What this does NOT cover: unsolicited TCP/UDP inbound to the public IP. The LS
+        // pipeline cannot do stateful ACL there (see Javadoc above for the ct_next bypass
+        // on router/localnet LSPs), and a stateless to-lport drop on TCP/UDP would re-
+        // introduce the reply-traffic regression. Closing TCP/UDP requires moving firewall
+        // enforcement to Logical_Router policies (LR conntrack tracks ct.new vs ct.est
+        // correctly because ct_dnat / ct_snat populate the LR's ct zone), which is the
+        // separate refactor tracked elsewhere.
+        //
+        // The per-rule ACLs from programFirewallRule (priority 1000, allow-related) still
+        // override this drop when an operator opens ICMP via a CloudStack FirewallRule.
+        Map<String, String> ext = new HashMap<>();
+        ext.put("cloudstack_fw_default", "true");
+        ext.put("cloudstack_fw_default_icmp", "true");
+        ext.put("cloudstack_fw_ip", publicIp);
+        ext.put("cloudstack_network_id", String.valueOf(network.getId()));
+        if (network.getVpcId() != null) {
+            ext.put("cloudstack_vpc_id", String.valueOf(network.getVpcId()));
+        }
+        String match = "outport == \"" + publicLrpLsp + "\" && ip4 && ip4.dst == " + publicIp
+                + " && icmp4 && icmp4.type == 8";
+        ovnNbClient.addAclOnLs(provider.getNbConnection(),
+                provider.getCaCertPath(), provider.getClientCertPath(), provider.getClientPrivateKeyPath(),
+                publicLs, "fw-default-icmp-" + publicIp, "to-lport", 100L, match, "drop", ext);
     }
 
     @Override

From 332a5aa31ca55b0f307a935bc9775b8ab0025cbf Mon Sep 17 00:00:00 2001
From: Marco Sinhoreli <msinhore@gmail.com>
Date: Wed, 29 Apr 2026 14:35:03 +0200
Subject: [PATCH 33/33] ui: surface OVN as a guest isolation method in the Add
 Zone wizard

Without this, an operator standing up a new OVN-backed zone has to
either pick a different isolation method (forcing the OVN provider
into a no-op posture) or fall back to provisioning the zone via the
API and registering the OVN provider with addOvnProvider out-of-band.
Both Netris and NSX have a dedicated wizard step for the same flow;
this commit gives OVN the equivalent.

ZoneWizardPhysicalNetworkSetupStep.vue and PhysicalNetworksTab.vue:
add "OVN" to the isolation-method dropdown for KVM zones (matching
how "Netris" is gated to KVM today). Other hypervisors keep their
existing options unchanged.

ZoneWizardNetworkSetupStep.vue:
- new isOvnZone computed (mirrors isNetrisZone) flips on whenever any
  declared physical network selects "OVN".
- new "ovn" step inserted into allSteps() right after the netris
  step, between the physical-network grid and the public-traffic
  configuration.
- new ovnFields list mirrors AddOvnProviderCmd's parameters:
    name, nbConnection (required)
    sbConnection, externalBridge, localnetName,
    cacertpath, clientcertpath, clientprivatekeypath (optional).
  Required-vs-optional matches the Java side; the operator can leave
  the TLS / bridge-mapping fields blank for simple labs.
- ovnSetupDescription points at a new i18n key that explains the
  bridge mapping requirement on the ovn-controller side.

ZoneWizardLaunchZone.vue:
- stepData.isOvnZone is set in the existing physical-network creation
  loop using the same gating as Netris/NSX (only when the OVN physnet
  carries public or guest traffic - storage-only physnets do not
  need a provider entry).
- stepNetworkingProviderOrStorageTraffic dispatches to the new
  stepAddOvnProvider when the zone is OVN.
- stepAddOvnProvider posts to addOvnProvider with the prefillContent
  collected by the wizard. Optional fields are only forwarded when
  the operator filled them in, so a minimal OVN deployment that uses
  default ovsdb ports / no TLS does not have to clear ghost values.
- addOvnProvider is the postAPI wrapper, parallel to addNetrisProvider
  / addNsxController.

