1ovs-fields(7)                 Open vSwitch Manual                ovs-fields(7)
2
3
4

NAME

6       ovs-fields - protocol header fields in OpenFlow and Open vSwitch
7

INTRODUCTION

9       This  document aims to comprehensively document all of the fields, both
10       standard and non-standard,  supported  by  OpenFlow  or  Open  vSwitch,
11       regardless of origin.
12
13   Fields
14       A  field  is  a  property of a packet. Most familiarly, data fields are
15       fields that can be extracted from a packet. Most data fields are copied
16       directly  from  protocol  headers, e.g. at layer 2, the Ethernet source
17       and destination addresses, or the VLAN ID; at layer 3, the IPv4 or IPv6
18       source  and  destination;  and  at layer 4, the TCP or UDP ports. Other
19       data fields are computed, e.g. ip_frag describes whether a packet is  a
20       fragment but it is not copied directly from the IP header.
21
22       Data  fields that are always present as a consequence of the basic net‐
23       working technology in use are called called root fields.  Open  vSwitch
24       2.7  and earlier considered Ethernet fields to be root fields, and this
25       remains the default mode of operation for Open vSwitch bridges. When  a
26       packet  is  received  from a non-Ethernet interfaces, such as a layer-3
27       LISP tunnel, Open vSwitch 2.7 and earlier force-fit the packet to  this
28       Ethernet-centric point of view by pretending that an Ethernet header is
29       present whose Ethernet type that indicates  the  packet’s  actual  type
30       (and whose source and destination addresses are all-zero).
31
32       Open vSwitch 2.8 and later implement the ``packet type-aware pipeline’’
33       concept introduced in OpenFlow 1.5. Such a pipeline does not  have  any
34       root  fields. Instead, a new metadata field, packet_type, indicates the
35       basic type of the packet, which can be Ethernet, IPv4, IPv6, or another
36       type.  For backward compatibility, by default Open vSwitch 2.8 imitates
37       the behavior of Open vSwitch 2.7 and earlier. Later  versions  of  Open
38       vSwitch  may  change  the  default, and in the meantime controllers can
39       turn off this legacy behavior, on  a  port-by-port  basis,  by  setting
40       options:packet_type to ptap in the Interface table. This is significant
41       only for ports that can handle non-Ethernet packets, which is currently
42       just  LISP, VXLAN-GPE, and GRE tunnel ports. See ovs-vwitchd.conf.db(5)
43       for more information.
44
45       Non-root data fields are not always  present.  A  packet  contains  ARP
46       fields,  for example, only when its packet type is ARP or when it is an
47       Ethernet packet whose Ethernet header indicates the Ethertype for  ARP,
48       0x0806.  In  this documentation, we say that a field is applicable when
49       it is present in a packet, and inapplicable when it is not. (These  are
50       not  standard terms.) We refer to the conditions that determine whether
51       a field is applicable as prerequisites. Some VLAN-related fields are  a
52       special  case: these fields are always applicable for Ethernet packets,
53       but have a designated value or bit that indicates whether a VLAN header
54       is  present,  with  the  remaining  values  or bits indicating the VLAN
55       header’s content (if it is present).
56
57       An inapplicable field does  not  have  a  value,  not  even  a  nominal
58       ``value’’  such  as  all-zero-bits. In many circumstances, OpenFlow and
59       Open vSwitch allow references only to applicable fields.  For  example,
60       one  may  match  (see  Matching, below) a given field only if the match
61       includes the field’s prerequisite, e.g. matching an ARP field  is  only
62       allowed  if one also matches on Ethertype 0x0806 or the packet_type for
63       ARP in a packet type-aware bridge.
64
65       Sometimes a packet may contain multiple  instances  of  a  header.  For
66       example,  a  packet may contain multiple VLAN or MPLS headers, and tun‐
67       nels can cause any data field to recur. OpenFlow and  Open  vSwitch  do
68       not  address these cases uniformly. For VLAN and MPLS headers, only the
69       outermost header is accessible, so that inner headers may  be  accessed
70       only by ``popping’’ (removing) the outer header. (Open vSwitch supports
71       only a single VLAN header in any case.) For tunnels, e.g. GRE or VXLAN,
72       the  outer  header  and  inner  headers  are  treated as different data
73       fields.
74
75       Many network protocols are built in layers as a stack  of  concatenated
76       headers.  Each  header  typically  contains  a ``next type’’ field that
77       indicates the type of the protocol header that follows,  e.g.  Ethernet
78       contains  an Ethertype and IPv4 contains a IP protocol type. The excep‐
79       tional cases, where protocols are layered but an outer layer  does  not
80       indicate  the  protocol  type  for  the  inner  layer, or gives only an
81       ambiguous indication, are troublesome. An  MPLS  header,  for  example,
82       only  indicates whether another MPLS header or some other protocol fol‐
83       lows, and in the latter case the inner protocol must be known from  the
84       context.  In  these exceptional cases, OpenFlow and Open vSwitch cannot
85       provide insight into the inner protocol data fields without  additional
86       context,  and  thus  they  treat  all later data fields as inapplicable
87       until an OpenFlow action explicitly specifies what protocol follows. In
88       the  case  of  MPLS,  the OpenFlow ``pop MPLS’’ action that removes the
89       last MPLS header from a packet provides this context, as the  Ethertype
90       of the payload. See Layer 2.5: MPLS for more information.
91
92       OpenFlow  and  Open vSwitch support some fields other than data fields.
93       Metadata fields relate to the origin or treatment of a packet, but they
94       are not extracted from the packet data itself. One example is the phys‐
95       ical port on which a packet arrived at the switch. Register fields  act
96       like  variables: they give an OpenFlow switch space for temporary stor‐
97       age while processing a packet. Existing metadata  and  register  fields
98       have no prerequisites.
99
100       A  field’s  value  consists  of  an  integral number of bytes. For data
101       fields, sometimes those bytes are taken directly from the packet. Other
102       data  fields  are copied from a packet with padding (usually with zeros
103       and in the most significant positions). The remaining data  fields  are
104       transformed  in other ways as they are copied from the packets, to make
105       them more useful for matching.
106
107   Matching
108       The most important use of fields in OpenFlow is matching, to  determine
109       whether  particular field values agree with a set of constraints called
110       a match. A match consists of zero or  more  constraints  on  individual
111       fields,  all  of  which must be met to satisfy the match. (A match that
112       contains no constraints is always satisfied.) OpenFlow and Open vSwitch
113       support a number of forms of matching on individual fields:
114
115              Exact match, e.g. nw_src=10.1.2.3
116                     Only  a  particular  value  of  the field is matched; for
117                     example, only one particular  source  IP  address.  Exact
118                     matches  are  written  as field=value. The forms accepted
119                     for value depend on the field.
120
121                     All fields support exact matches.
122
123              Bitwise match, e.g. nw_src=10.1.0.0/255.255.0.0
124                     Specific bits in the field must  have  specified  values;
125                     for  example,  only  source  IP addresses in a particular
126                     subnet. Bitwise matches are written as  field=value/mask,
127                     where  value  and mask take one of the forms accepted for
128                     an exact match on field. Some fields accept  other  forms
129                     for       bitwise       matches;       for       example,
130                     nw_src=10.1.0.0/255.255.0.0   may   also    be    written
131                     nw_src=10.1.0.0/16.
132
133                     Most  OpenFlow switches do not allow every bitwise match‐
134                     ing on every field (and before OpenFlow 1.2, the protocol
135                     did  not  even  provide  for  the  possibility  for  most
136                     fields). Even switches that do allow bitwise matching  on
137                     a  given  field  may restrict the masks that are allowed,
138                     e.g. by allowing matches only on contiguous sets of  bits
139                     starting from the most significant bit, that is, ``CIDR’’
140                     masks [RFC 4632]. Open vSwitch does  not  allows  bitwise
141                     matching  on every field, but it allows arbitrary bitwise
142                     masks on any field that does  support  bitwise  matching.
143                     (Older  versions  had some restrictions, as documented in
144                     the descriptions of individual fields.)
145
146              Wildcard, e.g. ``any nw_src’’
147                     The value of the field  is  not  constrained.  Wildcarded
148                     fields  may be written as field=*, although it is unusual
149                     to mention them  at  all.  (When  specifying  a  wildcard
150                     explicitly  in  a  command  invocation,  be sure to using
151                     quoting to protect against shell expansion.)
152
153                     There is a tiny difference between  wildcarding  a  field
154                     and  not  specifying  any match on a field: wildcarding a
155                     field requires satisfying the field’s prerequisites.
156
157       Some types of matches on individual fields cannot be expressed directly
158       with OpenFlow and Open vSwitch. These can be expressed indirectly:
159
160              Set match, e.g. ``tcp_dst ∈ {80, 443, 8080}’’
161                     The value of a field is one of a specified set of values;
162                     for example, the TCP destination  port  is  80,  443,  or
163                     8080.
164
165                     For  matches  used  in flows (see Flows, below), multiple
166                     flows can simulate set matches.
167
168              Range match, e.g. ``1000 ≤ tcp_dst ≤ 1999’’
169                     The value of the field must lie within a numerical range,
170                     for example, TCP destination ports between 1000 and 1999.
171
172                     Range matches can be expressed as a collection of bitwise
173                     matches. For example, suppose that the goal is  to  match
174                     TCP source ports 1000 to 1999, inclusive. The binary rep‐
175                     resentations of 1000 and 1999 are:
176
177                     01111101000
178                     11111001111
179
180
181                     The following series of bitwise matches will  match  1000
182                     and 1999 and all the values in between:
183
184                     01111101xxx
185                     0111111xxxx
186                     10xxxxxxxxx
187                     110xxxxxxxx
188                     1110xxxxxxx
189                     11110xxxxxx
190                     1111100xxxx
191
192
193                     which can be written as the following matches:
194
195                     tcp,tp_src=0x03e8/0xfff8
196                     tcp,tp_src=0x03f0/0xfff0
197                     tcp,tp_src=0x0400/0xfe00
198                     tcp,tp_src=0x0600/0xff00
199                     tcp,tp_src=0x0700/0xff80
200                     tcp,tp_src=0x0780/0xffc0
201                     tcp,tp_src=0x07c0/0xfff0
202
203
204              Inequality match, e.g. ``tcp_dst ≠ 80’’
205                     The  value  of  the field differs from a specified value,
206                     for example, all TCP destination ports except 80.
207
208                     An inequality match on an n-bit field can be expressed as
209                     a  disjunction  of  n  1-bit  matches.  For  example, the
210                     inequality match ``vlan_pcp ≠ 5’’  can  be  expressed  as
211                     ``vlan_pcp  =  0/4 or vlan_pcp = 2/2 or vlan_pcp = 0/1.’’
212                     For matches used in flows (see Flows,  below),  sometimes
213                     one  can  more  compactly express inequality as a higher-
214                     priority flow that matches the  exceptional  case  paired
215                     with a lower-priority flow that matches the general case.
216
217                     Alternatively,  an inequality match may be converted to a
218                     pair of range matches, e.g. tcp_src ≠ 80 may be expressed
219                     as ``0 ≤ tcp_src < 80 or 80 < tcp_src ≤ 65535’’, and then
220                     each range match may in turn be converted  to  a  bitwise
221                     match.
222
223              Conjunctive  match, e.g. ``tcp_src ∈ {80, 443, 8080} and tcp_dst
224              ∈ {80, 443, 8080}’’
225                     As an OpenFlow extension, Open vSwitch supports  matching
226                     on conditions on conjunctions of the previously mentioned
227                     forms of matching. See the documentation for conj_id  for
228                     more information.
229
230       All  of  these supported forms of matching are special cases of bitwise
231       matching. In some cases this influences the  design  of  field  values.
232       ip_frag  is  the  most prominent example: it is designed to make all of
233       the practically useful checks for IP fragmentation possible as a single
234       bitwise match.
235
236     Shorthands
237
238       Some  matches are very commonly used, so Open vSwitch accepts shorthand
239       notations. In some cases, Open vSwitch also  uses  shorthand  notations
240       when  it  displays  matches. The following shorthands are defined, with
241       their long forms shown on the right side:
242
243              eth    packet_type=(0,0) (Open vSwitch 2.8 and later)
244
245              ip     eth_type=0x0800
246
247              ipv6   eth_type=0x86dd
248
249              icmp   eth_type=0x0800,ip_proto=1
250
251              icmp6  eth_type=0x86dd,ip_proto=58
252
253              tcp    eth_type=0x0800,ip_proto=6
254
255              tcp6   eth_type=0x86dd,ip_proto=6
256
257              udp    eth_type=0x0800,ip_proto=17
258
259              udp6   eth_type=0x86dd,ip_proto=17
260
261              sctp   eth_type=0x0800,ip_proto=132
262
263              sctp6  eth_type=0x86dd,ip_proto=132
264
265              arp    eth_type=0x0806
266
267              rarp   eth_type=0x8035
268
269              mpls   eth_type=0x8847
270
271              mplsm  eth_type=0x8848
272
273   Evolution of OpenFlow Fields
274       The discussion so far applies to all OpenFlow  and  Open  vSwitch  ver‐
275       sions.  This section starts to draw in specific information by explain‐
276       ing, in broad terms, the treatment of fields and matches in each  Open‐
277       Flow version.
278
279     OpenFlow 1.0
280
281       OpenFlow  1.0  defined  the  OpenFlow  protocol  format of a match as a
282       fixed-length data structure that could match on the following fields:
283
284              ·      Ingress port.
285
286              ·      Ethernet source and destination MAC.
287
288              ·      Ethertype (with a special value to match frames that lack
289                     an Ethertype).
290
291              ·      VLAN ID and priority.
292
293              ·      IPv4 source, destination, protocol, and DSCP.
294
295              ·      TCP source and destination port.
296
297              ·      UDP source and destination port.
298
299              ·      ICMPv4 type and code.
300
301              ·      ARP IPv4 addresses (SPA and TPA) and opcode.
