1ovs-fields(7)                 Open vSwitch Manual                ovs-fields(7)
2
3
4

NAME

6       ovs-fields - protocol header fields in OpenFlow and Open vSwitch
7

INTRODUCTION

9       This  document aims to comprehensively document all of the fields, both
10       standard and non-standard,  supported  by  OpenFlow  or  Open  vSwitch,
11       regardless of origin.
12
13   Fields
14       A  field  is  a  property of a packet. Most familiarly, data fields are
15       fields that can be extracted from a packet. Most data fields are copied
16       directly  from  protocol  headers, e.g. at layer 2, the Ethernet source
17       and destination addresses, or the VLAN ID; at layer 3, the IPv4 or IPv6
18       source  and  destination;  and  at layer 4, the TCP or UDP ports. Other
19       data fields are computed, e.g. ip_frag describes whether a packet is  a
20       fragment but it is not copied directly from the IP header.
21
22       Data  fields that are always present as a consequence of the basic net‐
23       working technology in use are called called root fields.  Open  vSwitch
24       2.7  and earlier considered Ethernet fields to be root fields, and this
25       remains the default mode of operation for Open vSwitch bridges. When  a
26       packet  is  received  from a non-Ethernet interfaces, such as a layer-3
27       LISP tunnel, Open vSwitch 2.7 and earlier force-fit the packet to  this
28       Ethernet-centric point of view by pretending that an Ethernet header is
29       present whose Ethernet type that indicates  the  packet’s  actual  type
30       (and whose source and destination addresses are all-zero).
31
32       Open vSwitch 2.8 and later implement the ``packet type-aware pipeline’’
33       concept introduced in OpenFlow 1.5. Such a pipeline does not  have  any
34       root  fields. Instead, a new metadata field, packet_type, indicates the
35       basic type of the packet, which can be Ethernet, IPv4, IPv6, or another
36       type.  For backward compatibility, by default Open vSwitch 2.8 imitates
37       the behavior of Open vSwitch 2.7 and earlier. Later  versions  of  Open
38       vSwitch  may  change  the  default, and in the meantime controllers can
39       turn off this legacy behavior, on  a  port-by-port  basis,  by  setting
40       options:packet_type to ptap in the Interface table. This is significant
41       only for ports that can handle non-Ethernet packets, which is currently
42       just  LISP, VXLAN-GPE, and GRE tunnel ports. See ovs-vwitchd.conf.db(5)
43       for more information.
44
45       Non-root data fields are not always  present.  A  packet  contains  ARP
46       fields,  for example, only when its packet type is ARP or when it is an
47       Ethernet packet whose Ethernet header indicates the Ethertype for  ARP,
48       0x0806.  In  this documentation, we say that a field is applicable when
49       it is present in a packet, and inapplicable when it is not. (These  are
50       not  standard terms.) We refer to the conditions that determine whether
51       a field is applicable as prerequisites. Some VLAN-related fields are  a
52       special  case: these fields are always applicable for Ethernet packets,
53       but have a designated value or bit that indicates whether a VLAN header
54       is  present,  with  the  remaining  values  or bits indicating the VLAN
55       header’s content (if it is present).
56
57       An inapplicable field does  not  have  a  value,  not  even  a  nominal
58       ``value’’  such  as  all-zero-bits. In many circumstances, OpenFlow and
59       Open vSwitch allow references only to applicable fields.  For  example,
60       one  may  match  (see  Matching, below) a given field only if the match
61       includes the field’s prerequisite, e.g. matching an ARP field  is  only
62       allowed  if one also matches on Ethertype 0x0806 or the packet_type for
63       ARP in a packet type-aware bridge.
64
65       Sometimes a packet may contain multiple  instances  of  a  header.  For
66       example,  a  packet may contain multiple VLAN or MPLS headers, and tun‐
67       nels can cause any data field to recur. OpenFlow and  Open  vSwitch  do
68       not  address these cases uniformly. For VLAN and MPLS headers, only the
69       outermost header is accessible, so that inner headers may  be  accessed
70       only by ``popping’’ (removing) the outer header. (Open vSwitch supports
71       only a single VLAN header in any case.) For tunnels, e.g. GRE or VXLAN,
72       the  outer  header  and  inner  headers  are  treated as different data
73       fields.
74
75       Many network protocols are built in layers as a stack  of  concatenated
76       headers.  Each  header  typically  contains  a ``next type’’ field that
77       indicates the type of the protocol header that follows,  e.g.  Ethernet
78       contains  an Ethertype and IPv4 contains a IP protocol type. The excep‐
79       tional cases, where protocols are layered but an outer layer  does  not
80       indicate  the  protocol  type  for  the  inner  layer, or gives only an
81       ambiguous indication, are troublesome. An  MPLS  header,  for  example,
82       only  indicates whether another MPLS header or some other protocol fol‐
83       lows, and in the latter case the inner protocol must be known from  the
84       context.  In  these exceptional cases, OpenFlow and Open vSwitch cannot
85       provide insight into the inner protocol data fields without  additional
86       context,  and  thus  they  treat  all later data fields as inapplicable
87       until an OpenFlow action explicitly specifies what protocol follows. In
88       the  case  of  MPLS,  the OpenFlow ``pop MPLS’’ action that removes the
89       last MPLS header from a packet provides this context, as the  Ethertype
90       of the payload. See Layer 2.5: MPLS for more information.
91
92       OpenFlow  and  Open vSwitch support some fields other than data fields.
93       Metadata fields relate to the origin or treatment of a packet, but they
94       are not extracted from the packet data itself. One example is the phys‐
95       ical port on which a packet arrived at the switch. Register fields  act
96       like  variables: they give an OpenFlow switch space for temporary stor‐
97       age while processing a packet. Existing metadata  and  register  fields
98       have no prerequisites.
99
100       A  field’s  value  consists  of  an  integral number of bytes. For data
101       fields, sometimes those bytes are taken directly from the packet. Other
102       data  fields  are copied from a packet with padding (usually with zeros
103       and in the most significant positions). The remaining data  fields  are
104       transformed  in other ways as they are copied from the packets, to make
105       them more useful for matching.
106
107   Matching
108       The most important use of fields in OpenFlow is matching, to  determine
109       whether  particular field values agree with a set of constraints called
110       a match. A match consists of zero or  more  constraints  on  individual
111       fields,  all  of  which must be met to satisfy the match. (A match that
112       contains no constraints is always satisfied.) OpenFlow and Open vSwitch
113       support a number of forms of matching on individual fields:
114
115              Exact match, e.g. nw_src=10.1.2.3
116                     Only  a  particular  value  of  the field is matched; for
117                     example, only one particular  source  IP  address.  Exact
118                     matches  are  written  as field=value. The forms accepted
119                     for value depend on the field.
120
121                     All fields support exact matches.
122
123              Bitwise match, e.g. nw_src=10.1.0.0/255.255.0.0
124                     Specific bits in the field must  have  specified  values;
125                     for  example,  only  source  IP addresses in a particular
126                     subnet. Bitwise matches are written as  field=value/mask,
127                     where  value  and mask take one of the forms accepted for
128                     an exact match on field. Some fields accept  other  forms
129                     for       bitwise       matches;       for       example,
130                     nw_src=10.1.0.0/255.255.0.0   may   also    be    written
131                     nw_src=10.1.0.0/16.
132
133                     Most  OpenFlow switches do not allow every bitwise match‐
134                     ing on every field (and before OpenFlow 1.2, the protocol
135                     did  not  even  provide  for  the  possibility  for  most
136                     fields). Even switches that do allow bitwise matching  on
137                     a  given  field  may restrict the masks that are allowed,
138                     e.g. by allowing matches only on contiguous sets of  bits
139                     starting from the most significant bit, that is, ``CIDR’’
140                     masks [RFC 4632]. Open vSwitch does  not  allows  bitwise
141                     matching  on every field, but it allows arbitrary bitwise
142                     masks on any field that does  support  bitwise  matching.
143                     (Older  versions  had some restrictions, as documented in
144                     the descriptions of individual fields.)
