OVN 25.03 was initially released on 7 March, 2025. This version of OVN is no longer supported. Support ended on 7 March, 2026.
v25.03.3 was released on 20 April, 2026.
Release Notes:
OVN v25.03.3 - 20 Apr 2026
--------------------------
- Security: Fixed vulnerability CVE-2026-5265.
- Security: Fixed vulnerability CVE-2026-5367.
- Bug fixes
- Add support for the special port_security prefix "VRRPv3". This prefix lets
the CMS allow all required traffic for a VRRPv3 virtual router behind an LSP.
See ovn-nb(5) man page for more details.
- Fixed support for fragmented traffic in the userspace datapath. Added the
"acl_ct_translation" NB_Global option to enable connection tracking
based L4 field translation for stateful ACLs. When enabled, it allows proper
handling of IP fragmentation in userspace datapaths. This option may break
hardware offloading and is disabled by default.
- Added disable_garp_rarp option to logical_router table in order to disable
GARP/RARP announcements by all the peer ports of this logical router.
v25.03.2 was released on 19 November, 2025.
Release Notes:
OVN v25.03.2 - 18 Nov 2025
--------------------------
- Bug fixes
- Dynamic Routing:
  * Add the option "dynamic-routing-redistribute-local-only" to Logical
    Routers and Logical Router Ports which refines the way in which
    chassis-specific Advertised_Routes (e.g., for NAT and LB IPs) are
    advertised.
  * Add the option "dynamic-routing-vrf-id" to Logical Routers which allows
    CMS to specify the Linux routing table id for a given vrf.
- Add ovn-nbctl lsp-add-router-port, which creates a router port on the
specified LS.
- Add ovn-nbctl lsp-add-localnet-port, which creates a localnet port on the
specified LS.
v25.03.1 was released on 13 June, 2025.
Release Notes:
OVN v25.03.1 - 13 Jun 2025
--------------------------
- Bug fixes
v25.03.0 was released on 7 March, 2025.
Release Notes:
OVN v25.03.0 - 07 Mar 2025
--------------------------
- Added support for choosing the selection method, dp_hash or
hash (with specified hash fields), for ECMP routes
when choosing the nexthop.
- ovn-ic: Add support for route tag to prevent route learning.
- Support for STT tunnels in ovn-encap-type is deprecated and will be
removed in the next release.
- The LRP option 'centralize_routing' has been removed. The behavior is now
enabled in all cases where it is needed.
- ovn-nb: Changed schema of ovn-nb to make networks optional within Logical
Router Ports.
- Added support for Spine-Leaf topology of logical switches by adding
a new LSP type 'switch' that can directly connect two logical switches.
Supported for both distributed and transit switches.
- Bump python version required for building OVN to 3.7.
- SSL/TLS:
  * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
    on OpenFlow and database connections. Use --ssl-protocols to turn
    them back on. Support will be fully removed in the next release.
  * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
  * The protocol list in --ssl-protocols or corresponding database column
    now supports specifying simple protocol ranges like:
    - "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
    - "TLSv1.2+" to enable protocol TLSv1.2 and later.
    The value must be a list of protocols or exactly one protocol range.
  * Added explicit support for TLSv1.3. It can now be enabled via
    --ssl-protocols (TLSv1.3 was supported in earlier versions only when
    this option was not set). TLS ciphersuites for TLSv1.3 and later can
    be configured via --ssl-ciphersuites (--ssl-ciphers only applies to
    TLSv1.2 and earlier).
- Add "arp-nd-max-timeout-sec" config option to vswitchd external-ids to
configure the interval (in seconds) between ovn-controller originated
ARP/ND packets used for tracking ECMP next hop MAC addresses.
- Auto flush ECMP symmetric reply connection states when an ECMP route is
removed by the CMS. This behavior is controlled by the
"ecmp_nexthop_monitor_enable" config option in the NB_Global table.
Disabled by default.
- Improved handling of IPv6 traffic by enabling address prefix tracking
in OVS for both IPv4 and IPv6 addresses, whenever possible, reducing
the amount of IPv6 datapath flows.
- Add the concept of Transit Routers. Users are now allowed to specify
options:requested-chassis for router ports; if the chassis is remote
then the router port will behave as a remote port.
- Added a new ACL option "persist-established" that allows for
established connections to bypass ACL matching. This way, if an ACL
match changes, traffic on the established connection can still pass.
- Logical router policies can now be arranged in chains. Using the new
"jump" action, combined with new "chain" and "jump_chain" columns,
allows for policies to be chained together.
- Reduce the max number of local datapaths to 1024 when OVN is using VXLAN
encapsulation type in OVN-interconnect mode.
- Added vxlan_mode parameter in IC_NB_GLOBAL option column to enable or
disable VXLAN encapsulation type in OVN-interconnect mode.
- Dynamic Routing:
  * Add the option "dynamic-routing" to Logical Routers. If set to true,
    static and connected routes matching the filter below are shared to the
    southbound "Advertised_Route" table for sharing outside of OVN.
    The routes can further be configured by setting
    `dynamic-routing-redistribute` on the LR or LRP. The LRP settings
    overwrite the LR settings for all routes using this interface to
    forward traffic on.
  * Allow Logical Routers to dynamically learn routes from outside the
    fabric. Routes entered into the "Learned_Route" table in the southbound
    database will be learned by the respective LR. They are included in the
    route table with a lower priority than static routes.
  * Add the option value "connected-as-host" to the
    "dynamic-routing-redistribute" LR and LRP option. If set, then connected
    routes are announced as individual host routes.
  * Add the option "dynamic-routing-maintain-vrf" to LRPs. If set, the
    ovn-controller will create a vrf named "ovnvrf" + datapath id that
    includes all advertised and learned routes.
    The vrf name can be overwritten with the "dynamic-routing-vrf-name"
    setting.
  * Add the option "dynamic-routing-port-name" to LRPs. If set, only routes
    learned from a Linux interface that is locally bound to the referenced
    LSP will be learned. Additionally support local overwrites for arbitrary
    interface names using "dynamic-routing-port-mapping".
  * The logical router port options "routing-protocol-redirect" and
    "routing-protocols" are now also usable on distributed gateway ports.
  * Logical router port options "routing-protocol-redirect" and
    "routing-protocols" are now considered stable. Their "experimental" tag
    was removed.
- Add "options:ct-commit-all" to LR, which enables commit of all traffic
to the DNAT and SNAT zones when the LR is stateful.
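
Added example (not OVN or Open vSwitch code): a small Python checker that expands an --ssl-protocols value according to the rules stated in the SSL/TLS notes for v25.03.0 and reports which enabled protocols are the deprecated TLSv1 and TLSv1.1. It assumes list entries are comma-separated, treats "and later" as the protocols named in these notes, and rejects reversed ranges; those choices are this example's, not the project's.

```python
"""Audit an --ssl-protocols value against the rules in the OVN 25.03.0 notes."""

ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest
DEPRECATED = {"TLSv1", "TLSv1.1"}                    # deprecated in 25.03.0


def _index(name):
    """Position of a protocol in ORDER; unknown names are an error."""
    if name not in ORDER:
        raise ValueError(f"unknown protocol: {name!r}")
    return ORDER.index(name)


def expand_protocols(value):
    """Return the protocols enabled by `value`, oldest first.

    Accepts a list of protocols or exactly one range ("A-B" or "A+").
    Assumption: list entries are comma-separated.
    """
    items = [p.strip() for p in value.split(",") if p.strip()]
    if not items:
        raise ValueError("empty protocol list")
    # Protocol names contain neither "-" nor "+", so either marks a range.
    if any(p.endswith("+") or "-" in p for p in items):
        if len(items) != 1:
            raise ValueError("a range cannot be combined with other entries")
        spec = items[0]
        if spec.endswith("+"):
            lo, hi = _index(spec[:-1]), len(ORDER) - 1
        else:
            first, _, last = spec.partition("-")
            lo, hi = _index(first), _index(last)
            if lo > hi:  # this example's choice: reject reversed ranges
                raise ValueError(f"range is reversed: {spec!r}")
        return ORDER[lo:hi + 1]
    for p in items:
        _index(p)  # validate every list entry
    return sorted(set(items), key=ORDER.index)


def audit(value):
    """Return (enabled, deprecated) protocol lists for a configured value."""
    enabled = expand_protocols(value)
    return enabled, [p for p in enabled if p in DEPRECATED]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for sample in ("TLSv1.2+", "TLSv1-TLSv1.2", "TLSv1.3,TLSv1.2"):
        print(sample, "->", audit(sample))
```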