302
303       Each supported field corresponded to some member of the data structure.
304       Some members represented multiple fields, in the case of the TCP,  UDP,
305       ICMPv4,  and ARP fields whose presence is mutually exclusive. This also
306       meant that some members were poor fits for their fields: only the low 8
307       bits of the 16-bit ARP opcode could be represented, and the ICMPv4 type
308       and code were padded with 8 bits of zeros to fit in the 16-bit  members
309       primarily  meant  for  TCP  and  UDP ports. An additional bitmap member
310       indicated, for each member, whether its field should be an ``exact’’ or
311       ``wildcarded’’  match  (see Matching), with additional support for CIDR
312       prefix matching on the IPv4 source and destination fields.
313
314       Simplicity was recognized early on as the main virtue of this approach.
315       Obviously,  any fixed-length data structure cannot support matching new
316       protocols that do not fit. There was no room, for example, for matching
317       IPv6 fields, which was not a priority at the time. Lack of room to sup‐
318       port matching the Ethernet addresses inside ARP packets actually caused
319       more  of  a  design problem later, leading to an Open vSwitch extension
320       action specialized for dropping ``spoofed’’ ARP packets  in  which  the
321       frame  and  ARP Ethernet source addressed differed. (This extension was
322       never standardized. Open vSwitch dropped support for it a few  releases
323       after it added support for full ARP matching.)
324
325       The  design  of the OpenFlow fixed-length matches also illustrates com‐
326       promises, in both directions, between the strengths and  weaknesses  of
327       software  and  hardware that have always influenced the design of Open‐
328       Flow. Support for matching ARP fields that do fit in the data structure
329       was  only  added  late  in the design process (and remained optional in
330       OpenFlow 1.0), for example, because common switch ASICs did not support
331       matching these fields.
332
333       The compromises in favor of software occurred for more complicated rea‐
334       sons. The OpenFlow designers did not know how to implement matching  in
335       software  that  was  fast, dynamic, and general. (A way was later found
336       [Srinivasan].) Thus, the designers sought to support  dynamic,  general
337       matching  that  would be fast in realistic special cases, in particular
338       when all of the matches were microflows, that is, matches that  specify
339       every  field  present  in  a packet, because such matches can be imple‐
340       mented as a single hash table lookup. Contemporary  research  supported
341       the  feasibility of this approach: the number of microflows in a campus
342       network had been measured to peak  at  about  10,000  [Casado,  section
343       3.2]. (Calculations show that this can only be true in a lightly loaded
344       network [Pepelnjak].)
345
346       As a result, OpenFlow 1.0 required switches to treat microflow  matches
347       as  the  highest  possible priority. This let software switches perform
348       the microflow hash table lookup first.  Only  on  failure  to  match  a
349       microflow did the switch need to fall back to checking the more general
350       and presumed slower matches. Also, the OpenFlow 1.0 flow match was min‐
351       imally  flexible,  with no support for general bitwise matching, partly
352       on the basis that this seemed more likely amenable to relatively  effi‐
353       cient  software  implementation.  (CIDR  masking for IPv4 addresses was
354       added relatively late in the OpenFlow 1.0 design process.)
355
356       Microflow matching was later discovered to aid some hardware  implemen‐
357       tations.  The  TCAM  chips used for matching in hardware do not support
358       priority in the same way as OpenFlow but instead tie priority to order‐
359       ing  [Pagiamtzis]. Thus, adding a new match with a priority between the
360       priorities of existing matches can require reordering an arbitrary num‐
361       ber  of  TCAM  entries.  On the other hand, when microflows are highest
362       priority, they can be managed  as  a  set-aside  portion  of  the  TCAM
363       entries.
364
365       The  emphasis  on  matching  microflows also led designers to carefully
366       consider the bandwidth requirements between switch and  controller:  to
367       maximize  the  number of microflow setups per second, one must minimize
368       the size of each flow’s description. This favored the fixed-length for‐
369       mat in use, because it expressed common TCP and UDP microflows in fewer
370       bytes than more flexible ``type-length-value’’  (TLV)  formats.  (Early
371       versions  of OpenFlow also avoided TLVs in general to head off protocol
372       fragmentation.)
373
374       Inapplicable Fields
375
376       OpenFlow 1.0 does not clearly specify how to treat inapplicable fields.
377       The  members  for  inapplicable  fields are always present in the match
378       data structure, as are the bits that indicate whether  the  fields  are
379       matched,  and  the  ``correct’’  member and bit values for inapplicable
380       fields is unclear. OpenFlow 1.0 implementations changed their  behavior
381       over time as priorities shifted. The early OpenFlow reference implemen‐
382       tation, motivated to make every flow a  microflow  to  enable  hashing,
383       treated  inapplicable  fields  as  exact  matches on a value of 0. Ini‐
384       tially, this behavior was implemented in the reference controller only.
385
386       Later, the reference switch was also  changed  to  actually  force  any
387       wildcarded  inapplicable  fields  into  exact  matches on 0. The latter
388       behavior sometimes caused problems, because the modified flow  was  the
389       one  reported back to the controller later when it queried the flow ta‐
390       ble, and the modifications sometimes meant that  the  controller  could
391       not  properly recognize the flow that it had added. In retrospect, per‐
392       haps this problem should have alerted the designers to a design  error,
393       but  the  ability to use a single hash table was held to be more impor‐
394       tant than almost every other consideration at the time.
395
396       When more flexible match formats were introduced much later, they  dis‐
397       allowed  any  mention  of  inapplicable fields as part of a match. This
398       raised the question of how to translate between this new format and the
399       OpenFlow 1.0 fixed format. It seemed somewhat inconsistent and backward
400       to treat fields as exact-match in one format and forbid  matching  them
401       in  the  other,  so instead the treatment of inapplicable fields in the
402       fixed-length format was changed from exact match on 0  to  wildcarding.
403       (A  better  classifier had by now eliminated software performance prob‐
404       lems with wildcards.)
405
406       The OpenFlow 1.0.1 errata (released only in 2012) added some additional
407       explanation  [OpenFlow 1.0.1, section 3.4], but it did not mandate spe‐
408       cific behavior because of variation among implementations.
409
410     OpenFlow 1.1
411
412       The  OpenFlow  1.1  protocol   match   format   was   designed   as   a
413       type/length/value  (TLV)  format  to  allow for future flexibility. The
414       specification standardized only a single type OFPMT_STANDARD (0) with a
415       fixed-size  payload,  described here. The additional fields and bitwise
416       masks in OpenFlow 1.1 cause this match structure to be  over  twice  as
417       large as in OpenFlow 1.0, 88 bytes versus 40.
418
419       OpenFlow 1.1 added support for the following fields:
420
421              ·      SCTP source and destination port.
422
423              ·      MPLS label and traffic control (TC) fields.
424
425              ·      One 64-bit register (named ``metadata’’).
426
427       OpenFlow  1.1 increased the width of the ingress port number field (and
428       all other port numbers in the protocol) from 16 bits to 32 bits.
429
430       OpenFlow 1.1 increased matching flexibility  by  introducing  arbitrary
431       bitwise  matching  on  Ethernet  and IPv4 address fields and on the new
432       ``metadata’’ register field. Switches were not required to support  all
433       possible masks [OpenFlow 1.1, section 4.3].
434
435       By  a strict reading of the specification, OpenFlow 1.1 removed support
436       for matching ICMPv4 type and code [OpenFlow 1.1,  section  A.2.3],  but
437       this  is  likely  an  editing  error because ICMP matching is described
438       elsewhere [OpenFlow 1.1, Table 3, Table 4, Figure 4]. Open vSwitch does
439       support ICMPv4 type and code matching with OpenFlow 1.1.
440
441       OpenFlow  1.1 avoided the pitfalls of inapplicable fields that OpenFlow
442       1.0 encountered, by requiring the switch to ignore the specified  field
443       values  [OpenFlow  1.1, section A.2.3]. It also implied that the switch
444       should ignore the bits that  indicate  whether  to  match  inapplicable
445       fields.
446
447       Physical Ingress Port
448
449       OpenFlow  1.1 introduced a new pseudo-field, the physical ingress port.
450       The physical ingress port is only a pseudo-field because it  cannot  be
451       used  for  matching.  It appears only one place in the protocol, in the
452       ``packet-in’’ message that passes a packet received at the switch to an
453       OpenFlow controller.
454
455       A  packet’s ingress port and physical ingress port are identical except
456       for packets processed by a switch feature such as bonding or  tunneling
457       that  makes  a packet appear to arrive on a ``virtual’’ port associated
458       with the bond or the tunnel. For such packets, the ingress port is  the
459       virtual  port and the physical ingress port is, naturally, the physical
460       port. Open vSwitch implements both bonding and tunneling, but its bond‐
461       ing implementation does not use virtual ports and its tunnels are typi‐
462       cally not on the same OpenFlow switch as their physical  ingress  ports
463       (which  need not be part of any switch), so the ingress port and physi‐
464       cal ingress port are always the same in Open vSwitch.
465
466     OpenFlow 1.2
467
468       OpenFlow 1.2 abandoned the fixed-length approach to matching. One  rea‐
469       son  was size, since adding support for IPv6 address matching (now seen
470       as important), with bitwise masks, would have added  64  bytes  to  the
471       match  length,  increasing it from 88 bytes in OpenFlow 1.1 to over 150
472       bytes. Extensibility had also become important  as  controller  writers
473       increasingly  wanted  support  for  new fields without having to change
474       messages throughout the OpenFlow protocol. The challenges of  carefully
475       defining  fixed-length  matches  to  avoid  problems  with inapplicable
476       fields had also become clear over time.
477
478       Therefore, OpenFlow 1.2 adopted a flow format using  a  flexible  type-
479       length-value  (TLV) representation, in which each TLV expresses a match
480       on one field. These TLVs were in turn encapsulated inside the outer TLV
481       wrapper  introduced  in  OpenFlow 1.1 with the new identifier OFPMT_OXM
482       (1). (This wrapper fulfilled  its  intended  purpose  of  reducing  the
483       amount  of churn in the protocol when changing match formats; some mes‐
484       sages that included matches remained unchanged from OpenFlow 1.1 to 1.2
485       and later versions.)
486
487       OpenFlow 1.2 added support for the following fields:
488
489              ·      ARP hardware addresses (SHA and THA).
490
491              ·      IPv4 ECN.
492
493              ·      IPv6  source and destination addresses, flow label, DSCP,
494                     ECN, and protocol.
495
496              ·      TCP, UDP, and SCTP port numbers when encapsulated  inside
497                     IPv6.
498
499              ·      ICMPv6 type and code.
500
501              ·      ICMPv6  Neighbor  Discovery target address and source and
502                     target Ethernet addresses.
503
504       The OpenFlow 1.2 format, called OXM (OpenFlow  Extensible  Match),  was
505       modeled  closely  on  an  extension  to OpenFlow 1.0 introduced in Open
506       vSwitch 1.1 called NXM (Nicira Extended Match). Each OXM or NXM TLV has
507       the following format:
508
509               type
510        <---------------->
511             16        7   1    8      length bytes
512       +------------+-----+--+------+ +------------+
513       |vendor/class|field|HM|length| |    body    |
514       +------------+-----+--+------+ +------------+
515
516
517       The most significant 16 bits of the NXM or OXM header, called vendor by
518       NXM and class by OXM, identify an organization  permitted  to  allocate
519       identifiers  for  fields.  NXM  allocates  only two vendors, 0x0000 for
520       fields supported by OpenFlow 1.0 and 0x0001 for fields  implemented  as
521       an Open vSwitch extension. OXM assigns classes as follows:
522
523              0x0000 (OFPXMC_NXM_0).
524              0x0001 (OFPXMC_NXM_1).
525                   Reserved for NXM compatibility.
526
527              0x0002 to 0x7fff
528                   Reserved  for  allocation  to  ONF  members,  but  none yet
529                   assigned.
530
531              0x8000 (OFPXMC_OPENFLOW_BASIC)
532                   Used for most standard OpenFlow fields.
533
534              0x8001 (OFPXMC_PACKET_REGS)
535                   Used for packet register fields in OpenFlow 1.5 and later.
536
537              0x8002 to 0xfffe
538                   Reserved for the OpenFlow specification.
539
540              0xffff (OFPXMC_EXPERIMENTER)
541                   Experimental use.
542
543       When class is 0xffff, the OXM header is extended to 64  bits  by  using
544       the  first 32 bits of the body as an experimenter field whose most sig‐
545       nificant byte is zero and whose remaining bytes are an Organizationally
546       Unique  Identifier  (OUI)  assigned  by  the  IEEE [IEEE OUI], as shown
547       below.
548
549            type                 experimenter
550        <---------->             <---------->
551          16     7   1    8        8     24     (length - 4) bytes
552       +------+-----+--+------+ +------+-----+ +------------------+
553       |class |field|HM|length| | zero | OUI | |       body       |
554       +------+-----+--+------+ +------+-----+ +------------------+
555        0xffff                    0x00
556
557
558       OpenFlow says that support for experimenter fields  is  optional.  Open
559       vSwitch  2.4  and  later  does support them, so that it can support the
560       following experimenter classes:
561
562              0x4f4e4600 (ONFOXM_ET)
563                     Used by official Open Networking Foundation extensions in
564                     OpenFlow  1.3  and  later.  e.g.  [TCP  Flags Match Field
565                     Extension].
566
567              0x005ad650 (NXOXM_NSH)
568                     Used by Open vSwitch for NSH extensions, in  the  absence
569                     of  an official ONF-assigned class. (This OUI is randomly
570                     generated.)
571
572       Taken as a unit, class  (or  vendor),  field,  and  experimenter  (when
573       present) uniquely identify a particular field.
574
575       When  hasmask (abbreviated HM above) is 0, the OXM is an exact match on
576       an entire field. In this case, the  body  (excluding  the  experimenter
577       field, if present) is a single value to be matched.