145
146              Wildcard, e.g. ``any nw_src’’
147                     The value of the field  is  not  constrained.  Wildcarded
148                     fields  may be written as field=*, although it is unusual
149                     to mention them  at  all.  (When  specifying  a  wildcard
150                     explicitly  in  a  command  invocation,  be sure to using
151                     quoting to protect against shell expansion.)
152
153                     There is a tiny difference between  wildcarding  a  field
154                     and  not  specifying  any match on a field: wildcarding a
155                     field requires satisfying the field’s prerequisites.
156
157       Some types of matches on individual fields cannot be expressed directly
158       with OpenFlow and Open vSwitch. These can be expressed indirectly:
159
160              Set match, e.g. ``tcp_dst ∈ {80, 443, 8080}’’
161                     The value of a field is one of a specified set of values;
162                     for example, the TCP destination  port  is  80,  443,  or
163                     8080.
164
165                     For  matches  used  in flows (see Flows, below), multiple
166                     flows can simulate set matches.
167
168              Range match, e.g. ``1000 ≤ tcp_dst ≤ 1999’’
169                     The value of the field must lie within a numerical range,
170                     for example, TCP destination ports between 1000 and 1999.
171
172                     Range matches can be expressed as a collection of bitwise
173                     matches. For example, suppose that the goal is  to  match
174                     TCP source ports 1000 to 1999, inclusive. The binary rep‐
175                     resentations of 1000 and 1999 are:
176
177                     01111101000
178                     11111001111
179
180
181                     The following series of bitwise matches will  match  1000
182                     and 1999 and all the values in between:
183
184                     01111101xxx
185                     0111111xxxx
186                     10xxxxxxxxx
187                     110xxxxxxxx
188                     1110xxxxxxx
189                     11110xxxxxx
190                     1111100xxxx
191
192
193                     which can be written as the following matches:
194
195                     tcp,tp_src=0x03e8/0xfff8
196                     tcp,tp_src=0x03f0/0xfff0
197                     tcp,tp_src=0x0400/0xfe00
198                     tcp,tp_src=0x0600/0xff00
199                     tcp,tp_src=0x0700/0xff80
200                     tcp,tp_src=0x0780/0xffc0
201                     tcp,tp_src=0x07c0/0xfff0
202
203
204              Inequality match, e.g. ``tcp_dst ≠ 80’’
205                     The  value  of  the field differs from a specified value,
206                     for example, all TCP destination ports except 80.
207
208                     An inequality match on an n-bit field can be expressed as
209                     a  disjunction  of  n  1-bit  matches.  For  example, the
210                     inequality match ``vlan_pcp ≠ 5’’  can  be  expressed  as
211                     ``vlan_pcp  =  0/4 or vlan_pcp = 2/2 or vlan_pcp = 0/1.’’
212                     For matches used in flows (see Flows,  below),  sometimes
213                     one  can  more  compactly express inequality as a higher-
214                     priority flow that matches the  exceptional  case  paired
215                     with a lower-priority flow that matches the general case.
216
217                     Alternatively,  an inequality match may be converted to a
218                     pair of range matches, e.g. tcp_src ≠ 80 may be expressed
219                     as ``0 ≤ tcp_src < 80 or 80 < tcp_src ≤ 65535’’, and then
220                     each range match may in turn be converted  to  a  bitwise
221                     match.
222
223              Conjunctive  match, e.g. ``tcp_src ∈ {80, 443, 8080} and tcp_dst
224              ∈ {80, 443, 8080}’’
225                     As an OpenFlow extension, Open vSwitch supports  matching
226                     on conditions on conjunctions of the previously mentioned
227                     forms of matching. See the documentation for conj_id  for
228                     more information.
229
230       All  of  these supported forms of matching are special cases of bitwise
231       matching. In some cases this influences the  design  of  field  values.
232       ip_frag  is  the  most prominent example: it is designed to make all of
233       the practically useful checks for IP fragmentation possible as a single
234       bitwise match.
235
236     Shorthands
237
238       Some  matches are very commonly used, so Open vSwitch accepts shorthand
239       notations. In some cases, Open vSwitch also  uses  shorthand  notations
240       when  it  displays  matches. The following shorthands are defined, with
241       their long forms shown on the right side:
242
243              eth    packet_type=(0,0) (Open vSwitch 2.8 and later)
244
245              ip     eth_type=0x0800
246
247              ipv6   eth_type=0x86dd
248
249              icmp   eth_type=0x0800,ip_proto=1
250
251              icmp6  eth_type=0x86dd,ip_proto=58
252
253              tcp    eth_type=0x0800,ip_proto=6
254
255              tcp6   eth_type=0x86dd,ip_proto=6
256
257              udp    eth_type=0x0800,ip_proto=17
258
259              udp6   eth_type=0x86dd,ip_proto=17
260
261              sctp   eth_type=0x0800,ip_proto=132
262
263              sctp6  eth_type=0x86dd,ip_proto=132
264
265              arp    eth_type=0x0806
266
267              rarp   eth_type=0x8035
268
269              mpls   eth_type=0x8847
270
271              mplsm  eth_type=0x8848
272
273   Evolution of OpenFlow Fields
274       The discussion so far applies to all OpenFlow  and  Open  vSwitch  ver‐
275       sions.  This section starts to draw in specific information by explain‐
276       ing, in broad terms, the treatment of fields and matches in each  Open‐
277       Flow version.
278
279     OpenFlow 1.0
280
281       OpenFlow  1.0  defined  the  OpenFlow  protocol  format of a match as a
282       fixed-length data structure that could match on the following fields:
283
284              ·      Ingress port.
285
286              ·      Ethernet source and destination MAC.
287
288              ·      Ethertype (with a special value to match frames that lack
289                     an Ethertype).
290
291              ·      VLAN ID and priority.
292
293              ·      IPv4 source, destination, protocol, and DSCP.
294
295              ·      TCP source and destination port.
296
297              ·      UDP source and destination port.
298
299              ·      ICMPv4 type and code.
300
301              ·      ARP IPv4 addresses (SPA and TPA) and opcode.
302
303       Each supported field corresponded to some member of the data structure.
304       Some members represented multiple fields, in the case of the TCP,  UDP,
305       ICMPv4,  and ARP fields whose presence is mutually exclusive. This also
306       meant that some members were poor fits for their fields: only the low 8
307       bits of the 16-bit ARP opcode could be represented, and the ICMPv4 type
308       and code were padded with 8 bits of zeros to fit in the 16-bit  members
309       primarily  meant  for  TCP  and  UDP ports. An additional bitmap member
310       indicated, for each member, whether its field should be an ``exact’’ or
311       ``wildcarded’’  match  (see Matching), with additional support for CIDR
312       prefix matching on the IPv4 source and destination fields.
313
314       Simplicity was recognized early on as the main virtue of this approach.
315       Obviously,  any fixed-length data structure cannot support matching new
316       protocols that do not fit. There was no room, for example, for matching
317       IPv6 fields, which was not a priority at the time. Lack of room to sup‐
318       port matching the Ethernet addresses inside ARP packets actually caused
319       more  of  a  design problem later, leading to an Open vSwitch extension
320       action specialized for dropping ``spoofed’’ ARP packets  in  which  the
321       frame  and  ARP Ethernet source addressed differed. (This extension was
322       never standardized. Open vSwitch dropped support for it a few  releases
323       after it added support for full ARP matching.)
324
325       The  design  of the OpenFlow fixed-length matches also illustrates com‐
326       promises, in both directions, between the strengths and  weaknesses  of
327       software  and  hardware that have always influenced the design of Open‐
328       Flow. Support for matching ARP fields that do fit in the data structure
329       was  only  added  late  in the design process (and remained optional in
330       OpenFlow 1.0), for example, because common switch ASICs did not support
331       matching these fields.