ui/public/locales/en.json:
- 9 new label.* / message.* keys for the OVN provider step (form
  labels, install-wizard tooltips, the description shown on the step,
  and the "Add OVN Provider" header used by the launch progress
  panel). Tooltip text spells out the connection-string format
  (tcp/ssl + host + port) and the relationship between the localnet
  name and ovn-bridge-mappings on the hypervisors.
---
 ui/public/locales/en.json                     | 20 ++++-
 .../views/infra/zone/ZoneWizardLaunchZone.vue | 67 ++++++++++++++
 .../infra/zone/ZoneWizardNetworkSetupStep.vue | 90 +++++++++++++++++++
 3 files changed, 176 insertions(+), 1 deletion(-)

diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 27acf657aa81..60bd3c2b7438 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -1694,6 +1694,15 @@
 "label.netris.provider.tenant.name": "Netris provider Admin Tenant name",
 "label.netris.provider.tag": "Netris Tag",
 "label.netris.provider.url": "Netris provider URL",
+"label.ovn.provider": "OVN Provider",
+"label.ovn.provider.name": "OVN provider name",
+"label.ovn.provider.nb.connection": "OVN Northbound DB connection",
+"label.ovn.provider.sb.connection": "OVN Southbound DB connection",
+"label.ovn.provider.external.bridge": "OVN external bridge",
+"label.ovn.provider.localnet.name": "OVN localnet (physical network mapping)",
+"label.ovn.provider.ca.cert.path": "OVN TLS CA certificate path",
+"label.ovn.provider.client.cert.path": "OVN TLS client certificate path",
+"label.ovn.provider.client.private.key.path": "OVN TLS client private key path",
 "label.netscaler": "NetScaler",
 "label.netscaler.mpx": "NetScaler MPX LoadBalancer",
 "label.netscaler.sdx": "NetScaler SDX LoadBalancer",
@@ -1788,7 +1797,6 @@
 "label.nsx.supports.internal.lb": "Enable NSX internal LB service",
 "label.nsx.supports.lb": "Enable NSX LB service",
 "label.ovn": "OVN",
-"label.ovn.provider": "OVN Provider",
 "label.ovnnbconnection": "OVN Northbound connection",
 "label.ovnsbconnection": "OVN Southbound connection",
 "label.ovnexternalbridge": "OVN external bridge",
@@ -3115,6 +3123,7 @@
 "message.add.latest.kubernetes.iso.failed": "Failed to add latest Kubernetes ISO",
 "message.add.minimum.required.compute.offering.kubernetes.cluster.failed": "Failed to add minimum required Compute Offering for Kubernetes cluster nodes",
 "message.add.netris.controller": "Add Netris Provider",
+"message.add.ovn.controller": "Add OVN Provider",
 "message.add.nsx.controller": "Add NSX Provider",
 "message.add.network": "Add a new network for Zone: <b><span id=\"zone_name\"></span></b>",
 "message.add.network.acl.failed": "Adding network ACL failed.",
@@ -3630,6 +3639,7 @@
 "message.info.cloudian.console": "Cloudian Management Console should open in another window.",
 "message.installwizard.cloudstack.helptext.website": " * Project website:\t ",
 "message.infra.setup.netris.description": "This zone must contain a Netris provider because the isolation method is Netris",
+"message.infra.setup.ovn.description": "This zone must contain an OVN provider because the isolation method is OVN. Provide the OVN central NB/SB endpoints and the bridge mapping used by ovn-controller on the hypervisors.",
 "message.infra.setup.nsx.description": "This Zone must contain an NSX provider because the isolation method is NSX",
 "message.infra.setup.tungsten.description": "This Zone must contain a Tungsten-Fabric provider because the isolation method is TF",
 "message.installwizard.cloudstack.helptext.document": " * Documentation:\t ",
@@ -3654,6 +3664,14 @@
 "message.installwizard.tooltip.netris.provider.site": "Netris Provider Site name not provided",
 "message.installwizard.tooltip.netris.provider.tag": "Netris Tag to be assigned to vNets",
 "message.installwizard.tooltip.netris.provider.tenant.name": "Netris Provider Admin Tenant name not provided",
+"message.installwizard.tooltip.ovn.provider.name": "Friendly name for this OVN provider entry, e.g. 'ovn-central-1'",
+"message.installwizard.tooltip.ovn.provider.nb.connection": "OVN Northbound DB connection string. Examples: tcp:10.0.0.10:6641, ssl:nb.ovn.example:6641",
+"message.installwizard.tooltip.ovn.provider.sb.connection": "OVN Southbound DB connection string (recommended). Used to enumerate live Chassis for Gateway_Chassis pinning. Example: tcp:10.0.0.10:6642",
+"message.installwizard.tooltip.ovn.provider.external.bridge": "OVS bridge that ovn-controller uses for the public network. Example: br-ex",
+"message.installwizard.tooltip.ovn.provider.localnet.name": "Logical network name used in ovn-bridge-mappings on each hypervisor. Example: physnet1 (matches ovn-bridge-mappings=physnet1:br-ex)",
+"message.installwizard.tooltip.ovn.provider.ca.cert.path": "Filesystem path to the CA certificate used by OVN OVSDB SSL endpoints. Required only when nb/sb connection uses ssl://",
+"message.installwizard.tooltip.ovn.provider.client.cert.path": "Filesystem path to the client certificate used by CloudStack to authenticate to OVN OVSDB. Required only when ssl:// is in use",
+"message.installwizard.tooltip.ovn.provider.client.private.key.path": "Filesystem path to the client private key paired with the client certificate. Required only when ssl:// is in use",