578
579       When  hasmask is 1, the OXM is a bitwise match. The body (excluding the
580       experimenter field) consists of a value to match, followed by the  bit‐
581       wise  mask to apply. A 1-bit in the mask indicates that the correspond‐
582       ing bit in the value should be matched and a 0-bit that  it  should  be
583       ignored.  For  example, for an IP address field, a value of 192.168.0.0
584       followed by  a  mask  of  255.255.0.0  would  match  addresses  in  the
585       196.168.0.0/16 subnet.
586
587              ·      Some  fields  might  not support masking at all, and some
588                     fields that do support masking might restrict it to  cer‐
589                     tain  patterns.  For example, fields that have IP address
590                     values might be restricted to CIDR  masks.  The  descrip‐
591                     tions of individual fields note these restrictions.
592
593              ·      An  OXM  TLV  with a mask that is all zeros is not useful
594                     (although it is not forbidden), because  it  is  has  the
595                     same effect as omitting the TLV entirely.
596
597              ·      It  is not meaningful to pair a 0-bit in an OXM mask with
598                     a 1-bit in its value, and Open vSwitch  rejects  such  an
599                     OXM  with  the error OFPBMC_BAD_WILDCARDS, as required by
600                     OpenFlow 1.3 and later.
601
602       The length identifies the number of bytes in the  body,  including  the
603       4-byte  experimenter header, if it is present. Each OXM TLV has a fixed
604       length; that is, given class, field,  experimenter  (if  present),  and
605       hasmask,  length  is  a  constant. The length is included explicitly to
606       allow software to minimally parse OXM TLVs of unknown types.
607
608       OXM TLVs must be ordered so that a field’s prerequisites are  satisfied
609       before  it  is parsed. For example, an OXM TLV that matches on the IPv4
610       source address field is only allowed following an OXM TLV that  matches
611       on  the  Ethertype  for IPv4. Similarly, an OXM TLV that matches on the
612       TCP source port must follow a TLV that matches an Ethertype of IPv4  or
613       IPv6  and  one  that matches an IP protocol of TCP (in that order). The
614       order of OXM TLVs is not otherwise restricted; no canonical ordering is
615       defined.
616
617       A given field may be matched only once in a series of OXM TLVs.
618
619     OpenFlow 1.3
620
621       OpenFlow  1.3 showed OXM to be largely successful, by adding new fields
622       without making any changes to how flow  matches  otherwise  worked.  It
623       added OXMs for the following fields supported by Open vSwitch:
624
625              ·      Tunnel  ID  for ports associated with e.g. VXLAN or keyed
626                     GRE.
627
628              ·      MPLS ``bottom of stack’’ (BOS) bit.
629
630       OpenFlow 1.3 also added OXMs for the following  fields  not  documented
631       here and not yet implemented by Open vSwitch:
632
633              ·      IPv6 extension header handling.
634
635              ·      PBB I-SID.
636
637     OpenFlow 1.4
638
639       OpenFlow  1.4  added  OXMs for the following fields not documented here
640       and not yet implemented by Open vSwitch:
641
642              ·      PBB UCA.
643
644     OpenFlow 1.5
645
646       OpenFlow 1.5 added OXMs for the  following  fields  supported  by  Open
647       vSwitch:
648
649              ·      Packet type.
650
651              ·      TCP flags.
652
653              ·      Packet registers.
654
655              ·      The output port in the OpenFlow action set.
656

FIELDS REFERENCE

658       The  following sections document the fields that Open vSwitch supports.
659       Each section provides introductory  material  on  a  group  of  related
660       fields,  followed  by information on each individual field. In addition
661       to field-specific information, each field  begins  with  a  table  with
662       entries for the following important properties:
663
664              Name   The  field’s  name,  used  for parsing and formatting the
665                     field, e.g. in ovs-ofctl commands.  For  historical  rea‐
666                     sons,  some  fields  have  an  additional  name  that  is
667                     accepted as an alternative in parsing.  This  name,  when
668                     there  is  one,  is  listed as well, e.g. ``tun (aka tun‐
669                     nel_id).’’
670
671              Width  The field’s width, always a  multiple  of  8  bits.  Some
672                     fields don’t use all of the bits, so this may be accompa‐
673                     nied by an explanation. For example, OpenFlow embeds  the
674                     2-bit  IP  ECN field as as the low bits in an 8-bit byte,
675                     and so its width is  expressed  as  ``8  bits  (only  the
676                     least-significant 2 bits may be nonzero).’’
677
678              Format How  a  value  for  the  field is formatted or parsed by,
679                     e.g., ovs-ofctl. Some possibilities are generic:
680
681                     decimal
682                            Formats as a decimal  number.  On  input,  accepts
683                            decimal numbers or hexadecimal numbers prefixed by
684                            0x.
685
686                     hexadecimal
687                            Formats as a hexadecimal number prefixed by 0x. On
688                            input, accepts decimal numbers or hexadecimal num‐
689                            bers prefixed by 0x. (The default for  parsing  is
690                            not  hexadecimal: only a 0x prefix causes input to
691                            be treated as hexadecimal.)
692
693                     Ethernet
694                            Formats and accepts the  common  Ethernet  address
695                            format xx:xx:xx:xx:xx:xx.
696
697                     IPv4   Formats   and   accepts   the  dotted-quad  format
698                            a.b.c.d. For bitwise matches, formats and  accepts
699                            address/length   CIDR   notation  in  addition  to
700                            address/mask.
701
702                     IPv6   Formats and accepts the common IPv6  address  for‐
703                            mats, plus CIDR notation for bitwise matches.
704
705                     OpenFlow 1.0 port
706                            Accepts 16-bit port numbers in decimal, plus Open‐
707                            Flow  well-known  port  names  (e.g.  IN_PORT)  in
708                            uppercase or lowercase.
709
710                     OpenFlow 1.1+ port
711                            Same  syntax  as OpenFlow 1.0 ports but for 32-bit
712                            OpenFlow 1.1+ port number fields.
713
714                     Other, field-specific formats are  explained  along  with
715                     their fields.
716
717              Masking
718                     For  most  fields, this says ``arbitrary bitwise masks,’’
719                     meaning that a flow may match any combination of bits  in
720                     the  field. Some fields instead say ``exact match only,’’
721                     which means that a flow that matches on this  field  must
722                     match  on  the  whole field instead of just certain bits.
723                     Either way, this reports masking support for  the  latest
724                     version of Open vSwitch using OXM or NXM (that is, either
725                     OpenFlow 1.2+ or  OpenFlow  1.0  plus  Open  vSwitch  NXM
726                     extensions).  In  particular,  OpenFlow 1.0 (without NXM)
727                     and 1.1 don’t always support masking even if Open vSwitch
728                     itself  does;  refer to the OpenFlow 1.0 and OpenFlow 1.1
729                     rows to learn about masking with these protocol versions.
730
731              Prerequisites
732                     Requirements that must be met to match on this field. For
733                     example,  ip_src has IPv4 as a prerequisite, meaning that
734                     a match must include eth_type=0x0800 to match on the IPv4
735                     source  address.  The following prerequisites, with their
736                     requirements, are currently in use:
737
738                     none   (no requirements)
739
740                     VLAN VID
741                            vlan_tci=0x1000/0x1000  (i.e.  a  VLAN  header  is
742                            present)
743
744                     ARP    eth_type=0x0806 (ARP) or eth_type=0x8035 (RARP)
745
746                     IPv4   eth_type=0x0800
747
748                     IPv6   eth_type=0x86dd
749
750                     IPv4/IPv6
751                            IPv4 or IPv6
752
753                     MPLS   eth_type=0x8847 or eth_type=0x8848
754
755                     TCP    IPv4/IPv6 and ip_proto=6
756
757                     UDP    IPv4/IPv6 and ip_proto=17
758
759                     SCTP   IPv4/IPv6 and ip_proto=132
760
761                     ICMPv4 IPv4 and ip_proto=1
762
763                     ICMPv6 IPv6 and ip_proto=58
764
765                     ND solicit
766                            ICMPv6 and icmp_type=135 and icmp_code=0
767
768                     ND advert
769                            ICMPv6 and icmp_type=136 and icmp_code=0
770
771                     ND     ND solicit or ND advert
772
773                     The  TCP,  UDP, and SCTP prerequisites also have the spe‐
774                     cial requirement that nw_frag is not being used to select
775                     ``later fragments.’’ This is because only the first frag‐
776                     ment of a fragmented IPv4 or IPv6 datagram  contains  the
777                     TCP or UDP header.
778
779              Access Most  fields  are ``read/write,’’ which means that common
780                     OpenFlow actions like set_field can modify  them.  Fields
781                     that  are  ``read-only’’ cannot be modified in these gen‐
782                     eral-purpose ways, although there may be other ways  that
783                     actions can modify them.
784
785              OpenFlow 1.0
786              OpenFlow 1.1
787                   These rows report the level of support that OpenFlow 1.0 or
788                   OpenFlow 1.1, respectively, has for a field.  For  OpenFlow
789                   1.0,  supported  fields are reported as either ``yes (exact
790                   match only)’’ for fields that do not  support  any  bitwise
791                   masking  or  ``yes (CIDR match only)’’ for fields that sup‐
792                   port CIDR masking. OpenFlow  1.1  supported  fields  report
793                   either  ``yes  (exact  match  only)’’ or simply ``yes’’ for
794                   fields that do support arbitrary masks. These OpenFlow ver‐
795                   sions supported a fixed collection of fields that cannot be
796                   extended, so many more fields are reported  as  ``not  sup‐
797                   ported.’’
798
799              OXM
800              NXM  These  rows  report the OXM and NXM code points that corre‐
801                   spond to a given field. Either or both may be ``none.’’
802
803                   A field that has only an OXM code point is usually one that
804                   was  standardized  before  it  was added to Open vSwitch. A
805                   field that has only an NXM code point is usually  one  that
806                   is  not yet standardized. When a field has both OXM and NXM
807                   code points, it usually indicates that it was introduced as
808                   an  Open  vSwitch  extension under the NXM code point, then
809                   later standardized under the OXM code point.  A  field  can
810                   have more than one OXM code point if it was standardized in
811                   OpenFlow 1.4 or later and  additionally  introduced  as  an
812                   official  ONF extension for OpenFlow 1.3. (A field that has
813                   neither OXM nor NXM code point  is  typically  an  obsolete
814                   field  that  is  supported  in some other form using OXM or
815                   NXM.)
816
817                   Each code point in these rows  is  described  in  the  form
818                   ``NAME  (number)  since OpenFlow spec and Open vSwitch ver‐
819                   sion,’’ e.g. ``OXM_OF_ETH_TYPE (5) since OpenFlow  1.2  and
820                   Open vSwitch 1.7.’’ First, NAME, which specifies a name for
821                   the code point, starts with  a  prefix  that  designates  a
822                   class  and,  in some cases, a vendor, as listed in the fol‐
823                   lowing table:
824
825                   Prefix           Vendor       Class
826                   ───────────────  ───────────  ───────
827                   NXM_OF           (none)       0x0000
828                   NXM_NX           (none)       0x0001
829                   ERICOXM_OF       (none)       0x1000
830                   OXM_OF           (none)       0x8000
831                   OXM_OF_PKT_REG   (none)       0x8001
832                   NXOXM_ET         0x00002320   0xffff
833                   NXOXM_NSH        0x005ad650   0xffff
834                   ONFOXM_ET        0x4f4e4600   0xffff
835
836                   For more information on OXM/NXM classes and vendors,  refer
837                   back  to  OpenFlow  1.2 under Evolution of OpenFlow Fields.
838                   The number is the field number within the class and vendor.
839                   The OpenFlow spec is the version of OpenFlow that standard‐
840                   ized the code point. It is  omitted  for  NXM  code  points
841                   because they are nonstandard. The version is the version of
842                   Open vSwitch that first supported the code point.
843

CONJUNCTIVE MATCH FIELDS

845   Summary:
846       Name      Bytes   Mask   RW?   Prereqs   NXM/OXM Support
847       ────────  ──────  ─────  ────  ────────  ────────────────
848       conj_id   4       no     no    none      OVS 2.4+
849
850       An individual OpenFlow flow can match only  a  single  value  for  each
851       field.  However, situations often arise where one wants to match one of
852       a set of values within a field or fields. For matching a  single  field
853       against  a  set,  it  is  straightforward and efficient to add multiple
854       flows to the flow table, one for each value in the  set.  For  example,
855       one  might  use  the  following  flows  to  send packets with IP source
856       address a, b, c, or d to the OpenFlow controller:
857
858             ip,ip_src=a actions=controller
859             ip,ip_src=b actions=controller
860             ip,ip_src=c actions=controller
861             ip,ip_src=d actions=controller
862
863
864       Similarly, these flows send packets with IP destination address  e,  f,
865       g, or h to the OpenFlow controller:
866
867             ip,ip_dst=e actions=controller
868             ip,ip_dst=f actions=controller
869             ip,ip_dst=g actions=controller
870             ip,ip_dst=h actions=controller
871
872
873       Installing  all of the above flows in a single flow table yields a dis‐
874       junctive effect: a packet  is  sent  to  the  controller  if  ip_src  ∈
875       {a,b,c,d}  or  ip_dst  ∈ {e,f,g,h} (or both). (Pedantically, if both of
876       the above sets of flows are present in the flow table, they should have
877       different  priorities, because OpenFlow says that the results are unde‐
878       fined when two flows  with  same  priority  can  both  match  a  single
879       packet.)
880
881       Suppose, on the other hand, one wishes to match conjunctively, that is,
882       to send a packet to the controller only if both ip_src ∈ {a,b,c,d}  and
883       ip_dst ∈ {e,f,g,h}. This requires 4 × 4 = 16 flows, one for each possi‐
884       ble pairing of ip_src and ip_dst. That  is  acceptable  for  our  small
885       example,  but  it  does not gracefully extend to larger sets or greater
886       numbers of dimensions.