332
333       The compromises in favor of software occurred for more complicated rea‐
334       sons. The OpenFlow designers did not know how to implement matching  in
335       software  that  was  fast, dynamic, and general. (A way was later found
336       [Srinivasan].) Thus, the designers sought to support  dynamic,  general
337       matching  that  would be fast in realistic special cases, in particular
338       when all of the matches were microflows, that is, matches that  specify
339       every  field  present  in  a packet, because such matches can be imple‐
340       mented as a single hash table lookup. Contemporary  research  supported
341       the  feasibility of this approach: the number of microflows in a campus
342       network had been measured to peak  at  about  10,000  [Casado,  section
343       3.2]. (Calculations show that this can only be true in a lightly loaded
344       network [Pepelnjak].)
345
346       As a result, OpenFlow 1.0 required switches to treat microflow  matches
347       as  the  highest  possible priority. This let software switches perform
348       the microflow hash table lookup first.  Only  on  failure  to  match  a
349       microflow did the switch need to fall back to checking the more general
350       and presumed slower matches. Also, the OpenFlow 1.0 flow match was min‐
351       imally  flexible,  with no support for general bitwise matching, partly
352       on the basis that this seemed more likely amenable to relatively  effi‐
353       cient  software  implementation.  (CIDR  masking for IPv4 addresses was
354       added relatively late in the OpenFlow 1.0 design process.)
355
356       Microflow matching was later discovered to aid some hardware  implemen‐
357       tations.  The  TCAM  chips used for matching in hardware do not support
358       priority in the same way as OpenFlow but instead tie priority to order‐
359       ing  [Pagiamtzis]. Thus, adding a new match with a priority between the
360       priorities of existing matches can require reordering an arbitrary num‐
361       ber  of  TCAM  entries.  On the other hand, when microflows are highest
362       priority, they can be managed  as  a  set-aside  portion  of  the  TCAM
363       entries.
364
365       The  emphasis  on  matching  microflows also led designers to carefully
366       consider the bandwidth requirements between switch and  controller:  to
367       maximize  the  number of microflow setups per second, one must minimize
368       the size of each flow’s description. This favored the fixed-length for‐
369       mat in use, because it expressed common TCP and UDP microflows in fewer
370       bytes than more flexible ``type-length-value’’  (TLV)  formats.  (Early
371       versions  of OpenFlow also avoided TLVs in general to head off protocol
372       fragmentation.)
373
374       Inapplicable Fields
375
376       OpenFlow 1.0 does not clearly specify how to treat inapplicable fields.
377       The  members  for  inapplicable  fields are always present in the match
378       data structure, as are the bits that indicate whether  the  fields  are
379       matched,  and  the  ``correct’’  member and bit values for inapplicable
380       fields is unclear. OpenFlow 1.0 implementations changed their  behavior
381       over time as priorities shifted. The early OpenFlow reference implemen‐
382       tation, motivated to make every flow a  microflow  to  enable  hashing,
383       treated  inapplicable  fields  as  exact  matches on a value of 0. Ini‐
384       tially, this behavior was implemented in the reference controller only.
385
386       Later, the reference switch was also  changed  to  actually  force  any
387       wildcarded  inapplicable  fields  into  exact  matches on 0. The latter
388       behavior sometimes caused problems, because the modified flow  was  the
389       one  reported back to the controller later when it queried the flow ta‐
390       ble, and the modifications sometimes meant that  the  controller  could
391       not  properly recognize the flow that it had added. In retrospect, per‐
392       haps this problem should have alerted the designers to a design  error,
393       but  the  ability to use a single hash table was held to be more impor‐
394       tant than almost every other consideration at the time.
395
396       When more flexible match formats were introduced much later, they  dis‐
397       allowed  any  mention  of  inapplicable fields as part of a match. This
398       raised the question of how to translate between this new format and the
399       OpenFlow 1.0 fixed format. It seemed somewhat inconsistent and backward
400       to treat fields as exact-match in one format and forbid  matching  them
401       in  the  other,  so instead the treatment of inapplicable fields in the
402       fixed-length format was changed from exact match on 0  to  wildcarding.
403       (A  better  classifier had by now eliminated software performance prob‐
404       lems with wildcards.)
405
406       The OpenFlow 1.0.1 errata (released only in 2012) added some additional
407       explanation  [OpenFlow 1.0.1, section 3.4], but it did not mandate spe‐
408       cific behavior because of variation among implementations.
409
410     OpenFlow 1.1
411
412       The  OpenFlow  1.1  protocol   match   format   was   designed   as   a
413       type/length/value  (TLV)  format  to  allow for future flexibility. The
414       specification standardized only a single type OFPMT_STANDARD (0) with a
415       fixed-size  payload,  described here. The additional fields and bitwise
416       masks in OpenFlow 1.1 cause this match structure to be  over  twice  as
417       large as in OpenFlow 1.0, 88 bytes versus 40.
418
419       OpenFlow 1.1 added support for the following fields:
420
421              ·      SCTP source and destination port.
422
423              ·      MPLS label and traffic control (TC) fields.
424
425              ·      One 64-bit register (named ``metadata’’).
426
427       OpenFlow  1.1 increased the width of the ingress port number field (and
428       all other port numbers in the protocol) from 16 bits to 32 bits.
429
430       OpenFlow 1.1 increased matching flexibility  by  introducing  arbitrary
431       bitwise  matching  on  Ethernet  and IPv4 address fields and on the new
432       ``metadata’’ register field. Switches were not required to support  all
433       possible masks [OpenFlow 1.1, section 4.3].
434
435       By  a strict reading of the specification, OpenFlow 1.1 removed support
436       for matching ICMPv4 type and code [OpenFlow 1.1,  section  A.2.3],  but
437       this  is  likely  an  editing  error because ICMP matching is described
438       elsewhere [OpenFlow 1.1, Table 3, Table 4, Figure 4]. Open vSwitch does
439       support ICMPv4 type and code matching with OpenFlow 1.1.
440
441       OpenFlow  1.1 avoided the pitfalls of inapplicable fields that OpenFlow
442       1.0 encountered, by requiring the switch to ignore the specified  field
443       values  [OpenFlow  1.1, section A.2.3]. It also implied that the switch
444       should ignore the bits that  indicate  whether  to  match  inapplicable
445       fields.
446
447       Physical Ingress Port
448
449       OpenFlow  1.1 introduced a new pseudo-field, the physical ingress port.
450       The physical ingress port is only a pseudo-field because it  cannot  be
451       used  for  matching.  It appears only one place in the protocol, in the
452       ``packet-in’’ message that passes a packet received at the switch to an
453       OpenFlow controller.
454
455       A  packet’s ingress port and physical ingress port are identical except
456       for packets processed by a switch feature such as bonding or  tunneling
457       that  makes  a packet appear to arrive on a ``virtual’’ port associated
458       with the bond or the tunnel. For such packets, the ingress port is  the
459       virtual  port and the physical ingress port is, naturally, the physical
460       port. Open vSwitch implements both bonding and tunneling, but its bond‐
461       ing implementation does not use virtual ports and its tunnels are typi‐
462       cally not on the same OpenFlow switch as their physical  ingress  ports
463       (which  need not be part of any switch), so the ingress port and physi‐
464       cal ingress port are always the same in Open vSwitch.
465
466     OpenFlow 1.2
467
468       OpenFlow 1.2 abandoned the fixed-length approach to matching. One  rea‐
469       son  was size, since adding support for IPv6 address matching (now seen
470       as important), with bitwise masks, would have added  64  bytes  to  the
471       match  length,  increasing it from 88 bytes in OpenFlow 1.1 to over 150
472       bytes. Extensibility had also become important  as  controller  writers
473       increasingly  wanted  support  for  new fields without having to change
474       messages throughout the OpenFlow protocol. The challenges of  carefully
475       defining  fixed-length  matches  to  avoid  problems  with inapplicable
476       fields had also become clear over time.
477
478       Therefore, OpenFlow 1.2 adopted a flow format using  a  flexible  type-
479       length-value  (TLV) representation, in which each TLV expresses a match
480       on one field. These TLVs were in turn encapsulated inside the outer TLV
481       wrapper  introduced  in  OpenFlow 1.1 with the new identifier OFPMT_OXM
482       (1). (This wrapper fulfilled  its  intended  purpose  of  reducing  the
483       amount  of churn in the protocol when changing match formats; some mes‐
484       sages that included matches remained unchanged from OpenFlow 1.1 to 1.2
485       and later versions.)