 "message.installwizard.tooltip.nsx.provider.hostname": "NSX Provider hostname / IP address not provided",
 "message.installwizard.tooltip.nsx.provider.username": "NSX Provider username not provided",
 "message.installwizard.tooltip.nsx.provider.password": "NSX Provider password not provided",
diff --git a/ui/src/views/infra/zone/ZoneWizardLaunchZone.vue b/ui/src/views/infra/zone/ZoneWizardLaunchZone.vue
index e16afbcf89e3..1730c1587d46 100644
--- a/ui/src/views/infra/zone/ZoneWizardLaunchZone.vue
+++ b/ui/src/views/infra/zone/ZoneWizardLaunchZone.vue
@@ -493,6 +493,13 @@ export default {
                 physicalNetwork.traffics.findIndex(traffic => traffic.type === 'public' || traffic.type === 'guest') > -1) {
                 this.stepData.isNetrisZone = true
               }
+              // Same gating as Netris/NSX: only flag the zone as OVN when the physical
+              // network actually carries public or guest traffic. Storage- or management-
+              // only physnets that happen to be tagged OVN do not need a provider entry.
+              if (physicalNetwork.isolationMethod.toLowerCase() === 'ovn' &&
+                physicalNetwork.traffics.findIndex(traffic => traffic.type === 'public' || traffic.type === 'guest') > -1) {
+                this.stepData.isOvnZone = true
+              }
             } else {
               this.stepData.physicalNetworkReturned = this.stepData.physicalNetworkItem['createPhysicalNetwork' + index]
             }
@@ -910,6 +917,8 @@ export default {
         await this.stepAddNsxController()
       } else if (this.stepData.isNetrisZone) {
         await this.stepAddNetrisProvider()
+      } else if (this.stepData.isOvnZone) {
+        await this.stepAddOvnProvider()
       } else {
         await this.stepConfigureStorageTraffic()
       }
@@ -1157,6 +1166,54 @@ export default {
         this.setStepStatus(STATUS_FAILED)
       }
     },
+    async stepAddOvnProvider () {
+      // Mirror of stepAddNetrisProvider: register the OVN central (NB/SB) endpoints with
+      // the zone via addOvnProvider so OvnGuestNetworkGuru can resolve the provider when
+      // a network is implemented. Only `name` and `nbconnection` are mandatory; the rest
+      // are optional and skipped when the operator left the field blank in the wizard.
+      this.setStepStatus(STATUS_FINISH)
+      this.currentStep++
+      this.addStep('message.add.ovn.controller', 'ovn')
+      if (this.stepData.stepMove.includes('ovn')) {
+        await this.stepConfigureStorageTraffic()
+        return
+      }
+      try {
+        if (!this.stepData.stepMove.includes('addOvnProvider')) {
+          const providerParams = {}
+          providerParams.zoneid = this.stepData.zoneReturned.id
+          providerParams.name = this.prefillContent?.ovnName || ''
+          providerParams.nbconnection = this.prefillContent?.ovnNbConnection || ''
+          if (this.prefillContent?.ovnSbConnection) {
+            providerParams.sbconnection = this.prefillContent.ovnSbConnection
+          }
+          if (this.prefillContent?.ovnExternalBridge) {
+            providerParams.externalbridge = this.prefillContent.ovnExternalBridge
+          }
+          if (this.prefillContent?.ovnLocalnetName) {
+            providerParams.localnetname = this.prefillContent.ovnLocalnetName
+          }
+          if (this.prefillContent?.ovnCaCertPath) {
+            providerParams.cacertpath = this.prefillContent.ovnCaCertPath
+          }
+          if (this.prefillContent?.ovnClientCertPath) {
+            providerParams.clientcertpath = this.prefillContent.ovnClientCertPath
+          }
+          if (this.prefillContent?.ovnClientPrivateKeyPath) {
+            providerParams.clientprivatekeypath = this.prefillContent.ovnClientPrivateKeyPath
+          }
+
+          await this.addOvnProvider(providerParams)
+          this.stepData.stepMove.push('addOvnProvider')
+        }
+        this.stepData.stepMove.push('ovn')
+        await this.stepConfigureStorageTraffic()
+      } catch (e) {
+        this.messageError = e
+        this.processStatus = STATUS_FAILED
+        this.setStepStatus(STATUS_FAILED)
+      }
+    },
     async stepConfigureStorageTraffic () {
       let targetNetwork = false
       this.prefillContent.physicalNetworks.forEach(physicalNetwork => {
@@ -2339,6 +2396,16 @@ export default {
         })
       })
     },
+    addOvnProvider (args) {
+      return new Promise((resolve, reject) => {
+        postAPI('addOvnProvider', args).then(json => {
+          resolve()
+        }).catch(error => {
+          const message = error.response.headers['x-description']
+          reject(message)
+        })
+      })
+    },
     configTungstenFabricService (args) {
       return new Promise((resolve, reject) => {
         postAPI('configTungstenFabricService', args).then(json => {
diff --git a/ui/src/views/infra/zone/ZoneWizardNetworkSetupStep.vue b/ui/src/views/infra/zone/ZoneWizardNetworkSetupStep.vue
index 3f00c3c38386..dd9da49d9355 100644
--- a/ui/src/views/infra/zone/ZoneWizardNetworkSetupStep.vue
+++ b/ui/src/views/infra/zone/ZoneWizardNetworkSetupStep.vue
@@ -102,6 +102,18 @@
       :isFixError="isFixError"
     />
 