887
888       The conjunction action is a solution for conjunctive  matches  that  is
889       built into Open vSwitch. A conjunction action ties groups of individual
890       OpenFlow flows into higher-level ``conjunctive flows’’. Each group cor‐
891       responds  to  one dimension, and each flow within the group matches one
892       possible value for the dimension. A packet that matches one  flow  from
893       each group matches the conjunctive flow.
894
895       To  implement  a conjunctive flow with conjunction, assign the conjunc‐
896       tive flow a 32-bit id, which must be unique within an  OpenFlow  table.
897       Assign  each  of  the n ≥ 2 dimensions a unique number from 1 to n; the
898       ordering is unimportant. Add one flow to the OpenFlow  flow  table  for
899       each  possible value of each dimension with conjunction(id, k/n) as the
900       flow’s actions, where k is the number assigned to the flow’s dimension.
901       Together,  these  flows specify the conjunctive flow’s match condition.
902       When the conjunctive match condition is met, Open vSwitch looks up  one
903       more  flow  that  specifies the conjunctive flow’s actions and receives
904       its statistics. This flow is found by setting conj_id to the  specified
905       id and then again searching the flow table.
906
907       The  following  flows provide an example. Whenever the IP source is one
908       of the values in the flows that match on the IP source (dimension 1  of
909       2), and the IP destination is one of the values in the flows that match
910       on IP destination (dimension 2 of 2), Open vSwitch searches for a  flow
911       that  matches  conj_id  against  the conjunction ID (1234), finding the
912       first flow listed below.
913
914             conj_id=1234 actions=controller
915             ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)
916             ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)
917             ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)
918             ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)
919             ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)
920             ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)
921             ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)
922             ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)
923
924
925       Many subtleties exist:
926
927              ·      In the example above, every flow in  a  single  dimension
928                     has the same form, that is, dimension 1 matches on ip_src
929                     and dimension 2 on ip_dst, but this is not a requirement.
930                     Different flows within a dimension may match on different
931                     bits within a field (e.g. IP network prefixes of  differ‐
932                     ent  lengths, or TCP/UDP port ranges as bitwise matches),
933                     or even on entirely different fields (e.g. to match pack‐
934                     ets for TCP source port 80 or TCP destination port 80).
935
936              ·      The  flows  within  a  dimension  can  vary their matches
937                     across more than one field, e.g. to match  only  specific
938                     pairs  of  IP source and destination addresses or L4 port
939                     numbers.
940
941              ·      A flow may have multiple conjunction actions,  with  dif‐
942                     ferent id values. This is useful for multiple conjunctive
943                     flows with overlapping  sets.  If  one  conjunctive  flow
944                     matches  packets  with  both  ip_src ∈ {a,b} and ip_dst ∈
945                     {d,e} and a second  conjunctive  flow  matches  ip_src  ∈
946                     {b,c} and ip_dst ∈ {f,g}, for example, then the flow that
947                     matches ip_src=b would have two conjunction actions,  one
948                     for  each  conjunctive  flow.  The  order  of conjunction
949                     actions within a list of actions is not significant.
950
951              ·      A flow with conjunction actions  may  also  include  note
952                     actions  for  annotations,  but  not  any  other  kind of
953                     actions. (They would not be  useful  because  they  would
954                     never be executed.)
955
956              ·      All  of the flows that constitute a conjunctive flow with
957                     a given id must have the same priority. (Flows  with  the
958                     same id but different priorities are currently treated as
959                     different conjunctive flows, that is, currently id values
960                     need  only  be unique within an OpenFlow table at a given
961                     priority. This behavior isn’t guaranteed to stay the same
962                     in  later releases, so please use id values unique within
963                     an OpenFlow table.)
964
965              ·      Conjunctive flows must not overlap with each other, at  a
966                     given priority, that is, any given packet must be able to
967                     match at most one conjunctive flow at a  given  priority.
968                     Overlapping   conjunctive   flows   yield   unpredictable
969                     results.
970
971              ·      Following a conjunctive flow match, the  search  for  the
972                     flow  with conj_id=id is done in the same general-purpose
973                     way as other flow table searches, so one  can  use  flows
974                     with  conj_id=id  to act differently depending on circum‐
975                     stances. (One  exception  is  that  the  search  for  the
976                     conj_id=id  flow  itself  ignores  conjunctive  flows, to
977                     avoid recursion.) If the search  with  conj_id=id  fails,
978                     Open  vSwitch  acts  as  if  the conjunctive flow had not
979                     matched at all, and continues searching  the  flow  table
980                     for other matching flows.
981
982              ·      OpenFlow  prerequisite  checking occurs for the flow with
983                     conj_id=id in the same way as any other flow, e.g. in  an
984                     OpenFlow  1.1+  context, putting a mod_nw_src action into
985                     the example above would require adding an ip match,  like
986                     this:
987
988                               conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller
989
990
991              ·      OpenFlow  prerequisite checking also occurs for the indi‐
992                     vidual flows that comprise a  conjunctive  match  in  the
993                     same way as any other flow.
994
995              ·      The  flows that constitute a conjunctive flow do not have
996                     useful statistics. They are never updated  with  byte  or
997                     packet  counts,  and  so on. (For such a flow, therefore,
998                     the idle and hard timeouts work much the same way.)
999
1000              ·      Sometimes there is a choice of which flows include a par‐
1001                     ticular  match.  For  example,  suppose  that we added an
1002                     extra constraint to our example, to  match  on  ip_src  ∈
1003                     {a,b,c,d} and ip_dst ∈ {e,f,g,h} and tcp_dst = i. One way
1004                     to implement this is to add the  new  constraint  to  the
1005                     conj_id flow, like this:
1006
1007                               conj_id=1234,tcp,tcp_dst=i actions=mod_nw_src:1.2.3.4,controller
1008
1009
1010                     but  this  is  not recommended because of the cost of the
1011                     extra flow table lookup. Instead, add the  constraint  to
1012                     the  individual flows, either in one of the dimensions or
1013                     (slightly better) all of them.
1014
1015              ·      A conjunctive match must have n ≥ 2 dimensions (otherwise
1016                     a  conjunctive  match  is  not  necessary).  Open vSwitch
1017                     enforces this.
1018
1019              ·      Each dimension within a conjunctive match should ordinar‐
1020                     ily  have  more  than  one  flow.  Open  vSwitch does not
1021                     enforce this.
1022
1023       Conjunction ID Field
1024
1025       Name:            conj_id
1026       Width:           32 bits
1027       Format:          decimal
1028       Masking:         not maskable
1029       Prerequisites:   none
1030       Access:          read-only
1031       OpenFlow 1.0:    not supported
1032       OpenFlow 1.1:    not supported
1033       OXM:             none
1034       NXM:             NXM_NX_CONJ_ID (37) since Open vSwitch 2.4
1035
1036       Used for conjunctive matching. See above for more information.
1037

TUNNEL FIELDS

1039   Summary:
1040       Name                   Bytes             Mask   RW?   Prereqs   NXM/OXM Support
1041       ─────────────────────  ────────────────  ─────  ────  ────────  ─────────────────────
1042       tun_id aka tunnel_id   8                 yes    yes   none      OF 1.3+ and OVS 1.1+
1043       tun_src                4                 yes    yes   none      OVS 2.0+
1044       tun_dst                4                 yes    yes   none      OVS 2.0+
1045       tun_ipv6_src           16                yes    yes   none      OVS 2.5+
1046       tun_ipv6_dst           16                yes    yes   none      OVS 2.5+
1047       tun_gbp_id             2                 yes    yes   none      OVS 2.4+
1048       tun_gbp_flags          1                 yes    yes   none      OVS 2.4+
1049       tun_erspan_ver         1 (low 4 bits)    yes    yes   none      OVS 2.10+
1050
1051       tun_erspan_idx         4 (low 20 bits)   yes    yes   none      OVS 2.10+
1052       tun_erspan_dir         1 (low 1 bits)    yes    yes   none      OVS 2.10+
1053       tun_erspan_hwid        1 (low 6 bits)    yes    yes   none      OVS 2.10+
1054       tun_metadata0          124               yes    yes   none      OVS 2.5+
1055       tun_metadata1          124               yes    yes   none      OVS 2.5+
1056       tun_metadata2          124               yes    yes   none      OVS 2.5+
1057       tun_metadata3          124               yes    yes   none      OVS 2.5+
1058       tun_metadata4          124               yes    yes   none      OVS 2.5+
1059       tun_metadata5          124               yes    yes   none      OVS 2.5+
1060       tun_metadata6          124               yes    yes   none      OVS 2.5+
1061       tun_metadata7          124               yes    yes   none      OVS 2.5+
1062       tun_metadata8          124               yes    yes   none      OVS 2.5+
1063       tun_metadata9          124               yes    yes   none      OVS 2.5+
1064
1065       tun_metadata10         124               yes    yes   none      OVS 2.5+
1066       tun_metadata11         124               yes    yes   none      OVS 2.5+
1067       tun_metadata12         124               yes    yes   none      OVS 2.5+
1068       tun_metadata13         124               yes    yes   none      OVS 2.5+
1069       tun_metadata14         124               yes    yes   none      OVS 2.5+
1070       tun_metadata15         124               yes    yes   none      OVS 2.5+
1071       tun_metadata16         124               yes    yes   none      OVS 2.5+
1072       tun_metadata17         124               yes    yes   none      OVS 2.5+
1073       tun_metadata18         124               yes    yes   none      OVS 2.5+
1074       tun_metadata19         124               yes    yes   none      OVS 2.5+
1075       tun_metadata20         124               yes    yes   none      OVS 2.5+
1076       tun_metadata21         124               yes    yes   none      OVS 2.5+
1077       tun_metadata22         124               yes    yes   none      OVS 2.5+
1078
1079       tun_metadata23         124               yes    yes   none      OVS 2.5+
1080       tun_metadata24         124               yes    yes   none      OVS 2.5+
1081       tun_metadata25         124               yes    yes   none      OVS 2.5+
1082       tun_metadata26         124               yes    yes   none      OVS 2.5+
1083       tun_metadata27         124               yes    yes   none      OVS 2.5+
1084       tun_metadata28         124               yes    yes   none      OVS 2.5+
1085       tun_metadata29         124               yes    yes   none      OVS 2.5+
1086       tun_metadata30         124               yes    yes   none      OVS 2.5+
1087       tun_metadata31         124               yes    yes   none      OVS 2.5+
1088       tun_metadata32         124               yes    yes   none      OVS 2.5+
1089       tun_metadata33         124               yes    yes   none      OVS 2.5+
1090       tun_metadata34         124               yes    yes   none      OVS 2.5+
1091       tun_metadata35         124               yes    yes   none      OVS 2.5+
1092
1093       tun_metadata36         124               yes    yes   none      OVS 2.5+
1094       tun_metadata37         124               yes    yes   none      OVS 2.5+
1095       tun_metadata38         124               yes    yes   none      OVS 2.5+
1096       tun_metadata39         124               yes    yes   none      OVS 2.5+
1097       tun_metadata40         124               yes    yes   none      OVS 2.5+
1098       tun_metadata41         124               yes    yes   none      OVS 2.5+
1099       tun_metadata42         124               yes    yes   none      OVS 2.5+
1100       tun_metadata43         124               yes    yes   none      OVS 2.5+
1101       tun_metadata44         124               yes    yes   none      OVS 2.5+
1102       tun_metadata45         124               yes    yes   none      OVS 2.5+
1103       tun_metadata46         124               yes    yes   none      OVS 2.5+
1104       tun_metadata47         124               yes    yes   none      OVS 2.5+
1105       tun_metadata48         124               yes    yes   none      OVS 2.5+
1106
1107       tun_metadata49         124               yes    yes   none      OVS 2.5+
1108       tun_metadata50         124               yes    yes   none      OVS 2.5+
1109       tun_metadata51         124               yes    yes   none      OVS 2.5+
1110       tun_metadata52         124               yes    yes   none      OVS 2.5+
1111       tun_metadata53         124               yes    yes   none      OVS 2.5+
1112       tun_metadata54         124               yes    yes   none      OVS 2.5+
1113       tun_metadata55         124               yes    yes   none      OVS 2.5+
1114       tun_metadata56         124               yes    yes   none      OVS 2.5+
1115       tun_metadata57         124               yes    yes   none      OVS 2.5+
1116       tun_metadata58         124               yes    yes   none      OVS 2.5+
1117       tun_metadata59         124               yes    yes   none      OVS 2.5+
1118       tun_metadata60         124               yes    yes   none      OVS 2.5+
1119       tun_metadata61         124               yes    yes   none      OVS 2.5+
1120
1121       tun_metadata62         124               yes    yes   none      OVS 2.5+
1122       tun_metadata63         124               yes    yes   none      OVS 2.5+
1123       tun_flags              2 (low 1 bits)    yes    yes   none      OVS 2.5+
1124
1125       The fields in this group relate to tunnels, which Open vSwitch supports
1126       in  several  forms  (GRE,  VXLAN,  and  so on). Most of these fields do
1127       appear in the wire format of a packet, so they  are  data  fields  from
1128       that  point  of view, but they are metadata from an OpenFlow flow table
1129       point of view because they do not appear in packets that are  forwarded
1130       to the controller or to ordinary (non-tunnel) output ports.
1131
1132       Open vSwitch supports a spectrum of usage models for mapping tunnels to
1133       OpenFlow ports:
1134
1135              ``Port-based’’ tunnels
1136                     In this model, an OpenFlow port represents one tunnel: it
1137                     matches  a  particular type of tunnel traffic between two
1138                     IP endpoints, with a particular tunnel key (if  keys  are
1139                     in  use).  In this situation, in_port suffices to distin‐
1140                     guish one tunnel  from  another,  so  the  tunnel  header
1141                     fields  have  little  importance for OpenFlow processing.