486
487       OpenFlow 1.2 added support for the following fields:
488
489              ·      ARP hardware addresses (SHA and THA).
490
491              ·      IPv4 ECN.
492
493              ·      IPv6  source and destination addresses, flow label, DSCP,
494                     ECN, and protocol.
495
496              ·      TCP, UDP, and SCTP port numbers when encapsulated  inside
497                     IPv6.
498
499              ·      ICMPv6 type and code.
500
501              ·      ICMPv6  Neighbor  Discovery target address and source and
502                     target Ethernet addresses.
503
504       The OpenFlow 1.2 format, called OXM (OpenFlow  Extensible  Match),  was
505       modeled  closely  on  an  extension  to OpenFlow 1.0 introduced in Open
506       vSwitch 1.1 called NXM (Nicira Extended Match). Each OXM or NXM TLV has
507       the following format:
508
509               type
510        <---------------->
511             16        7   1    8      length bytes
512       +------------+-----+--+------+ +------------+
513       |vendor/class|field|HM|length| |    body    |
514       +------------+-----+--+------+ +------------+
515
516
517       The most significant 16 bits of the NXM or OXM header, called vendor by
518       NXM and class by OXM, identify an organization  permitted  to  allocate
519       identifiers  for  fields.  NXM  allocates  only two vendors, 0x0000 for
520       fields supported by OpenFlow 1.0 and 0x0001 for fields  implemented  as
521       an Open vSwitch extension. OXM assigns classes as follows:
522
523              0x0000 (OFPXMC_NXM_0).
524              0x0001 (OFPXMC_NXM_1).
525                   Reserved for NXM compatibility.
526
527              0x0002 to 0x7fff
528                   Reserved  for  allocation  to  ONF  members,  but  none yet
529                   assigned.
530
531              0x8000 (OFPXMC_OPENFLOW_BASIC)
532                   Used for most standard OpenFlow fields.
533
534              0x8001 (OFPXMC_PACKET_REGS)
535                   Used for packet register fields in OpenFlow 1.5 and later.
536
537              0x8002 to 0xfffe
538                   Reserved for the OpenFlow specification.
539
540              0xffff (OFPXMC_EXPERIMENTER)
541                   Experimental use.
542
543       When class is 0xffff, the OXM header is extended to 64  bits  by  using
544       the  first 32 bits of the body as an experimenter field whose most sig‐
545       nificant byte is zero and whose remaining bytes are an Organizationally
546       Unique  Identifier  (OUI)  assigned  by  the  IEEE [IEEE OUI], as shown
547       below.
548
549            type                 experimenter
550        <---------->             <---------->
551          16     7   1    8        8     24     (length - 4) bytes
552       +------+-----+--+------+ +------+-----+ +------------------+
553       |class |field|HM|length| | zero | OUI | |       body       |
554       +------+-----+--+------+ +------+-----+ +------------------+
555        0xffff                    0x00
556
557
558       OpenFlow says that support for experimenter fields  is  optional.  Open
559       vSwitch  2.4  and  later  does support them, so that it can support the
560       following experimenter classes:
561
562              0x4f4e4600 (ONFOXM_ET)
563                     Used by official Open Networking Foundation extensions in
564                     OpenFlow  1.3  and  later.  e.g.  [TCP  Flags Match Field
565                     Extension].
566
567              0x005ad650 (NXOXM_NSH)
568                     Used by Open vSwitch for NSH extensions, in  the  absence
569                     of  an official ONF-assigned class. (This OUI is randomly
570                     generated.)
571
572       Taken as a unit, class  (or  vendor),  field,  and  experimenter  (when
573       present) uniquely identify a particular field.
574
575       When  hasmask (abbreviated HM above) is 0, the OXM is an exact match on
576       an entire field. In this case, the  body  (excluding  the  experimenter
577       field, if present) is a single value to be matched.
578
579       When  hasmask is 1, the OXM is a bitwise match. The body (excluding the
580       experimenter field) consists of a value to match, followed by the  bit‐
581       wise  mask to apply. A 1-bit in the mask indicates that the correspond‐
582       ing bit in the value should be matched and a 0-bit that  it  should  be
583       ignored.  For  example, for an IP address field, a value of 192.168.0.0
584       followed by  a  mask  of  255.255.0.0  would  match  addresses  in  the
585       196.168.0.0/16 subnet.
586
587              ·      Some  fields  might  not support masking at all, and some
588                     fields that do support masking might restrict it to  cer‐
589                     tain  patterns.  For example, fields that have IP address
590                     values might be restricted to CIDR  masks.  The  descrip‐
591                     tions of individual fields note these restrictions.
592
593              ·      An  OXM  TLV  with a mask that is all zeros is not useful
594                     (although it is not forbidden), because  it  is  has  the
595                     same effect as omitting the TLV entirely.
596
597              ·      It  is not meaningful to pair a 0-bit in an OXM mask with
598                     a 1-bit in its value, and Open vSwitch  rejects  such  an
599                     OXM  with  the error OFPBMC_BAD_WILDCARDS, as required by
600                     OpenFlow 1.3 and later.
601
602       The length identifies the number of bytes in the  body,  including  the
603       4-byte  experimenter header, if it is present. Each OXM TLV has a fixed
604       length; that is, given class, field,  experimenter  (if  present),  and
605       hasmask,  length  is  a  constant. The length is included explicitly to
606       allow software to minimally parse OXM TLVs of unknown types.
607
608       OXM TLVs must be ordered so that a field’s prerequisites are  satisfied
609       before  it  is parsed. For example, an OXM TLV that matches on the IPv4
610       source address field is only allowed following an OXM TLV that  matches
611       on  the  Ethertype  for IPv4. Similarly, an OXM TLV that matches on the
612       TCP source port must follow a TLV that matches an Ethertype of IPv4  or
613       IPv6  and  one  that matches an IP protocol of TCP (in that order). The
614       order of OXM TLVs is not otherwise restricted; no canonical ordering is
615       defined.
616
617       A given field may be matched only once in a series of OXM TLVs.
618
619     OpenFlow 1.3
620
621       OpenFlow  1.3 showed OXM to be largely successful, by adding new fields
622       without making any changes to how flow  matches  otherwise  worked.  It
623       added OXMs for the following fields supported by Open vSwitch:
624
625              ·      Tunnel  ID  for ports associated with e.g. VXLAN or keyed
626                     GRE.
627
628              ·      MPLS ``bottom of stack’’ (BOS) bit.
629
630       OpenFlow 1.3 also added OXMs for the following  fields  not  documented
631       here and not yet implemented by Open vSwitch:
632
633              ·      IPv6 extension header handling.
634
635              ·      PBB I-SID.
636
637     OpenFlow 1.4
638
639       OpenFlow  1.4  added  OXMs for the following fields not documented here
640       and not yet implemented by Open vSwitch:
641
642              ·      PBB UCA.
643
644     OpenFlow 1.5
645
646       OpenFlow 1.5 added OXMs for the  following  fields  supported  by  Open
647       vSwitch:
648
649              ·      Packet type.
650
651              ·      TCP flags.
652
653              ·      Packet registers.
654
655              ·      The output port in the OpenFlow action set.
656

FIELDS REFERENCE

658       The  following sections document the fields that Open vSwitch supports.
659       Each section provides introductory  material  on  a  group  of  related
660       fields,  followed  by information on each individual field. In addition
661       to field-specific information, each field  begins  with  a  table  with
662       entries for the following important properties:
663
664              Name   The  field’s  name,  used  for parsing and formatting the
665                     field, e.g. in ovs-ofctl commands.  For  historical  rea‐
666                     sons,  some  fields  have  an  additional  name  that  is
667                     accepted as an alternative in parsing.  This  name,  when
668                     there  is  one,  is  listed as well, e.g. ``tun (aka tun‐
669                     nel_id).’’
670
671              Width  The field’s width, always a  multiple  of  8  bits.  Some
672                     fields don’t use all of the bits, so this may be accompa‐
673                     nied by an explanation. For example, OpenFlow embeds  the
674                     2-bit  IP  ECN field as as the low bits in an 8-bit byte,
675                     and so its width is  expressed  as  ``8  bits  (only  the
676                     least-significant 2 bits may be nonzero).’’