+    <static-inputs-form
+      v-if="steps && steps[currentStep].formKey === 'ovn'"
+      @nextPressed="nextPressed"
+      @backPressed="handleBack"
+      @fieldsChanged="fieldsChanged"
+      @submitLaunchZone="submitLaunchZone"
+      :fields="ovnFields"
+      :prefillContent="prefillContent"
+      :description="ovnSetupDescription"
+      :isFixError="isFixError"
+    />
+
     <static-inputs-form
       v-if="steps && steps[currentStep].formKey === 'pod'"
       @nextPressed="nextPressed"
@@ -237,6 +249,15 @@ export default {
       }
       return isNetris
     },
+    isOvnZone () {
+      // The physical-network grid stores the user's selection as the literal label of the
+      // dropdown option. The OVN option is registered as value="OVN" in
+      // ZoneWizardPhysicalNetworkSetupStep.vue, so match on that exact string.
+      if (!this.prefillContent.physicalNetworks) {
+        return false
+      }
+      return this.prefillContent.physicalNetworks.findIndex(network => network.isolationMethod === 'OVN') > -1
+    },
     allSteps () {
       const steps = []
       steps.push({
@@ -261,6 +282,12 @@ export default {
           formKey: 'netris'
         })
       }
+      if (this.isOvnZone) {
+        steps.push({
+          title: 'label.ovn.provider',
+          formKey: 'ovn'
+        })
+      }
       if (this.havingNetscaler) {
         steps.push({
           title: 'label.netScaler',
@@ -523,6 +550,68 @@ export default {
       ]
       return fields
     },
+    ovnFields () {
+      // Mirrors the AddOvnProviderCmd parameters in
+      // plugins/network-elements/ovn/.../api/command/AddOvnProviderCmd.java.
+      // Only `name` and `nbConnection` are mandatory on the API; everything else is
+      // optional but operator-recommended for a usable zone:
+      //   - sbConnection lets us prune stale Gateway_Chassis rows (PR-2a/PR-2b)
+      //   - externalBridge / localnetName are how the public LS bridges to the
+      //     physical network via ovn-bridge-mappings
+      //   - the three TLS paths are required when the operator has secured the
+      //     OVSDB endpoints with TLS (NB/SB on ssl:host:6641|6642).
+      const fields = [
+        {
+          title: 'label.ovn.provider.name',
+          key: 'ovnName',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.name',
+          required: true
+        },
+        {
+          title: 'label.ovn.provider.nb.connection',
+          key: 'ovnNbConnection',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.nb.connection',
+          required: true
+        },
+        {
+          title: 'label.ovn.provider.sb.connection',
+          key: 'ovnSbConnection',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.sb.connection',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.external.bridge',
+          key: 'ovnExternalBridge',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.external.bridge',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.localnet.name',
+          key: 'ovnLocalnetName',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.localnet.name',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.ca.cert.path',
+          key: 'ovnCaCertPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.ca.cert.path',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.client.cert.path',
+          key: 'ovnClientCertPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.client.cert.path',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.client.private.key.path',
+          key: 'ovnClientPrivateKeyPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.client.private.key.path',
+          required: false
+        }
+      ]
+      return fields
+    },
     guestTrafficFields () {
       const fields = [
         {
@@ -594,6 +683,7 @@ export default {
       tungstenSetupDescription: 'message.infra.setup.tungsten.description',
       nsxSetupDescription: 'message.infra.setup.nsx.description',
       netrisSetupDescription: 'message.infra.setup.netris.description',
+      ovnSetupDescription: 'message.infra.setup.ovn.description',
       netscalerSetupDescription: 'label.please.specify.netscaler.info',
       storageTrafficDescription: 'label.zonewizard.traffictype.storage',
       podFields: [