1142                     (They are still populated and may be used if it is conve‐
1143                     nient.)  The tunnel header fields play no role in sending
1144                     packets out such an OpenFlow port,  either,  because  the
1145                     OpenFlow port itself fully specifies the tunnel headers.
1146
1147                     The  following  Open  vSwitch  commands  create  a bridge
1148                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1149                     establish  a port-based GRE tunnel between the local host
1150                     and remote IP 192.168.1.1 using GRE key 5001 as  OpenFlow
1151                     port  2, and arranges to forward all traffic from tap0 to
1152                     the tunnel and vice versa:
1153
1154                     ovs-vsctl add-br br-int
1155                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1156                     ovs-vsctl add-port br-int gre0 -- \
1157                         set interface gre0 ofport_request=2 type=gre \
1158                                            options:remote_ip=192.168.1.1 options:key=5001
1159                     ovs-ofctl add-flow br-int in_port=1,actions=2
1160                     ovs-ofctl add-flow br-int in_port=2,actions=1
1161
1162
1163              ``Flow-based’’ tunnels
1164                     In this model, one OpenFlow port represents all  possible
1165                     tunnels  of  a given type with an endpoint on the current
1166                     host, for example, all GRE tunnels.  In  this  situation,
1167                     in_port  only  indicates that traffic was received on the
1168                     particular kind of  tunnel.  This  is  where  the  tunnel
1169                     header fields are most important: they allow the OpenFlow
1170                     tables to discriminate among tunnels based  on  their  IP
1171                     endpoints  or  keys.  Tunnel header fields also determine
1172                     the IP endpoints and keys of packets sent out such a tun‐
1173                     nel port.
1174
1175                     The  following  Open  vSwitch  commands  create  a bridge
1176                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1177                     establish a flow-based GRE tunnel port 3, and arranges to
1178                     forward all traffic from tap0 to  remote  IP  192.168.1.1
1179                     over a GRE tunnel with key 5001 and vice versa:
1180
1181                     ovs-vsctl add-br br-int
1182                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1183                     ovs-vsctl add-port br-int allgre -- \
1184                         set interface allgre ofport_request=3 type=gre \
1185                                              options:remote_ip=flow options:key=flow
1186                     ovs-ofctl add-flow br-int \
1187                         ’in_port=1 actions=set_tunnel:5001,set_field:192.168.1.1->tun_dst,3’
1188                     ovs-ofctl add-flow br-int ’in_port=3,tun_src=192.168.1.1,tun_id=5001 actions=1’
1189
1190
1191              Mixed models.
1192                     One  may define both flow-based and port-based tunnels at
1193                     the same time. For example, it is valid and possibly use‐
1194                     ful  to  create and configure both gre0 and allgre tunnel
1195                     ports described above.
1196
1197                     Traffic is attributed on ingress  to  the  most  specific
1198                     matching  tunnel. For example, gre0 is more specific than
1199                     allgre. Therefore, if both exist, then gre0 will  be  the
1200                     ingress   port   for   any   GRE  traffic  received  from
1201                     192.168.1.1 with key 5001.
1202
1203                     On egress, traffic may be  directed  to  any  appropriate
1204                     tunnel  port.  If  both gre0 and allgre are configured as
1205                     already  described,  then  the  actions  2  and  set_tun‐
1206                     nel:5001,set_field:192.168.1.1->tun_dst,3  send  the same
1207                     tunnel traffic.
1208
1209              Intermediate models.
1210                     Ports may be  configured  as  partially  flow-based.  For
1211                     example,  one may define an OpenFlow port that represents
1212                     tunnels between a pair of endpoints but leaves  the  flow
1213                     table to discriminate on the flow key.
1214
1215       ovs-vswitchd.conf.db(5)  describes all the details of tunnel configura‐
1216       tion.
1217
1218       These fields do not have any prerequisites, which means that a flow may
1219       match on any or all of them, in any combination.
1220
1221       These fields are zeros for packets that did not arrive on a tunnel.
1222
1223       Tunnel ID Field
1224
1225       Name:            tun_id (aka tunnel_id)
1226       Width:           64 bits
1227       Format:          hexadecimal
1228       Masking:         arbitrary bitwise masks
1229       Prerequisites:   none
1230       Access:          read/write
1231       OpenFlow 1.0:    not supported
1232
1233       OpenFlow 1.1:    not supported
1234       OXM:             OXM_OF_TUNNEL_ID  (38)  since  OpenFlow  1.3  and Open
1235                        vSwitch 1.10
1236       NXM:             NXM_NX_TUN_ID (16) since Open vSwitch 1.1
1237
1238       Many kinds of tunnels support a tunnel ID:
1239
1240              ·      VXLAN and Geneve have a 24-bit virtual network identifier
1241                     (VNI).
1242
1243              ·      LISP has a 24-bit instance ID.
1244
1245              ·      GRE has an optional 32-bit key.
1246
1247              ·      STT has a 64-bit key.
1248
1249              ·      ERSPAN has a 10-bit key (Session ID).
1250
1251       When a packet is received from a tunnel, this field holds the tunnel ID
1252       in its least significant bits, zero-extended to fit. This field is zero
1253       if  the tunnel does not support an ID, or if no ID is in use for a tun‐
1254       nel type that has an optional ID, or if an ID of zero received,  or  if
1255       the packet was not received over a tunnel.
1256
1257       When  a  packet  is  output  to a tunnel port, the tunnel configuration
1258       determines whether the tunnel ID is taken from this field or bound to a
1259       fixed  value. See the earlier description of ``port-based’’ and ``flow-
1260       based’’ tunnels for more information.
1261
1262       The following diagram shows the origin of this field in a typical keyed
1263       GRE tunnel:
1264
1265          Ethernet            IPv4               GRE           Ethernet
1266        <----------->   <--------------->   <------------>   <---------->
1267        48  48   16           8   32  32    16    16   32    48  48   16
1268       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1269       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1270       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1271                0x800        47                 0x6558
1272
1273
1274       Tunnel IPv4 Source Field
1275
1276       Name:            tun_src
1277       Width:           32 bits
1278       Format:          IPv4
1279       Masking:         arbitrary bitwise masks
1280       Prerequisites:   none
1281       Access:          read/write
1282       OpenFlow 1.0:    not supported
1283       OpenFlow 1.1:    not supported
1284       OXM:             none
1285       NXM:             NXM_NX_TUN_IPV4_SRC (31) since Open vSwitch 2.0
1286
1287       When  a  packet  is  received  from  a tunnel, this field is the source
1288       address in the outer IP header of the tunneled packet.  This  field  is
1289       zero if the packet was not received over a tunnel.
1290
1291       When  a packet is output to a flow-based tunnel port, this field influ‐
1292       ences the IPv4 source address used to send the packet. If it  is  zero,
1293       then the kernel chooses an appropriate IP address based using the rout‐
1294       ing table.
1295
1296       The following diagram shows the origin of this field in a typical keyed
1297       GRE tunnel:
1298
1299          Ethernet            IPv4               GRE           Ethernet
1300        <----------->   <--------------->   <------------>   <---------->
1301        48  48   16           8   32  32    16    16   32    48  48   16
1302       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1303       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1304       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1305                0x800        47                 0x6558
1306
1307
1308       Tunnel IPv4 Destination Field
1309
1310       Name:            tun_dst
1311       Width:           32 bits
1312       Format:          IPv4
1313       Masking:         arbitrary bitwise masks
1314       Prerequisites:   none
1315       Access:          read/write
1316
1317       OpenFlow 1.0:    not supported
1318       OpenFlow 1.1:    not supported
1319       OXM:             none
1320       NXM:             NXM_NX_TUN_IPV4_DST (32) since Open vSwitch 2.0
1321
1322       When  a packet is received from a tunnel, this field is the destination
1323       address in the outer IP header of the tunneled packet.  This  field  is
1324       zero if the packet was not received over a tunnel.
1325
1326       When  a packet is output to a flow-based tunnel port, this field speci‐
1327       fies the destination to which the tunnel packet is sent.
1328
1329       The following diagram shows the origin of this field in a typical keyed
1330       GRE tunnel:
1331
1332          Ethernet            IPv4               GRE           Ethernet
1333        <----------->   <--------------->   <------------>   <---------->
1334        48  48   16           8   32  32    16    16   32    48  48   16
1335       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1336       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1337       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1338                0x800        47                 0x6558
1339
1340
1341       Tunnel IPv6 Source Field
1342
1343       Name:            tun_ipv6_src
1344
1345       Width:           128 bits
1346       Format:          IPv6
1347       Masking:         arbitrary bitwise masks
1348       Prerequisites:   none
1349       Access:          read/write
1350       OpenFlow 1.0:    not supported
1351       OpenFlow 1.1:    not supported
1352       OXM:             none
1353       NXM:             NXM_NX_TUN_IPV6_SRC (109) since Open vSwitch 2.5
1354
1355       Similar to tun_src, but for tunnels over IPv6.
1356
1357       Tunnel IPv6 Destination Field
1358
1359       Name:            tun_ipv6_dst
1360       Width:           128 bits
1361       Format:          IPv6
1362       Masking:         arbitrary bitwise masks
1363       Prerequisites:   none
1364       Access:          read/write
1365       OpenFlow 1.0:    not supported
1366       OpenFlow 1.1:    not supported
1367       OXM:             none
1368       NXM:             NXM_NX_TUN_IPV6_DST (110) since Open vSwitch 2.5
1369
1370       Similar to tun_dst, but for tunnels over IPv6.
1371
1372   VXLAN Group-Based Policy Fields
1373       The VXLAN header is defined as follows [RFC 7348], where the I bit must
1374       be set to 1, unlabeled bits or those labeled reserved must be set to 0,
1375       and Open vSwitch makes the VNI available via tun_id:
1376
1377          VXLAN flags
1378        <------------->
1379        1 1 1 1 1 1 1 1    24    24     8
1380       +-+-+-+-+-+-+-+-+--------+---+--------+
1381       | | | | |I| | | |reserved|VNI|reserved|
1382       +-+-+-+-+-+-+-+-+--------+---+--------+
1383
1384
1385       VXLAN Group-Based Policy [VXLAN Group Policy Option] adds new interpre‐
1386       tations to existing bits in the VXLAN header, reinterpreting it as fol‐
1387       lows, with changes highlighted:
1388
1389           GBP flags
1390        <------------->
1391        1 1 1 1 1 1 1 1       24        24     8
1392       +-+-+-+-+-+-+-+-+---------------+---+--------+
1393       | |D| | |A| | | |group policy ID|VNI|reserved|
1394       +-+-+-+-+-+-+-+-+---------------+---+--------+
1395
1396
1397       Open vSwitch makes GBP fields and flags available through the following
1398       fields. Only packets that arrive over  a  VXLAN  tunnel  with  the  GBP
1399       extension enabled have these fields set. In other packets they are zero
1400       on receive and ignored on transmit.
1401
1402       VXLAN Group-Based Policy ID Field
1403
1404       Name:            tun_gbp_id
1405       Width:           16 bits
1406
1407       Format:          decimal
1408       Masking:         arbitrary bitwise masks
1409       Prerequisites:   none
1410       Access:          read/write
1411       OpenFlow 1.0:    not supported
1412       OpenFlow 1.1:    not supported
1413       OXM:             none
1414       NXM:             NXM_NX_TUN_GBP_ID (38) since Open vSwitch 2.4
1415
1416       For a packet tunneled over VXLAN  with  the  Group-Based  Policy  (GBP)
1417       extension, this field represents the GBP policy ID, as shown above.
1418
1419       VXLAN Group-Based Policy Flags Field
1420
1421       Name:            tun_gbp_flags
1422
1423       Width:           8 bits
1424       Format:          hexadecimal
1425       Masking:         arbitrary bitwise masks
1426       Prerequisites:   none
1427       Access:          read/write
1428       OpenFlow 1.0:    not supported
1429       OpenFlow 1.1:    not supported
1430       OXM:             none
1431       NXM:             NXM_NX_TUN_GBP_FLAGS (39) since Open vSwitch 2.4
1432
1433       For  a  packet  tunneled  over  VXLAN with the Group-Based Policy (GBP)
1434       extension, this field represents the GBP policy flags, as shown above.
1435
1436       The field has the format shown below:
1437
1438           GBP Flags
1439        <------------->
1440        1 1 1 1 1 1 1 1
1441       +-+-+-+-+-+-+-+-+
1442       | |D| | |A| | | |
1443       +-+-+-+-+-+-+-+-+
1444
1445
1446       Unlabeled bits are reserved and must be transmitted as 0. The VXLAN GBP
1447       draft defines the other bits’ meanings as:
1448
1449              D (Don’t Learn)
1450                     When  set, this bit indicates that the egress tunnel end‐
1451                     point must not learn the source address of  the  encapsu‐
1452                     lated frame.
1453
1454              A (Applied)
1455                     When  set,  indicates  that  the group policy has already
1456                     been applied to this packet. Devices must not apply poli‐
1457                     cies when the A bit is set.
1458
1459   ERSPAN Metadata Fields
1460       These  fields provide access to features in the ERSPAN tunneling proto‐
1461       col [ERSPAN], which has two major versions: version 1 (aka type II) and
1462       version 2 (aka type III).
1463
1464       Regardless of version, ERSPAN is encapsulated within a fixed 8-byte GRE
1465       header that consists of a 4-byte GRE base header and a 4-byte  sequence
1466       number. The ERSPAN version 1 header format is:
1467
1468             GRE                ERSPAN v1            Ethernet
1469        <------------>   <--------------------->   <---------->
1470        16    16   32     4  18    10    12  20    48  48   16
1471       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1472       |...| type |seq| |ver|...|session|...|idx| |dst|src|type| ...
1473       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1474            0x88be        1      tun_id
1475
1476
1477       The ERSPAN version 2 header format is:
1478
1479             GRE                         ERSPAN v2                      Ethernet
1480        <------------>   <---------------------------------------->   <---------->
1481        16    16   32     4  18    10       32     22   6    1   3    48  48   16
1482       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1483       |...| type |seq| |ver|...|session|timestamp|...|hwid|dir|...| |dst|src|type| ...