677
678              Format How  a  value  for  the  field is formatted or parsed by,
679                     e.g., ovs-ofctl. Some possibilities are generic:
680
681                     decimal
682                            Formats as a decimal  number.  On  input,  accepts
683                            decimal numbers or hexadecimal numbers prefixed by
684                            0x.
685
686                     hexadecimal
687                            Formats as a hexadecimal number prefixed by 0x. On
688                            input, accepts decimal numbers or hexadecimal num‐
689                            bers prefixed by 0x. (The default for  parsing  is
690                            not  hexadecimal: only a 0x prefix causes input to
691                            be treated as hexadecimal.)
692
693                     Ethernet
694                            Formats and accepts the  common  Ethernet  address
695                            format xx:xx:xx:xx:xx:xx.
696
697                     IPv4   Formats   and   accepts   the  dotted-quad  format
698                            a.b.c.d. For bitwise matches, formats and  accepts
699                            address/length   CIDR   notation  in  addition  to
700                            address/mask.
701
702                     IPv6   Formats and accepts the common IPv6  address  for‐
703                            mats, plus CIDR notation for bitwise matches.
704
705                     OpenFlow 1.0 port
706                            Accepts 16-bit port numbers in decimal, plus Open‐
707                            Flow  well-known  port  names  (e.g.  IN_PORT)  in
708                            uppercase or lowercase.
709
710                     OpenFlow 1.1+ port
711                            Same  syntax  as OpenFlow 1.0 ports but for 32-bit
712                            OpenFlow 1.1+ port number fields.
713
714                     Other, field-specific formats are  explained  along  with
715                     their fields.
716
717              Masking
718                     For  most  fields, this says ``arbitrary bitwise masks,’’
719                     meaning that a flow may match any combination of bits  in
720                     the  field. Some fields instead say ``exact match only,’’
721                     which means that a flow that matches on this  field  must
722                     match  on  the  whole field instead of just certain bits.
723                     Either way, this reports masking support for  the  latest
724                     version of Open vSwitch using OXM or NXM (that is, either
725                     OpenFlow 1.2+ or  OpenFlow  1.0  plus  Open  vSwitch  NXM
726                     extensions).  In  particular,  OpenFlow 1.0 (without NXM)
727                     and 1.1 don’t always support masking even if Open vSwitch
728                     itself  does;  refer to the OpenFlow 1.0 and OpenFlow 1.1
729                     rows to learn about masking with these protocol versions.
730
731              Prerequisites
732                     Requirements that must be met to match on this field. For
733                     example,  ip_src has IPv4 as a prerequisite, meaning that
734                     a match must include eth_type=0x0800 to match on the IPv4
735                     source  address.  The following prerequisites, with their
736                     requirements, are currently in use:
737
738                     none   (no requirements)
739
740                     VLAN VID
741                            vlan_tci=0x1000/0x1000  (i.e.  a  VLAN  header  is
742                            present)
743
744                     ARP    eth_type=0x0806 (ARP) or eth_type=0x8035 (RARP)
745
746                     IPv4   eth_type=0x0800
747
748                     IPv6   eth_type=0x86dd
749
750                     IPv4/IPv6
751                            IPv4 or IPv6
752
753                     MPLS   eth_type=0x8847 or eth_type=0x8848
754
755                     TCP    IPv4/IPv6 and ip_proto=6
756
757                     UDP    IPv4/IPv6 and ip_proto=17
758
759                     SCTP   IPv4/IPv6 and ip_proto=132
760
761                     ICMPv4 IPv4 and ip_proto=1
762
763                     ICMPv6 IPv6 and ip_proto=58
764
765                     ND solicit
766                            ICMPv6 and icmp_type=135 and icmp_code=0
767
768                     ND advert
769                            ICMPv6 and icmp_type=136 and icmp_code=0
770
771                     ND     ND solicit or ND advert
772
773                     The  TCP,  UDP, and SCTP prerequisites also have the spe‐
774                     cial requirement that nw_frag is not being used to select
775                     ``later fragments.’’ This is because only the first frag‐
776                     ment of a fragmented IPv4 or IPv6 datagram  contains  the
777                     TCP or UDP header.
778
779              Access Most  fields  are ``read/write,’’ which means that common
780                     OpenFlow actions like set_field can modify  them.  Fields
781                     that  are  ``read-only’’ cannot be modified in these gen‐
782                     eral-purpose ways, although there may be other ways  that
783                     actions can modify them.
784
785              OpenFlow 1.0
786              OpenFlow 1.1
787                   These rows report the level of support that OpenFlow 1.0 or
788                   OpenFlow 1.1, respectively, has for a field.  For  OpenFlow
789                   1.0,  supported  fields are reported as either ``yes (exact
790                   match only)’’ for fields that do not  support  any  bitwise
791                   masking  or  ``yes (CIDR match only)’’ for fields that sup‐
792                   port CIDR masking. OpenFlow  1.1  supported  fields  report
793                   either  ``yes  (exact  match  only)’’ or simply ``yes’’ for
794                   fields that do support arbitrary masks. These OpenFlow ver‐
795                   sions supported a fixed collection of fields that cannot be
796                   extended, so many more fields are reported  as  ``not  sup‐
797                   ported.’’
798
799              OXM
800              NXM  These  rows  report the OXM and NXM code points that corre‐
801                   spond to a given field. Either or both may be ``none.’’
802
803                   A field that has only an OXM code point is usually one that
804                   was  standardized  before  it  was added to Open vSwitch. A
805                   field that has only an NXM code point is usually  one  that
806                   is  not yet standardized. When a field has both OXM and NXM
807                   code points, it usually indicates that it was introduced as
808                   an  Open  vSwitch  extension under the NXM code point, then
809                   later standardized under the OXM code point.  A  field  can
810                   have more than one OXM code point if it was standardized in
811                   OpenFlow 1.4 or later and  additionally  introduced  as  an
812                   official  ONF extension for OpenFlow 1.3. (A field that has
813                   neither OXM nor NXM code point  is  typically  an  obsolete
814                   field  that  is  supported  in some other form using OXM or
815                   NXM.)
816
817                   Each code point in these rows  is  described  in  the  form
818                   ``NAME  (number)  since OpenFlow spec and Open vSwitch ver‐
819                   sion,’’ e.g. ``OXM_OF_ETH_TYPE (5) since OpenFlow  1.2  and
820                   Open vSwitch 1.7.’’ First, NAME, which specifies a name for
821                   the code point, starts with  a  prefix  that  designates  a
822                   class  and,  in some cases, a vendor, as listed in the fol‐
823                   lowing table:
824
825                   Prefix           Vendor       Class
826                   ───────────────  ───────────  ───────
827                   NXM_OF           (none)       0x0000
828                   NXM_NX           (none)       0x0001
829                   ERICOXM_OF       (none)       0x1000
830                   OXM_OF           (none)       0x8000
831                   OXM_OF_PKT_REG   (none)       0x8001
832                   NXOXM_ET         0x00002320   0xffff
833                   NXOXM_NSH        0x005ad650   0xffff
834                   ONFOXM_ET        0x4f4e4600   0xffff
835
836                   For more information on OXM/NXM classes and vendors,  refer
837                   back  to  OpenFlow  1.2 under Evolution of OpenFlow Fields.
