OVN 26.03 was initially released on 20 March, 2026. This version of OVN is currently supported for all bug fixes. This version will enter critical fix mode on 20 March, 2028. Support for this version will end on 20 March, 2029.
v26.03.0 was released on 20 March, 2026.
Release Notes:
OVN v26.03.0 - 20 Mar 2026
--------------------------
- Added DNS query statistics tracking in ovn-controller using OVS coverage
counters. Statistics can be queried using "ovn-appctl -t ovn-controller
coverage/read-counter <counter_name>" or "coverage/show". Tracked metrics
include total queries, query types (A, AAAA, PTR, ANY, Other), cache
performance (hits/misses), responses sent, and error conditions.
- Added support for TLS Server Name Indication (SNI) with the new
--ssl-server-name option in OVN utilities and daemons. This allows
specifying the server name for SNI, which is useful when connecting
through proxies or service meshes where the connection endpoint differs
from the intended server name. Without this option, the hostname from
the connection string is used for SNI, as before.
- Added disable_garp_rarp option to logical_router table in order to disable
GARP/RARP announcements by all the peer ports of this logical router.
- Support for specifying output_port for logical router reroute policies.
- Added "ic-route-deny-adv" and "ic-route-deny-learn" options to
the Logical_Router/Logical_Router_Port tables to allow users to
deny filter advertised/learned IC routes.
- Dynamic Routing:
* Extend the Logical Switch EVPN support to now automatically learn
IP neighbors (Type-2 MAC+IP EVPN routes) and automatically inject them
into the pipelines of the adjacent logical routers.
* Add the "other_config:dynamic-routing-arp-prefer-local" to Logical
Switches. If set to "true" ovn-controller will give preference to SB
(Static_)MAC_Bindings of adjacent logical routers over ARPs learned
through EVPN on the switch.
* Add the "other_config:dynamic-routing-redistribute=ip" to Logical
Switches to announce local IPs/MAC bindings belonging to the same
EVPN domain.
* Introduce the capability to specify EVPN device names using
Logical_Switch other_config column.
* Introduce the capability to specify multiple ips for ovn-evpn-local-ip
option.
* Add the option "dynamic-routing-vrf-id" to Logical Routers which allows
CMS to specify the Linux routing table id for a given vrf.
* Add the option "dynamic-routing-v4-prefix-nexthop" to Logical Routers
which allows CMS to specify nexthop for IPv4 Advertised routes.
* Add the option "dynamic-routing-v6-prefix-nexthop" to Logical Routers
which allows CMS to specify nexthop for IPv6 Advertised routes.
* Add the "options:dynamic-routing-no-learning" to Logical Routers. If
set to true router will not learn routes and will forget learned
routes.
* Add the "options:dynamic-routing-no-learning" to Logical Routers ports.
If set to true, router port will not learn routes and will forget
learned routes. This option has priority over its router counterpart.
* The EVPN support is now considered stable. Its "experimental" tag has
been removed.
- Add support for Network Function insertion in OVN with stateful traffic
redirection capability in Logical Switch datapath. The feature introduces
three new NB database tables:
* Network_Function: Defines network function entities with inport/outport
pairs. These logical_switch_ports need to point to each other using
"nf-linked-port" option and also "is-nf" option set to true.
* Network_Function_Group: Groups multiple network functions for redundancy
* Network_Function_Health_Check: Configurable health monitoring with
interval, timeout, success_count and failure_count parameters.
Traffic matching ACLs can be redirected through inline network functions
using the network_function_group column in ACL. A healthy network function
from the group gets automatically selected based on ICMP forwarding probes
with failover to some other member of the group when currently active
network function becomes unavailable. Network functions operate in
"inline" mode, transparently processing packets without modifying headers,
and support both ingress (from-lport) and egress (to-lport) traffic flows.
Two new options have been added to Logical_Switch_Port which need to
be set to false for ports used as network function inport or outport.
- "lsp_learn_mac": This can be used to control mac learning on the port.
- "receive_multicast": This can used to control whether multicast packets
can be received by the port.
NOTE:
* Network functions must not modify packet headers.
* The feature is not supported in conjunction with Load Balancer.
* The feature is supported for both VLAN and overlay networks.
When network function is used in a VLAN network, geneve tunneling is
used for cross host traffic (between the chassis hosting network
function and the chassis hosting the port where the ACL is being
enforced). Proper MTU needs to be configured to accomodate this
encapsulation.
- Added Transit Router support:
* Support the creation of Transit Routers.
* Added new ovn-ic-nbctl 'tr-add','tr-del','tr-list' commands to manage
Transit Router.
* Support the creation of Transit Router Ports.
* Added new ovn-ic-nbctl 'trp-add' and 'tpr-del' commands to manage
Transit Router Ports.
- Add ovn-nbctl lsp-add-router-port which will create router port on
specified LS.
- Add ovn-nbctl lsp-add-localnet-port which will create localnet port on
specified LS.
- Add a new experimental service - ovn-br-controller to program and
manage OVS bridges (not managed by ovn-controller) using OVN logical
flows. For more details see man ovn-br(5).
- Added experimental flow-based tunnel support. Enable via
external_ids:ovn-enable-flow-based-tunnels=true to use shared tunnel
ports instead of per-chassis ports, reducing port count for large scale
environments. Default is disabled.
- Add fallback support for Network Function.
- Load balancer health checks can now use Logical Router Port IPs as the
source IP for health check probes. Previously, health checks required
reserving an unused IP from the backend's subnet. This change allows
using LRP IPs directly, eliminating the need to reserve additional IPs
per backend port.
- Add "distributed" option for load balancer, that forces traffic to be
routed only to backend instances running locally on the same chassis
it arrives on.
- Add support for special port_security prefix "VRRPv3". This prefix allows
CMS to allow all required traffic for a VRRPv3 virtual router behind LSP.
See ovn-nb(5) man page for more details.
- Fixed support for fragmented traffic in the userspace datapath. Added the
"acl_ct_translation" NB_Global option to enable connection tracking
based L4 field translation for stateful ACLs. When enabled allows proper
handling of IP fragmentation in userspace datapaths. This option may break
hardware offloading and is disabled by default.
- Added support for health check monitoring for Logical Switch Ports using
tcp, udp, and icmp protocols. The check status from SB database is
synchronized to NB database to health check status field for CMS needs.