1484       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1485            0x22eb        2      tun_id                     0/1
1486
1487
1488       ERSPAN Version Field
1489
1490       Name:            tun_erspan_ver
1491       Width:           8 bits (only the least-significant 4 bits may be nonzero)
1492
1493       Format:          decimal
1494       Masking:         arbitrary bitwise masks
1495       Prerequisites:   none
1496       Access:          read/write
1497       OpenFlow 1.0:    not supported
1498       OpenFlow 1.1:    not supported
1499       OXM:             none
1500       NXM:             NXOXM_ET_ERSPAN_VER (12) since Open vSwitch 2.10
1501
1502       ERSPAN version number: 1 for version 1, or 2 for version 2.
1503
1504       ERSPAN Index Field
1505
1506       Name:            tun_erspan_idx
1507       Width:           32 bits (only the least-significant 20 bits may be nonzero)
1508       Format:          hexadecimal
1509       Masking:         arbitrary bitwise masks
1510
1511       Prerequisites:   none
1512       Access:          read/write
1513       OpenFlow 1.0:    not supported
1514       OpenFlow 1.1:    not supported
1515       OXM:             none
1516       NXM:             NXOXM_ET_ERSPAN_IDX (11) since Open vSwitch 2.10
1517
1518       This  field  is  a  20-bit index/port number associated with the ERSPAN
1519       traffic’s source port and direction  (ingress/egress).  This  field  is
1520       platform dependent.
1521
1522       ERSPAN Direction Field
1523
1524       Name:            tun_erspan_dir
1525       Width:           8 bits (only the least-significant 1 bits may be nonzero)
1526       Format:          decimal
1527       Masking:         arbitrary bitwise masks
1528
1529       Prerequisites:   none
1530       Access:          read/write
1531       OpenFlow 1.0:    not supported
1532       OpenFlow 1.1:    not supported
1533       OXM:             none
1534       NXM:             NXOXM_ET_ERSPAN_DIR (13) since Open vSwitch 2.10
1535
1536       For ERSPAN v2, the mirrored traffic’s direction: 0 for ingress traffic,
1537       1 for egress traffic.
1538
1539       ERSPAN Hardware ID Field
1540
1541       Name:            tun_erspan_hwid
1542       Width:           8 bits (only the least-significant 6 bits may be nonzero)
1543       Format:          hexadecimal
1544       Masking:         arbitrary bitwise masks
1545       Prerequisites:   none
1546
1547       Access:          read/write
1548       OpenFlow 1.0:    not supported
1549       OpenFlow 1.1:    not supported
1550       OXM:             none
1551       NXM:             NXOXM_ET_ERSPAN_HWID (14) since Open vSwitch 2.10
1552
1553       A 6-bit unique identifier of an ERSPAN v2 engine within a system.
1554
1555   Geneve Fields
1556       These fields provide access to additional features in the  Geneve  tun‐
1557       neling  protocol [Geneve]. Their names are somewhat generic in the hope
1558       that the same fields could be reused for other protocols in the future;
1559       for  example, the NSH protocol [NSH] supports TLV options whose form is
1560       identical to that for Geneve options.
1561
1562       Generic Tunnel Option 0 Field
1563
1564
1565       Name:            tun_metadata0
1566       Width:           992 bits (124 bytes)
1567       Format:          hexadecimal
1568       Masking:         arbitrary bitwise masks
1569       Prerequisites:   none
1570       Access:          read/write
1571       OpenFlow 1.0:    not supported
1572       OpenFlow 1.1:    not supported
1573       OXM:             none
1574       NXM:             NXM_NX_TUN_METADATA0 (40) since Open vSwitch 2.5
1575
1576       The above information specifically covers generic tunnel option 0,  but
1577       Open  vSwitch  supports  64  options,  numbered 0 through 63, whose NXM
1578       field numbers are 40 through 103.
1579
1580       These fields provide OpenFlow access to the  generic  type-length-value
1581       options  defined  by  the  Geneve tunneling protocol or other protocols
1582       with options in the same TLV format as Geneve options.  Each  of  these
1583       options has the following wire format:
1584
1585               header                 body
1586        <-------------------> <------------------>
1587         16    8    3    5    4×(length - 1) bytes
1588       +-----+----+---+------+--------------------+
1589       |class|type|res|length|       value        |
1590       +-----+----+---+------+--------------------+
1591                    0
1592
1593
1594       Taken together, the class and type in the option format mean that there
1595       are about 16 million distinct kinds of TLV options, too  many  to  give
1596       individual  OXM  code  points.  Thus, Open vSwitch requires the user to
1597       define the TLV options of interest, by binding up to 64 TLV options  to
1598       generic  tunnel  option NXM code points. Each option may have up to 124
1599       bytes in its body, the maximum allowed by the  TLV  format,  but  bound
1600       options may total at most 252 bytes of body.
1601
1602       Open  vSwitch  extensions  to the OpenFlow protocol bind TLV options to
1603       NXM code points. The ovs-ofctl(8) program offers one way to  use  these
1604       extensions,  e.g.  to  configure a mapping from a TLV option with class
1605       0xffff, type 0, and a body length of 4 bytes:
1606
1607       ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
1608
1609
1610       Once a TLV option is properly bound, it can be  accessed  and  modified
1611       like any other field, e.g. to send packets that have value 1234 for the
1612       option described above to the controller:
1613
1614       ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
1615
1616
1617       An option not received or not bound is matched as all zeros.
1618
1619       Tunnel Flags Field
1620
1621       Name:            tun_flags
1622       Width:           16 bits (only the least-significant 1 bits may be nonzero)
1623       Format:          tunnel flags
1624       Masking:         arbitrary bitwise masks
1625       Prerequisites:   none
1626       Access:          read/write
1627       OpenFlow 1.0:    not supported
1628       OpenFlow 1.1:    not supported
1629       OXM:             none
1630       NXM:             NXM_NX_TUN_FLAGS (104) since Open vSwitch 2.5
1631
1632       Flags indicating various aspects of the tunnel encapsulation.
1633
1634       Matches on this field are most conveniently written in  terms  of  sym‐
1635       bolic names (given in the diagram below), each preceded by either + for
1636       a flag that must be set, or - for a flag that must  be  unset,  without
1637       any  other  delimiters between the flags. Flags not mentioned are wild‐
1638       carded. For example, tun_flags=+oam matches only OAM  packets.  Matches
1639       can also be written as flags/mask, where flags and mask are 16-bit num‐
1640       bers in decimal or in hexadecimal prefixed by 0x.
1641
1642       Currently, only one flag is defined:
1643
1644              oam    The tunnel protocol indicated that this is an OAM (Opera‐
1645                     tions and Management) control packet.
1646
1647       The switch may reject matches against unknown flags.
1648
1649       Newer  versions of Open vSwitch may introduce additional flags with new
1650       meanings. It is therefore not recommended to use an exact match on this
1651       field  since  the  behavior of these new flags is unknown and should be
1652       ignored.
1653
1654       For non-tunneled packets, the value is 0.

METADATA FIELDS

1656   Summary:
1657       Name            Bytes   Mask   RW?   Prereqs   NXM/OXM Support
1658
1659       ──────────────  ──────  ─────  ────  ────────  ─────────────────────
1660       in_port         2       no     yes   none      OVS 1.1+
1661       in_port_oxm     4       no     yes   none      OF 1.2+ and OVS 1.7+
1662
1663       skb_priority    4       no     no    none
1664       pkt_mark        4       yes    yes   none      OVS 2.0+
1665       actset_output   4       no     no    none      OF 1.3+ and OVS 2.4+
1666
1667       packet_type     4       no     no    none      OF 1.5+ and OVS 2.8+
1668
1669       These fields relate to the origin or treatment of a  packet,  but  they
1670       are not extracted from the packet data itself.
1671
1672       Ingress Port Field
1673
1674
1675       Name:            in_port
1676       Width:           16 bits
1677       Format:          OpenFlow 1.0 port
1678
1679       Masking:         not maskable
1680       Prerequisites:   none
1681       Access:          read/write
1682
1683       OpenFlow 1.0:    yes (exact match only)
1684       OpenFlow 1.1:    yes (exact match only)
1685       OXM:             none
1686
1687       NXM:             NXM_OF_IN_PORT (0) since Open vSwitch 1.1
1688
1689       The  OpenFlow port on which the packet being processed arrived. This is
1690       a 16-bit field that holds an OpenFlow 1.0 port number. For receiving  a
1691       packet, the only values that appear in this field are:
1692
1693              1 through 0xfeff (65,279), inclusive.
1694                     Conventional OpenFlow port numbers.
1695
1696              OFPP_LOCAL (0xfffe or 65,534).
1697                     The ``local’’ port, which in Open vSwitch is always named
1698                     the same as the bridge itself. This represents a  connec‐
1699                     tion  between the switch and the local TCP/IP stack. This
1700                     port is where an IP address is most  commonly  configured
1701                     on an Open vSwitch switch.
1702
1703                     OpenFlow  does not require a switch to have a local port,
1704                     but all existing versions of  Open  vSwitch  have  always
1705                     included a local port. Future Directions: Future versions
1706                     of Open vSwitch might be  able  to  optionally  omit  the
1707                     local  port,  if someone submits code to implement such a
1708                     feature.
1709
1710              OFPP_NONE (OpenFlow 1.0) or OFPP_ANY (OpenFlow 1.1+) (0xffff  or
1711              65,535).
1712              OFPP_CONTROLLER (0xfffd or 65,533).
1713                   When  a controller injects a packet into an OpenFlow switch
1714                   with a ``packet-out’’ request, it can specify one of  these
1715                   ingress  ports  to  indicate  that the packet was generated
1716                   internally rather than having been received on some port.
1717
1718                   OpenFlow 1.0 specified OFPP_NONE for this purpose.  Despite
1719                   that,  some  controllers  used  OFPP_CONTROLLER,  and  some
1720                   switches only accepted OFPP_CONTROLLER, so  OpenFlow  1.0.2
1721                   required  support  for  both  ports. OpenFlow 1.1 and later
1722                   were more clearly drafted to  allow  only  OFPP_CONTROLLER.
1723                   For  maximum  compatibility, Open vSwitch allows both ports
1724                   with all OpenFlow versions.
1725
1726       Values not mentioned above will never appear when receiving  a  packet,
1727       including the following notable values:
1728
1729              0      Zero is not a valid OpenFlow port number.
1730
1731              OFPP_MAX (0xff00 or 65,280).
1732                     This  value  has  only  been clearly specified as a valid
1733                     port number as of OpenFlow 1.3.3. Before that, its status
1734                     was  unclear,  and  so  Open  vSwitch  has  never allowed
1735                     OFPP_MAX to be used as a port  number,  so  packets  will
1736                     never be received on this port. (Other OpenFlow switches,
1737                     of course, might use it.)
1738
1739              OFPP_UNSET (0xfff7 or 65,527)
1740              OFPP_IN_PORT (0xfff8 or 65,528)
1741              OFPP_TABLE (0xfff9 or 65,529)
1742              OFPP_NORMAL (0xfffa or 65,530)
1743              OFPP_FLOOD (0xfffb or 65,531)
1744              OFPP_ALL (0xfffc or 65,532)
1745                   These port numbers are used  only  in  output  actions  and
1746                   never appear as ingress ports.
1747
1748                   Most  of  these  port numbers were defined in OpenFlow 1.0,
1749                   but OFPP_UNSET was only introduced in OpenFlow 1.5.
1750
1751       Values that will never appear when receiving  a  packet  may  still  be
1752       matched  against  in  the  flow table. There are still circumstances in
1753       which those flows can be matched:
1754
1755              ·      The resubmit Open vSwitch extension action allows a  flow
1756                     table lookup with an arbitrary ingress port.
1757
1758              ·      An  action  that  modifies  the  ingress  port field (see
1759                     below), such as e.g. load or set_field,  followed  by  an
1760                     action  or  instruction  that performs another flow table
1761                     lookup, such as resubmit or goto_table.
1762
1763       This field is heavily used for matching in  OpenFlow  tables,  but  for
1764       packet egress, it has only very limited roles:
1765
1766              ·      OpenFlow  requires suppressing output actions to in_port.
1767                     That is, the following two flows both  drop  all  packets
1768                     that arrive on port 1:
1769
1770                     in_port=1,actions=1
1771                     in_port=1,actions=drop
1772
1773
1774                     (This  behavior  is occasionally useful for flooding to a
1775                     subset of ports. Specifying actions=1,2,3,4, for example,
1776                     outputs  to  ports  1,  2, 3, and 4, omitting the ingress
1777                     port.)
1778
1779              ·      OpenFlow has a  special  port  OFPP_IN_PORT  (with  value
1780                     0xfff8) that outputs to the ingress port. For example, in
1781                     a switch that  has  four  ports  numbered  1  through  4,
1782                     actions=1,2,3,4,in_port  outputs to ports 1, 2, 3, and 4,
1783                     including the ingress port.