838                   The number is the field number within the class and vendor.
839                   The OpenFlow spec is the version of OpenFlow that standard‐
840                   ized the code point. It is  omitted  for  NXM  code  points
841                   because they are nonstandard. The version is the version of
842                   Open vSwitch that first supported the code point.
843

CONJUNCTIVE MATCH FIELDS

845   Summary:
846       Name      Bytes   Mask   RW?   Prereqs   NXM/OXM Support
847       ────────  ──────  ─────  ────  ────────  ────────────────
848       conj_id   4       no     no    none      OVS 2.4+
849
850       An individual OpenFlow flow can match only  a  single  value  for  each
851       field.  However, situations often arise where one wants to match one of
852       a set of values within a field or fields. For matching a  single  field
853       against  a  set,  it  is  straightforward and efficient to add multiple
854       flows to the flow table, one for each value in the  set.  For  example,
855       one  might  use  the  following  flows  to  send packets with IP source
856       address a, b, c, or d to the OpenFlow controller:
857
858             ip,ip_src=a actions=controller
859             ip,ip_src=b actions=controller
860             ip,ip_src=c actions=controller
861             ip,ip_src=d actions=controller
862
863
864       Similarly, these flows send packets with IP destination address  e,  f,
865       g, or h to the OpenFlow controller:
866
867             ip,ip_dst=e actions=controller
868             ip,ip_dst=f actions=controller
869             ip,ip_dst=g actions=controller
870             ip,ip_dst=h actions=controller
871
872
873       Installing  all of the above flows in a single flow table yields a dis‐
874       junctive effect: a packet  is  sent  to  the  controller  if  ip_src  
875       {a,b,c,d}  or  ip_dst  ∈ {e,f,g,h} (or both). (Pedantically, if both of
876       the above sets of flows are present in the flow table, they should have
877       different  priorities, because OpenFlow says that the results are unde‐
878       fined when two flows  with  same  priority  can  both  match  a  single
879       packet.)
880
881       Suppose, on the other hand, one wishes to match conjunctively, that is,
882       to send a packet to the controller only if both ip_src ∈ {a,b,c,d}  and
883       ip_dst ∈ {e,f,g,h}. This requires 4 × 4 = 16 flows, one for each possi‐
884       ble pairing of ip_src and ip_dst. That  is  acceptable  for  our  small
885       example,  but  it  does not gracefully extend to larger sets or greater
886       numbers of dimensions.
887
888       The conjunction action is a solution for conjunctive  matches  that  is
889       built into Open vSwitch. A conjunction action ties groups of individual
890       OpenFlow flows into higher-level ``conjunctive flows’’. Each group cor‐
891       responds  to  one dimension, and each flow within the group matches one
892       possible value for the dimension. A packet that matches one  flow  from
893       each group matches the conjunctive flow.
894
895       To  implement  a conjunctive flow with conjunction, assign the conjunc‐
896       tive flow a 32-bit id, which must be unique within an  OpenFlow  table.
897       Assign  each  of  the n ≥ 2 dimensions a unique number from 1 to n; the
898       ordering is unimportant. Add one flow to the OpenFlow  flow  table  for
899       each  possible value of each dimension with conjunction(id, k/n) as the
900       flow’s actions, where k is the number assigned to the flow’s dimension.
901       Together,  these  flows specify the conjunctive flow’s match condition.
902       When the conjunctive match condition is met, Open vSwitch looks up  one
903       more  flow  that  specifies the conjunctive flow’s actions and receives
904       its statistics. This flow is found by setting conj_id to the  specified
905       id and then again searching the flow table.
906
907       The  following  flows provide an example. Whenever the IP source is one
908       of the values in the flows that match on the IP source (dimension 1  of
909       2), and the IP destination is one of the values in the flows that match
910       on IP destination (dimension 2 of 2), Open vSwitch searches for a  flow
911       that  matches  conj_id  against  the conjunction ID (1234), finding the
912       first flow listed below.
913
914             conj_id=1234 actions=controller
915             ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)
916             ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)
917             ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)
918             ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)
919             ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)
920             ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)
921             ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)
922             ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)
923
924
925       Many subtleties exist:
926
927              ·      In the example above, every flow in  a  single  dimension
928                     has the same form, that is, dimension 1 matches on ip_src
929                     and dimension 2 on ip_dst, but this is not a requirement.
930                     Different flows within a dimension may match on different
931                     bits within a field (e.g. IP network prefixes of  differ‐
932                     ent  lengths, or TCP/UDP port ranges as bitwise matches),
933                     or even on entirely different fields (e.g. to match pack‐
934                     ets for TCP source port 80 or TCP destination port 80).
935
936              ·      The  flows  within  a  dimension  can  vary their matches
937                     across more than one field, e.g. to match  only  specific
938                     pairs  of  IP source and destination addresses or L4 port
939                     numbers.
940
941              ·      A flow may have multiple conjunction actions,  with  dif‐
942                     ferent id values. This is useful for multiple conjunctive
943                     flows with overlapping  sets.  If  one  conjunctive  flow
944                     matches  packets  with  both  ip_src ∈ {a,b} and ip_dst 
945                     {d,e} and a second  conjunctive  flow  matches  ip_src  
946                     {b,c} and ip_dst ∈ {f,g}, for example, then the flow that
947                     matches ip_src=b would have two conjunction actions,  one
948                     for  each  conjunctive  flow.  The  order  of conjunction
949                     actions within a list of actions is not significant.
950
951              ·      A flow with conjunction actions  may  also  include  note
952                     actions  for  annotations,  but  not  any  other  kind of
953                     actions. (They would not be  useful  because  they  would
954                     never be executed.)
955
956              ·      All  of the flows that constitute a conjunctive flow with
957                     a given id must have the same priority. (Flows  with  the
958                     same id but different priorities are currently treated as
959                     different conjunctive flows, that is, currently id values
960                     need  only  be unique within an OpenFlow table at a given
961                     priority. This behavior isn’t guaranteed to stay the same
962                     in  later releases, so please use id values unique within
963                     an OpenFlow table.)
964
965              ·      Conjunctive flows must not overlap with each other, at  a
966                     given priority, that is, any given packet must be able to
967                     match at most one conjunctive flow at a  given  priority.
968                     Overlapping   conjunctive   flows   yield   unpredictable
969                     results. (The flows that constitute  a  conjunctive  flow
970                     may  overlap  with  those  that  constitute  the  same or
971                     another conjunctive flow.)
972
973              ·      Following a conjunctive flow match, the  search  for  the
974                     flow  with conj_id=id is done in the same general-purpose
975                     way as other flow table searches, so one  can  use  flows
976                     with  conj_id=id  to act differently depending on circum‐
977                     stances. (One  exception  is  that  the  search  for  the
978                     conj_id=id  flow  itself  ignores  conjunctive  flows, to
979                     avoid recursion.) If the search  with  conj_id=id  fails,
980                     Open  vSwitch  acts  as  if  the conjunctive flow had not
981                     matched at all, and continues searching  the  flow  table
982                     for other matching flows.
983
984              ·      OpenFlow  prerequisite  checking occurs for the flow with
985                     conj_id=id in the same way as any other flow, e.g. in  an
986                     OpenFlow  1.1+  context, putting a mod_nw_src action into
987                     the example above would require adding an ip match,  like
988                     this:
989
990                               conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller
991
992
993              ·      OpenFlow  prerequisite checking also occurs for the indi‐
994                     vidual flows that comprise a  conjunctive  match  in  the
995                     same way as any other flow.
996
997              ·      The  flows that constitute a conjunctive flow do not have
998                     useful statistics. They are never updated  with  byte  or
999                     packet  counts,  and  so on. (For such a flow, therefore,
1000                     the idle and hard timeouts work much the same way.)
1001
1002              ·      Sometimes there is a choice of which flows include a par‐
1003                     ticular  match.  For  example,  suppose  that we added an
1004                     extra constraint to our example, to  match  on  ip_src  
1005                     {a,b,c,d} and ip_dst ∈ {e,f,g,h} and tcp_dst = i. One way
1006                     to implement this is to add the  new  constraint  to  the
1007                     conj_id flow, like this:
1008
1009                               conj_id=1234,tcp,tcp_dst=i actions=mod_nw_src:1.2.3.4,controller
1010
1011
1012                     but  this  is  not recommended because of the cost of the
1013                     extra flow table lookup. Instead, add the  constraint  to
1014                     the  individual flows, either in one of the dimensions or
1015                     (slightly better) all of them.
1016
1017              ·      A conjunctive match must have n ≥ 2 dimensions (otherwise
1018                     a  conjunctive  match  is  not  necessary).  Open vSwitch
1019                     enforces this.
1020
1021              ·      Each dimension within a conjunctive match should ordinar‐
1022                     ily  have  more  than  one  flow.  Open  vSwitch does not
1023                     enforce this.