1784
1785       Because the ingress port field has so little influence on  packet  pro‐
1786       cessing,  it  does not ordinarily make sense to modify the ingress port
1787       field. The field is writable only to support the  occasional  use  case
1788       where  the  ingress  port’s  roles  in  packet egress, described above,
1789       become troublesome. For example,  actions=load:0->NXM_OF_IN_PORT[],out‐
1790       put:123  will  output  to  port  123 regardless of whether it is in the
1791       ingress port. If the ingress port is important, then one may  save  and
1792       restore it on the stack:
1793
1794       actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],output:123,pop:NXM_OF_IN_PORT[]
1795
1796
1797       or,  in  Open  vSwitch  2.7  or later, use the clone action to save and
1798       restore it:
1799
1800       actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
1801
1802
1803       The ability to modify the ingress port is an Open vSwitch extension  to
1804       OpenFlow.
1805
1806       OXM Ingress Port Field
1807
1808       Name:            in_port_oxm
1809       Width:           32 bits
1810       Format:          OpenFlow 1.1+ port
1811
1812       Masking:         not maskable
1813       Prerequisites:   none
1814       Access:          read/write
1815       OpenFlow 1.0:    not supported
1816       OpenFlow 1.1:    yes (exact match only)
1817       OXM:             OXM_OF_IN_PORT (0) since OpenFlow 1.2 and Open vSwitch
1818                        1.7
1819       NXM:             none
1820
1821       OpenFlow 1.1 and later use a 32-bit port number, so this field supplies
1822       a  32-bit  view  of  the ingress port. Current versions of Open vSwitch
1823       support only a 16-bit range of ports:
1824
1825              ·      OpenFlow 1.0 ports 0x0000 to 0xfeff,  inclusive,  map  to
1826                     OpenFlow 1.1 port numbers with the same values.
1827
1828              ·      OpenFlow  1.0  ports  0xff00 to 0xffff, inclusive, map to
1829                     OpenFlow 1.1 port numbers 0xffffff00 to 0xffffffff.
1830
1831              ·      OpenFlow 1.1  ports  0x0000ff00  to  0xfffffeff  are  not
1832                     mapped and not supported.
1833
1834       in_port  and  in_port_oxm are two views of the same information, so all
1835       of the comments on in_port apply to in_port_oxm too. Modifying  in_port
1836       changes in_port_oxm, and vice versa.
1837
1838       Setting  in_port_oxm  to an unsupported value yields unspecified behav‐
1839       ior.
1840
1841       Output Queue Field
1842
1843       Name:            skb_priority
1844       Width:           32 bits
1845       Format:          hexadecimal
1846       Masking:         not maskable
1847       Prerequisites:   none
1848       Access:          read-only
1849       OpenFlow 1.0:    not supported
1850
1851       OpenFlow 1.1:    not supported
1852       OXM:             none
1853       NXM:             none
1854
1855       Future Directions: Open vSwitch implements the output queue as a field,
1856       but  does  not currently expose it through OXM or NXM for matching pur‐
1857       poses. If this turns out to be a useful feature,  it  could  be  imple‐
1858       mented  in  future versions. Only the set_queue, enqueue, and pop_queue
1859       actions currently influence the output queue.
1860
1861       This field influences how packets in the flow will be queued, for qual‐
1862       ity  of  service (QoS) purposes, when they egress the switch. Its range
1863       of meaningful values, and their meanings, varies greatly from one Open‐
1864       Flow  implementation  to  another. Even within a single implementation,
1865       there is no guarantee that all OpenFlow ports have the same queues con‐
1866       figured  or that all OpenFlow ports in an implementation can be config‐
1867       ured the same way queue-wise.
1868
1869       Configuring queues on OpenFlow is not well standardized. On Linux, Open
1870       vSwitch  supports  queue  configuration via OVSDB, specifically the QoS
1871       and Queue tables (see ovs-vswitchd.conf.db(5) for  details).  Ports  of
1872       Open  vSwitch  to  other  platforms  might  require queue configuration
1873       through some separate protocol (such as a CLI).  Even  on  Linux,  Open
1874       vSwitch  exposes  only  a  fraction  of  the  kernel’s queuing features
1875       through OVSDB, so advanced or unusual uses might require use  of  sepa‐
1876       rate  utilities  (e.g.  tc).  OpenFlow switches other than Open vSwitch
1877       might use OF-CONFIG or  any  of  the  configuration  methods  mentioned
1878       above.  Finally,  some  OpenFlow switches have a fixed number of fixed-
1879       function queues (e.g. eight queues with  strictly  defined  priorities)
1880       and others do not support any control over queuing.
1881
1882       The only output queue that all OpenFlow implementations must support is
1883       zero, to identify a default queue, whose properties are implementation-
1884       defined. Outputting a packet to a queue that does not exist on the out‐
1885       put port yields unpredictable behavior:  among  the  possibilities  are
1886       that  the  packet  might  be dropped or transmitted with a very high or
1887       very low priority.
1888
1889       OpenFlow 1.0 only allowed output queues to be specified as part  of  an
1890       enqueue action that specified both a queue and an output port. That is,
1891       OpenFlow 1.0 treats the queue as an argument to an  action,  not  as  a
1892       field.
1893
1894       To increase flexibility, OpenFlow 1.1 added an action to set the output
1895       queue. This model was carried forward, without change, through OpenFlow
1896       1.5.
1897
1898       Open  vSwitch implements the native queuing model of each OpenFlow ver‐
1899       sion it supports. Open vSwitch also includes an extension  for  setting
1900       the output queue as an action in OpenFlow 1.0.
1901
1902       When  a  packet  ingresses into an OpenFlow switch, the output queue is
1903       ordinarily set to  0,  indicating  the  default  queue.  However,  Open
1904       vSwitch  supports  various  ways  to forward a packet from one OpenFlow
1905       switch to another within a single host. In these  cases,  Open  vSwitch
1906       maintains the output queue across the forwarding step. For example:
1907
1908              ·      A  hop  across an Open vSwitch ``patch port’’ (which does
1909                     not actually involve queuing) preserves the output queue.
1910
1911              ·      When a flow sets the output  queue  then  outputs  to  an
1912                     OpenFlow  tunnel  port,  the  encapsulation preserves the
1913                     output queue. If  the  kernel  TCP/IP  stack  routes  the
1914                     encapsulated  packet  directly  to  a physical interface,
1915                     then that output honors the output queue.  Alternatively,
1916                     if  the  kernel routes the encapsulated packet to another
1917                     Open vSwitch bridge, then the output queue set previously
1918                     becomes the initial output queue on ingress to the second
1919                     bridge and will thus be used for further  output  actions
1920                     (unless overridden by a new ``set queue’’ action).
1921
1922                     (This  description  reflects the current behavior of Open
1923                     vSwitch on Linux. This behavior relies on details of  the
1924                     Linux  TCP/IP  stack. It could be difficult to make ports
1925                     to other operating systems behave the same way.)
1926
1927       Packet Mark Field
1928
1929       Name:            pkt_mark
1930       Width:           32 bits
1931       Format:          hexadecimal
1932       Masking:         arbitrary bitwise masks
1933       Prerequisites:   none
1934       Access:          read/write
1935       OpenFlow 1.0:    not supported
1936       OpenFlow 1.1:    not supported
1937       OXM:             none
1938       NXM:             NXM_NX_PKT_MARK (33) since Open vSwitch 2.0
1939
1940       Packet mark comes to Open vSwitch from the Linux kernel, in  which  the
1941       sk_buff  data structure that represents a packet contains a 32-bit mem‐
1942       ber named skb_mark. The value of skb_mark  propagates  along  with  the
1943       packet it accompanies wherever the packet goes in the kernel. It has no
1944       predefined semantics but various kernel-user  interfaces  can  set  and
1945       match  on  it,  which  makes it suitable for ``marking’’ packets at one
1946       point in their handling and then acting on the mark later.  With  ipta‐
1947       bles,  for  example, one can mark some traffic specially at ingress and
1948       then handle that traffic differently at  egress  based  on  the  marked
1949       value.
1950
1951       Packet  mark  is an attempt at a generalization of the skb_mark concept
1952       beyond Linux, at least through more generic naming. Like  skb_priority,
1953       packet  mark  is  preserved  across  forwarding steps within a machine.
1954       Unlike skb_priority, packet mark has no direct effect  on  packet  for‐
1955       warding: the value set in packet mark does not matter unless some later
1956       OpenFlow table or switch matches on packet mark, or unless  the  packet
1957       passes  through some other kernel subsystem that has been configured to
1958       interpret packet mark in specific ways, e.g. through iptables  configu‐
1959       ration mentioned above.
1960
1961       Preserving packet mark across kernel forwarding steps relies heavily on
1962       kernel support, which ports to  non-Linux  operating  systems  may  not
1963       have.  Regardless  of  operating  system support, Open vSwitch supports
1964       packet mark within a single bridge and across patch ports.
1965
1966       The value of packet mark when a packet ingresses into  the  first  Open
1967       vSwich  bridge  is typically zero, but it could be nonzero if its value
1968       was previously set by some kernel subsystem.
1969
1970       Action Set Output Port Field
1971
1972       Name:            actset_output
1973       Width:           32 bits
1974       Format:          OpenFlow 1.1+ port
1975       Masking:         not maskable
1976       Prerequisites:   none
1977       Access:          read-only
1978       OpenFlow 1.0:    not supported
1979       OpenFlow 1.1:    not supported
1980
1981       OXM:             ONFOXM_ET_ACTSET_OUTPUT (43) since  OpenFlow  1.3  and
1982                        Open  vSwitch  2.4;  OXM_OF_ACTSET_OUTPUT  (43)  since
1983                        OpenFlow 1.5 and Open vSwitch 2.4
1984       NXM:             none
1985
1986       Holds the output port currently in the OpenFlow action set  (i.e.  from
1987       an  output  action within a write_actions instruction). Its value is an
1988       OpenFlow port number. If there is no output port in the OpenFlow action
1989       set,  or  if  the output port will be ignored (e.g. because there is an
1990       output group in the OpenFlow  action  set),  then  the  value  will  be
1991       OFPP_UNSET.
1992
1993       Open  vSwitch  allows any table to match this field. OpenFlow, however,
1994       only requires this field to be matchable from within an OpenFlow egress
1995       table (a feature that Open vSwitch does not yet implement).
1996
1997       Packet Type Field
1998
1999       Name:            packet_type
2000       Width:           32 bits
2001       Format:          packet type
2002       Masking:         not maskable
2003       Prerequisites:   none
2004       Access:          read-only
2005       OpenFlow 1.0:    not supported
2006
2007       OpenFlow 1.1:    not supported
2008       OXM:             OXM_OF_PACKET_TYPE  (44)  since  OpenFlow 1.5 and Open
2009                        vSwitch 2.8
2010       NXM:             none
2011
2012       The type of the packet in the format specified in OpenFlow 1.5:
2013
2014        Packet type
2015        <--------->
2016        16    16
2017       +---+-------+
2018       |ns |ns_type| ...
2019       +---+-------+
2020
2021
2022       The upper 16 bits, ns, are a namespace. The meaning of ns_type  depends
2023       on  the  namespace. The packet type field is specified and displayed in
2024       the format (ns,ns_type).
2025
2026       Open vSwitch currently supports the following classes of  packet  types
2027       for matching:
2028
2029              (0,0)  Ethernet.
2030
2031              (1,ethertype)
2032                     The specified ethertype. Open vSwitch can forward packets
2033                     with any ethertype, but it can only match on and  process
2034                     data fields for the following supported packet types:
2035
2036                     (1,0x800)
2037                            IPv4
2038
2039                     (1,0x806)
2040                            ARP
2041
2042                     (1,0x86dd)
2043                            IPv6
2044
2045                     (1,0x8847)
2046                            MPLS
2047
2048                     (1,0x8848)
2049                            MPLS multicast
2050
2051                     (1,0x8035)
2052                            RARP
2053
2054                     (1,0x894f)
2055                            NSH
2056
2057       Consider  the  distinction  between  a  packet  with packet_type=(0,0),
2058       dl_type=0x800 and one with packet_type=(1,0x800). The former is an Eth‐
2059       ernet frame that contains an IPv4 packet, like this:
2060
2061          Ethernet            IPv4
2062        <----------->   <--------------->
2063        48  48   16           8   32  32
2064       +---+---+-----+ +---+-----+---+---+
2065       |dst|src|type | |...|proto|src|dst| ...
2066       +---+---+-----+ +---+-----+---+---+
2067                0x800
2068
2069
2070       The  latter  is an IPv4 packet not encapsulated inside any outer frame,
2071       like this:
2072
2073              IPv4
2074        <--------------->
2075              8   32  32
2076       +---+-----+---+---+
2077       |...|proto|src|dst| ...
2078       +---+-----+---+---+
2079
2080
2081       Matching on packet_type is a pre-requisite for  matching  on  any  data
2082       field,  but for backward compatibility, when a match on a data field is
2083       present without a packet_type match, Open  vSwitch  acts  as  though  a
2084       match  on  (0,0)  (Ethernet)  had  been  supplied. Similarly, when Open
2085       vSwitch sends flow match information to a controller, e.g. in  a  reply
2086       to  a  request  to  dump  the flow table, Open vSwitch omits a match on
2087       packet type (0,0) if it would be implied by a data field match.
2088

CONNECTION TRACKING FIELDS

2090   Summary:
2091       Name          Bytes   Mask   RW?   Prereqs   NXM/OXM Support
2092       ────────────  ──────  ─────  ────  ────────  ────────────────
2093       ct_state      4       yes    no    none      OVS 2.5+
2094       ct_zone       2       no     no    none      OVS 2.5+
2095       ct_mark       4       yes    yes   none      OVS 2.5+
2096       ct_label      16      yes    yes   none      OVS 2.5+
2097       ct_nw_src     4       yes    no    CT        OVS 2.8+
2098       ct_nw_dst     4       yes    no    CT        OVS 2.8+
2099
2100       ct_ipv6_src   16      yes    no    CT        OVS 2.8+
2101       ct_ipv6_dst   16      yes    no    CT        OVS 2.8+
2102       ct_nw_proto   1       no     no    CT        OVS 2.8+
2103       ct_tp_src     2       yes    no    CT        OVS 2.8+
2104       ct_tp_dst     2       yes    no    CT        OVS 2.8+
2105
2106       Open vSwitch 2.5  and  later  support  ``connection  tracking,’’  which
2107       allows  bidirectional  streams of packets to be statefully grouped into
2108       connections. Open vSwitch connection tracking, for example,  identifies
2109       the  patterns  of  TCP  packets that indicates a successfully initiated
2110       connection, as well as those that indicate that a connection  has  been
2111       torn  down.  Open vSwitch connection tracking can also identify related
2112       connections, such as FTP data connections spawned from FTP control con‐
2113       nections.