1024
1025       Conjunction ID Field
1026
1027       Name:            conj_id
1028       Width:           32 bits
1029       Format:          decimal
1030       Masking:         not maskable
1031       Prerequisites:   none
1032       Access:          read-only
1033       OpenFlow 1.0:    not supported
1034       OpenFlow 1.1:    not supported
1035       OXM:             none
1036       NXM:             NXM_NX_CONJ_ID (37) since Open vSwitch 2.4
1037
1038       Used for conjunctive matching. See above for more information.
1039

TUNNEL FIELDS

1041   Summary:
1042       Name                   Bytes             Mask   RW?   Prereqs   NXM/OXM Support
1043       ─────────────────────  ────────────────  ─────  ────  ────────  ─────────────────────
1044       tun_id aka tunnel_id   8                 yes    yes   none      OF 1.3+ and OVS 1.1+
1045       tun_src                4                 yes    yes   none      OVS 2.0+
1046       tun_dst                4                 yes    yes   none      OVS 2.0+
1047       tun_ipv6_src           16                yes    yes   none      OVS 2.5+
1048       tun_ipv6_dst           16                yes    yes   none      OVS 2.5+
1049       tun_gbp_id             2                 yes    yes   none      OVS 2.4+
1050       tun_gbp_flags          1                 yes    yes   none      OVS 2.4+
1051       tun_erspan_ver         1 (low 4 bits)    yes    yes   none      OVS 2.10+
1052       tun_erspan_idx         4 (low 20 bits)   yes    yes   none      OVS 2.10+
1053       tun_erspan_dir         1 (low 1 bits)    yes    yes   none      OVS 2.10+
1054
1055       tun_erspan_hwid        1 (low 6 bits)    yes    yes   none      OVS 2.10+
1056       tun_gtpu_flags         1                 yes    no    none      OVS 2.13+
1057       tun_gtpu_msgtype       1                 yes    no    none      OVS 2.13+
1058       tun_metadata0          124               yes    yes   none      OVS 2.5+
1059       tun_metadata1          124               yes    yes   none      OVS 2.5+
1060       tun_metadata2          124               yes    yes   none      OVS 2.5+
1061       tun_metadata3          124               yes    yes   none      OVS 2.5+
1062       tun_metadata4          124               yes    yes   none      OVS 2.5+
1063       tun_metadata5          124               yes    yes   none      OVS 2.5+
1064       tun_metadata6          124               yes    yes   none      OVS 2.5+
1065       tun_metadata7          124               yes    yes   none      OVS 2.5+
1066       tun_metadata8          124               yes    yes   none      OVS 2.5+
1067       tun_metadata9          124               yes    yes   none      OVS 2.5+
1068       tun_metadata10         124               yes    yes   none      OVS 2.5+
1069       tun_metadata11         124               yes    yes   none      OVS 2.5+
1070
1071       tun_metadata12         124               yes    yes   none      OVS 2.5+
1072       tun_metadata13         124               yes    yes   none      OVS 2.5+
1073       tun_metadata14         124               yes    yes   none      OVS 2.5+
1074       tun_metadata15         124               yes    yes   none      OVS 2.5+
1075       tun_metadata16         124               yes    yes   none      OVS 2.5+
1076       tun_metadata17         124               yes    yes   none      OVS 2.5+
1077       tun_metadata18         124               yes    yes   none      OVS 2.5+
1078       tun_metadata19         124               yes    yes   none      OVS 2.5+
1079       tun_metadata20         124               yes    yes   none      OVS 2.5+
1080       tun_metadata21         124               yes    yes   none      OVS 2.5+
1081       tun_metadata22         124               yes    yes   none      OVS 2.5+
1082       tun_metadata23         124               yes    yes   none      OVS 2.5+
1083       tun_metadata24         124               yes    yes   none      OVS 2.5+
1084       tun_metadata25         124               yes    yes   none      OVS 2.5+
1085       tun_metadata26         124               yes    yes   none      OVS 2.5+
1086
1087       tun_metadata27         124               yes    yes   none      OVS 2.5+
1088       tun_metadata28         124               yes    yes   none      OVS 2.5+
1089       tun_metadata29         124               yes    yes   none      OVS 2.5+
1090       tun_metadata30         124               yes    yes   none      OVS 2.5+
1091       tun_metadata31         124               yes    yes   none      OVS 2.5+
1092       tun_metadata32         124               yes    yes   none      OVS 2.5+
1093       tun_metadata33         124               yes    yes   none      OVS 2.5+
1094       tun_metadata34         124               yes    yes   none      OVS 2.5+
1095       tun_metadata35         124               yes    yes   none      OVS 2.5+
1096       tun_metadata36         124               yes    yes   none      OVS 2.5+
1097       tun_metadata37         124               yes    yes   none      OVS 2.5+
1098       tun_metadata38         124               yes    yes   none      OVS 2.5+
1099       tun_metadata39         124               yes    yes   none      OVS 2.5+
1100       tun_metadata40         124               yes    yes   none      OVS 2.5+
1101       tun_metadata41         124               yes    yes   none      OVS 2.5+
1102
1103       tun_metadata42         124               yes    yes   none      OVS 2.5+
1104       tun_metadata43         124               yes    yes   none      OVS 2.5+
1105       tun_metadata44         124               yes    yes   none      OVS 2.5+
1106       tun_metadata45         124               yes    yes   none      OVS 2.5+
1107       tun_metadata46         124               yes    yes   none      OVS 2.5+
1108       tun_metadata47         124               yes    yes   none      OVS 2.5+
1109       tun_metadata48         124               yes    yes   none      OVS 2.5+
1110       tun_metadata49         124               yes    yes   none      OVS 2.5+
1111       tun_metadata50         124               yes    yes   none      OVS 2.5+
1112       tun_metadata51         124               yes    yes   none      OVS 2.5+
1113       tun_metadata52         124               yes    yes   none      OVS 2.5+
1114       tun_metadata53         124               yes    yes   none      OVS 2.5+
1115       tun_metadata54         124               yes    yes   none      OVS 2.5+
1116       tun_metadata55         124               yes    yes   none      OVS 2.5+
1117       tun_metadata56         124               yes    yes   none      OVS 2.5+
1118
1119       tun_metadata57         124               yes    yes   none      OVS 2.5+
1120       tun_metadata58         124               yes    yes   none      OVS 2.5+
1121       tun_metadata59         124               yes    yes   none      OVS 2.5+
1122       tun_metadata60         124               yes    yes   none      OVS 2.5+
1123       tun_metadata61         124               yes    yes   none      OVS 2.5+
1124       tun_metadata62         124               yes    yes   none      OVS 2.5+
1125       tun_metadata63         124               yes    yes   none      OVS 2.5+
1126       tun_flags              2 (low 1 bits)    yes    yes   none      OVS 2.5+
1127
1128       The fields in this group relate to tunnels, which Open vSwitch supports
1129       in  several  forms  (GRE,  VXLAN,  and  so on). Most of these fields do
1130       appear in the wire format of a packet, so they  are  data  fields  from
1131       that  point  of view, but they are metadata from an OpenFlow flow table
1132       point of view because they do not appear in packets that are  forwarded
1133       to the controller or to ordinary (non-tunnel) output ports.
1134
1135       Open vSwitch supports a spectrum of usage models for mapping tunnels to
1136       OpenFlow ports:
1137
1138              ``Port-based’’ tunnels
1139                     In this model, an OpenFlow port represents one tunnel: it
1140                     matches  a  particular type of tunnel traffic between two
1141                     IP endpoints, with a particular tunnel key (if  keys  are
1142                     in  use).  In this situation, in_port suffices to distin‐
1143                     guish one tunnel  from  another,  so  the  tunnel  header
1144                     fields  have  little  importance for OpenFlow processing.