2114
2115       An  individual packet passing through the pipeline may be in one of two
2116       states, ``untracked’’ or ``tracked,’’ which may  be  distinguished  via
2117       the ``trk’’ flag in ct_state. A packet is untracked at the beginning of
2118       the Open vSwitch pipeline and continues to be untracked until the pipe‐
2119       line  invokes  the  ct  action.  The connection tracking fields are all
2120       zeroes in an untracked packet. When a flow in the Open vSwitch pipeline
2121       invokes  the  ct action, the action initializes the connection tracking
2122       fields and the packet becomes tracked for the remainder of its process‐
2123       ing.
2124
2125       The  connection  tracker  stores connection state in an internal table,
2126       but it only adds a new entry to this table when a ct action for  a  new
2127       connection  invokes  ct  with the commit parameter. For a given connec‐
2128       tion, when a pipeline has executed ct, but not  yet  with  commit,  the
2129       connection  is said to be uncommitted. State for an uncommitted connec‐
2130       tion is ephemeral and does not persist past the end of the pipeline, so
2131       some features are only available to committed connections. A connection
2132       would typically be left uncommitted as a way to drop its packets.
2133
2134       Connection tracking is an Open vSwitch extension to OpenFlow.
2135
2136       Connection Tracking State Field
2137
2138       Name:            ct_state
2139       Width:           32 bits
2140       Format:          ct state
2141       Masking:         arbitrary bitwise masks
2142       Prerequisites:   none
2143       Access:          read-only
2144       OpenFlow 1.0:    not supported
2145       OpenFlow 1.1:    not supported
2146       OXM:             none
2147
2148       NXM:             NXM_NX_CT_STATE (105) since Open vSwitch 2.5
2149
2150       This field holds several flags that can be used to determine the  state
2151       of the connection to which the packet belongs.
2152
2153       Matches  on  this  field are most conveniently written in terms of sym‐
2154       bolic names (listed below), each preceded by either + for a  flag  that
2155       must  be  set,  or  -  for a flag that must be unset, without any other
2156       delimiters between the flags. Flags not mentioned are  wildcarded.  For
2157       example,  tcp,ct_state=+trk-new  matches TCP packets that have been run
2158       through the connection tracker and do not establish a  new  connection.
2159       Matches  can  also  be  written as flags/mask, where flags and mask are
2160       32-bit numbers in decimal or in hexadecimal prefixed by 0x.
2161
2162       The following flags are defined:
2163
2164              new (0x01)
2165                     A new connection. Set to 1 if this is an uncommitted con‐
2166                     nection.
2167
2168              est (0x02)
2169                     Part  of  an  existing  connection. Set to 1 if this is a
2170                     committed connection.
2171
2172              rel (0x04)
2173                     Related to an existing connection, e.g. an ICMP  ``desti‐
2174                     nation  unreachable’’ message or an FTP data connections.
2175                     This flag will only be 1 if the connection to which  this
2176                     one is related is committed.
2177
2178                     Connections identified as rel are separate from the orig‐
2179                     inating connection and must be committed separately.  All
2180                     packets  for  a related connection will have the rel flag
2181                     set, not just the initial packet.
2182
2183              rpl (0x08)
2184                     This packet is in the reply direction, meaning that it is
2185                     in  the opposite direction from the packet that initiated
2186                     the connection. This flag will only be 1 if  the  connec‐
2187                     tion is committed.
2188
2189              inv (0x10)
2190                     The state is invalid, meaning that the connection tracker
2191                     couldn’t identify the connection. This flag is  a  catch-
2192                     all  for  problems  in  the  connection or the connection
2193                     tracker, such as:
2194
2195                     ·      L3/L4 protocol handler is not  loaded/unavailable.
2196                            With the Linux kernel datapath, this may mean that
2197                            the nf_conntrack_ipv4 or nf_conntrack_ipv6 modules
2198                            are not loaded.
2199
2200                     ·      L3/L4  protocol handler determines that the packet
2201                            is malformed.
2202
2203                     ·      Packets are unexpected length for protocol.
2204
2205              trk (0x20)
2206                     This packet is tracked, meaning that  it  has  previously
2207                     traversed  the  connection  tracker.  If this flag is not
2208                     set, then no other flags will be set.  If  this  flag  is
2209                     set,  then the packet is tracked and other flags may also
2210                     be set.
2211
2212              snat (0x40)
2213                     This packet was transformed by source address/port trans‐
2214                     lation  by  a preceding ct action. Open vSwitch 2.6 added
2215                     this flag.
2216
2217              dnat (0x80)
2218                     This packet was transformed by  destination  address/port
2219                     translation  by  a  preceding ct action. Open vSwitch 2.6
2220                     added this flag.
2221
2222       There are additional constraints on these flags, listed  in  decreasing
2223       order of precedence below:
2224
2225              1.  If trk is unset, no other flags are set.
2226
2227              2.  If trk is set, one or more other flags may be set.
2228
2229              3.  If inv is set, only the trk flag is also set.
2230
2231              4.  new and est are mutually exclusive.
2232
2233              5.  new and rpl are mutually exclusive.
2234
2235              6.  rel may be set in conjunction with any other flags.
2236
2237       Future versions of Open vSwitch may define new flags.
2238
2239       Connection Tracking Zone Field
2240
2241       Name:            ct_zone
2242       Width:           16 bits
2243       Format:          hexadecimal
2244       Masking:         not maskable
2245       Prerequisites:   none
2246
2247       Access:          read-only
2248       OpenFlow 1.0:    not supported
2249       OpenFlow 1.1:    not supported
2250       OXM:             none
2251       NXM:             NXM_NX_CT_ZONE (106) since Open vSwitch 2.5
2252
2253       A connection tracking zone, the zone value passed to the most recent ct
2254       action. Each zone is an independent  connection  tracking  context,  so
2255       tracking  the  same  packet  in multiple contexts requires using the ct
2256       action multiple times.
2257
2258       Connection Tracking Mark Field
2259
2260       Name:            ct_mark
2261       Width:           32 bits
2262
2263       Format:          hexadecimal
2264       Masking:         arbitrary bitwise masks
2265       Prerequisites:   none
2266       Access:          read/write
2267       OpenFlow 1.0:    not supported
2268       OpenFlow 1.1:    not supported
2269       OXM:             none
2270       NXM:             NXM_NX_CT_MARK (107) since Open vSwitch 2.5
2271
2272       The metadata committed, by an action within the exec parameter  to  the
2273       ct action, to the connection to which the current packet belongs.
2274
2275       Connection Tracking Label Field
2276
2277       Name:            ct_label
2278
2279       Width:           128 bits
2280       Format:          hexadecimal
2281       Masking:         arbitrary bitwise masks
2282       Prerequisites:   none
2283       Access:          read/write
2284       OpenFlow 1.0:    not supported
2285       OpenFlow 1.1:    not supported
2286       OXM:             none
2287       NXM:             NXM_NX_CT_LABEL (108) since Open vSwitch 2.5
2288
2289       The  label  committed, by an action within the exec parameter to the ct
2290       action, to the connection to which the current packet belongs.
2291
2292       Open vSwitch 2.8 introduced the matching support for connection tracker
2293       original direction 5-tuple fields.
2294
2295       For non-committed non-related connections the conntrack original direc‐
2296       tion tuple fields always have the  same  values  as  the  corresponding
2297       headers in the packet itself. For any other packets of a committed con‐
2298       nection the conntrack original direction tuple fields reflect the  val‐
2299       ues from that initial non-committed non-related packet, and thus may be
2300       different from the actual packet headers, as the actual packet  headers
2301       may  be  in  reverse  direction (for reply packets), transformed by NAT
2302       (when nat option was applied to the connection),  or  be  of  different
2303       protocol  (i.e.,  when  an  ICMP response is sent to an UDP packet). In
2304       case of related connections, e.g., an FTP data connection, the original
2305       direction tuple contains the original direction headers from the master
2306       connection, e.g., an FTP control connection.
2307
2308       The following fields are populated by the  ct  action,  and  require  a
2309       match  to a valid connection tracking state as a prerequisite, in addi‐
2310       tion to the IP or IPv6 ethertype match. Examples  of  valid  connection
2311       tracking    state   matches   include   ct_state=+new,   ct_state=+est,
2312       ct_state=+rel, and ct_state=+trk-inv.
2313
2314       Connection Tracking Original Direction IPv4 Source Address Field
2315
2316       Name:            ct_nw_src
2317       Width:           32 bits
2318       Format:          IPv4
2319       Masking:         arbitrary bitwise masks
2320       Prerequisites:   CT
2321       Access:          read-only
2322       OpenFlow 1.0:    not supported
2323       OpenFlow 1.1:    not supported
2324       OXM:             none
2325       NXM:             NXM_NX_CT_NW_SRC (120) since Open vSwitch 2.8
2326
2327       Matches IPv4 conntrack original direction tuple source address. See the
2328       paragraphs  above  for  general  description  to the conntrack original
2329       direction tuple. Introduced in Open vSwitch 2.8.
2330
2331       Connection Tracking Original Direction IPv4 Destination Address Field
2332
2333       Name:            ct_nw_dst
2334       Width:           32 bits
2335       Format:          IPv4
2336       Masking:         arbitrary bitwise masks
2337       Prerequisites:   CT
2338       Access:          read-only
2339       OpenFlow 1.0:    not supported
2340       OpenFlow 1.1:    not supported
2341       OXM:             none
2342
2343       NXM:             NXM_NX_CT_NW_DST (121) since Open vSwitch 2.8
2344
2345       Matches IPv4 conntrack original direction  tuple  destination  address.
2346       See the paragraphs above for general description to the conntrack orig‐
2347       inal direction tuple. Introduced in Open vSwitch 2.8.
2348
2349       Connection Tracking Original Direction IPv6 Source Address Field
2350
2351       Name:            ct_ipv6_src
2352       Width:           128 bits
2353       Format:          IPv6
2354       Masking:         arbitrary bitwise masks
2355       Prerequisites:   CT
2356       Access:          read-only
2357       OpenFlow 1.0:    not supported
2358
2359       OpenFlow 1.1:    not supported
2360       OXM:             none
2361       NXM:             NXM_NX_CT_IPV6_SRC (122) since Open vSwitch 2.8
2362
2363       Matches IPv6 conntrack original direction tuple source address. See the
2364       paragraphs  above  for  general  description  to the conntrack original
2365       direction tuple. Introduced in Open vSwitch 2.8.
2366
2367       Connection Tracking Original Direction IPv6 Destination Address Field
2368
2369       Name:            ct_ipv6_dst
2370       Width:           128 bits
2371       Format:          IPv6
2372       Masking:         arbitrary bitwise masks
2373       Prerequisites:   CT
2374
2375       Access:          read-only
2376       OpenFlow 1.0:    not supported
2377       OpenFlow 1.1:    not supported
2378       OXM:             none
2379       NXM:             NXM_NX_CT_IPV6_DST (123) since Open vSwitch 2.8
2380
2381       Matches IPv6 conntrack original direction  tuple  destination  address.
2382       See the paragraphs above for general description to the conntrack orig‐
2383       inal direction tuple. Introduced in Open vSwitch 2.8.
2384
2385       Connection Tracking Original Direction IP Protocol Field
2386
2387       Name:            ct_nw_proto
2388       Width:           8 bits
2389       Format:          decimal
2390
2391       Masking:         not maskable
2392       Prerequisites:   CT
2393       Access:          read-only
2394       OpenFlow 1.0:    not supported
2395       OpenFlow 1.1:    not supported
2396       OXM:             none
2397       NXM:             NXM_NX_CT_NW_PROTO (119) since Open vSwitch 2.8
2398
2399       Matches conntrack original direction tuple IP protocol type,  which  is
2400       specified  as  a decimal number between 0 and 255, inclusive (e.g. 1 to
2401       match ICMP packets or 6 to match TCP packets). In case of, for example,
2402       an  ICMP  response  to an UDP packet, this may be different from the IP
2403       protocol type of the packet itself. See the paragraphs above  for  gen‐
2404       eral  description to the conntrack original direction tuple. Introduced
2405       in Open vSwitch 2.8.
2406
2407       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2408       Field
2409
2410       Name:            ct_tp_src
2411       Width:           16 bits
2412       Format:          decimal
2413       Masking:         arbitrary bitwise masks
2414       Prerequisites:   CT
2415       Access:          read-only
2416       OpenFlow 1.0:    not supported
2417       OpenFlow 1.1:    not supported
2418       OXM:             none
2419       NXM:             NXM_NX_CT_TP_SRC (124) since Open vSwitch 2.8
2420
2421       Bitwise  match  on  the  conntrack  original  direction tuple transport
2422       source, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for  UDP,  or  132
2423       for  SCTP. When MFF_CT_NW_PROTO has value 1 for ICMP, or 58 for ICMPv6,
2424       the lower 8 bits of MFF_CT_TP_SRC matches the conntrack original direc‐
2425       tion ICMP type. See the paragraphs above for general description to the
2426       conntrack original direction tuple. Introduced in Open vSwitch 2.8.
2427
2428       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2429       Field
2430
2431       Name:            ct_tp_dst
2432       Width:           16 bits
2433       Format:          decimal
2434       Masking:         arbitrary bitwise masks
2435       Prerequisites:   CT
2436       Access:          read-only
2437       OpenFlow 1.0:    not supported
2438
2439       OpenFlow 1.1:    not supported
2440       OXM:             none
2441       NXM:             NXM_NX_CT_TP_DST (125) since Open vSwitch 2.8
2442
2443       Bitwise  match on the conntrack original direction tuple transport des‐
2444       tination port, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for UDP, or
2445       132  for  SCTP.  When  MFF_CT_NW_PROTO  has value 1 for ICMP, or 58 for
2446       ICMPv6, the lower 8 bits of MFF_CT_TP_DST matches the conntrack  origi‐
2447       nal  direction ICMP code. See the paragraphs above for general descrip‐
2448       tion to the conntrack original  direction  tuple.  Introduced  in  Open
2449       vSwitch 2.8.
2450