1145                     (They are still populated and may be used if it is conve‐
1146                     nient.)  The tunnel header fields play no role in sending
1147                     packets out such an OpenFlow port,  either,  because  the
1148                     OpenFlow port itself fully specifies the tunnel headers.
1149
1150                     The  following  Open  vSwitch  commands  create  a bridge
1151                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1152                     establish  a port-based GRE tunnel between the local host
1153                     and remote IP 192.168.1.1 using GRE key 5001 as  OpenFlow
1154                     port  2, and arranges to forward all traffic from tap0 to
1155                     the tunnel and vice versa:
1156
1157                     ovs-vsctl add-br br-int
1158                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1159                     ovs-vsctl add-port br-int gre0 -- \
1160                         set interface gre0 ofport_request=2 type=gre \
1161                                            options:remote_ip=192.168.1.1 options:key=5001
1162                     ovs-ofctl add-flow br-int in_port=1,actions=2
1163                     ovs-ofctl add-flow br-int in_port=2,actions=1
1164
1165
1166              ``Flow-based’’ tunnels
1167                     In this model, one OpenFlow port represents all  possible
1168                     tunnels  of  a given type with an endpoint on the current
1169                     host, for example, all GRE tunnels.  In  this  situation,
1170                     in_port  only  indicates that traffic was received on the
1171                     particular kind of  tunnel.  This  is  where  the  tunnel
1172                     header fields are most important: they allow the OpenFlow
1173                     tables to discriminate among tunnels based  on  their  IP
1174                     endpoints  or  keys.  Tunnel header fields also determine
1175                     the IP endpoints and keys of packets sent out such a tun‐
1176                     nel port.
1177
1178                     The  following  Open  vSwitch  commands  create  a bridge
1179                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1180                     establish a flow-based GRE tunnel port 3, and arranges to
1181                     forward all traffic from tap0 to  remote  IP  192.168.1.1
1182                     over a GRE tunnel with key 5001 and vice versa:
1183
1184                     ovs-vsctl add-br br-int
1185                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1186                     ovs-vsctl add-port br-int allgre -- \
1187                         set interface allgre ofport_request=3 type=gre \
1188                                              options:remote_ip=flow options:key=flow
1189                     ovs-ofctl add-flow br-int \
1190                         ’in_port=1 actions=set_tunnel:5001,set_field:192.168.1.1->tun_dst,3’
1191                     ovs-ofctl add-flow br-int ’in_port=3,tun_src=192.168.1.1,tun_id=5001 actions=1’
1192
1193
1194              Mixed models.
1195                     One  may define both flow-based and port-based tunnels at
1196                     the same time. For example, it is valid and possibly use‐
1197                     ful  to  create and configure both gre0 and allgre tunnel
1198                     ports described above.
1199
1200                     Traffic is attributed on ingress  to  the  most  specific
1201                     matching  tunnel. For example, gre0 is more specific than
1202                     allgre. Therefore, if both exist, then gre0 will  be  the
1203                     ingress   port   for   any   GRE  traffic  received  from
1204                     192.168.1.1 with key 5001.
1205
1206                     On egress, traffic may be  directed  to  any  appropriate
1207                     tunnel  port.  If  both gre0 and allgre are configured as
1208                     already  described,  then  the  actions  2  and  set_tun‐
1209                     nel:5001,set_field:192.168.1.1->tun_dst,3  send  the same
1210                     tunnel traffic.
1211
1212              Intermediate models.
1213                     Ports may be  configured  as  partially  flow-based.  For
1214                     example,  one may define an OpenFlow port that represents
1215                     tunnels between a pair of endpoints but leaves  the  flow
1216                     table to discriminate on the flow key.
1217
1218       ovs-vswitchd.conf.db(5)  describes all the details of tunnel configura‐
1219       tion.
1220
1221       These fields do not have any prerequisites, which means that a flow may
1222       match on any or all of them, in any combination.
1223
1224       These fields are zeros for packets that did not arrive on a tunnel.
1225
1226       Tunnel ID Field
1227
1228       Name:            tun_id (aka tunnel_id)
1229       Width:           64 bits
1230       Format:          hexadecimal
1231       Masking:         arbitrary bitwise masks
1232       Prerequisites:   none
1233       Access:          read/write
1234       OpenFlow 1.0:    not supported
1235       OpenFlow 1.1:    not supported
1236
1237       OXM:             OXM_OF_TUNNEL_ID  (38)  since  OpenFlow  1.3  and Open
1238                        vSwitch 1.10
1239       NXM:             NXM_NX_TUN_ID (16) since Open vSwitch 1.1
1240
1241       Many kinds of tunnels support a tunnel ID:
1242
1243              ·      VXLAN and Geneve have a 24-bit virtual network identifier
1244                     (VNI).
1245
1246              ·      LISP has a 24-bit instance ID.
1247
1248              ·      GRE has an optional 32-bit key.
1249
1250              ·      STT has a 64-bit key.
1251
1252              ·      ERSPAN has a 10-bit key (Session ID).
1253
1254              ·      GTPU has a 32-bit key (Tunnel Endpoint ID).
1255
1256       When a packet is received from a tunnel, this field holds the tunnel ID
1257       in its least significant bits, zero-extended to fit. This field is zero
1258       if  the tunnel does not support an ID, or if no ID is in use for a tun‐
1259       nel type that has an optional ID, or if an ID of zero received,  or  if
1260       the packet was not received over a tunnel.
1261
1262       When  a  packet  is  output  to a tunnel port, the tunnel configuration
1263       determines whether the tunnel ID is taken from this field or bound to a
1264       fixed  value. See the earlier description of ``port-based’’ and ``flow-
1265       based’’ tunnels for more information.
1266
1267       The following diagram shows the origin of this field in a typical keyed
1268       GRE tunnel:
1269
1270          Ethernet            IPv4               GRE           Ethernet
1271        <----------->   <--------------->   <------------>   <---------->
1272        48  48   16           8   32  32    16    16   32    48  48   16
1273       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1274       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1275       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1276                0x800        47                 0x6558
1277
1278
1279       Tunnel IPv4 Source Field
1280
1281       Name:            tun_src
1282       Width:           32 bits
1283       Format:          IPv4
1284       Masking:         arbitrary bitwise masks
1285       Prerequisites:   none
1286       Access:          read/write
1287
1288       OpenFlow 1.0:    not supported
1289       OpenFlow 1.1:    not supported
1290       OXM:             none
1291       NXM:             NXM_NX_TUN_IPV4_SRC (31) since Open vSwitch 2.0
1292
1293       When  a  packet  is  received  from  a tunnel, this field is the source
1294       address in the outer IP header of the tunneled packet.  This  field  is
1295       zero if the packet was not received over a tunnel.
1296
1297       When  a packet is output to a flow-based tunnel port, this field influ‐
1298       ences the IPv4 source address used to send the packet. If it  is  zero,
1299       then the kernel chooses an appropriate IP address based using the rout‐
1300       ing table.
1301
1302       The following diagram shows the origin of this field in a typical keyed
1303       GRE tunnel:
1304
1305          Ethernet            IPv4               GRE           Ethernet
1306        <----------->   <--------------->   <------------>   <---------->
1307        48  48   16           8   32  32    16    16   32    48  48   16
1308       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1309       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1310       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1311                0x800        47                 0x6558
1312
1313
1314       Tunnel IPv4 Destination Field
1315
1316       Name:            tun_dst
1317       Width:           32 bits
1318       Format:          IPv4
1319       Masking:         arbitrary bitwise masks
1320       Prerequisites:   none
1321
1322       Access:          read/write
1323       OpenFlow 1.0:    not supported
1324       OpenFlow 1.1:    not supported
1325       OXM:             none
1326       NXM:             NXM_NX_TUN_IPV4_DST (32) since Open vSwitch 2.0
1327
1328       When  a packet is received from a tunnel, this field is the destination
1329       address in the outer IP header of the tunneled packet.  This  field  is
1330       zero if the packet was not received over a tunnel.
1331
1332       When  a packet is output to a flow-based tunnel port, this field speci‐
1333       fies the destination to which the tunnel packet is sent.
1334
1335       The following diagram shows the origin of this field in a typical keyed
1336       GRE tunnel:
1337
1338          Ethernet            IPv4               GRE           Ethernet
1339        <----------->   <--------------->   <------------>   <---------->
1340        48  48   16           8   32  32    16    16   32    48  48   16
1341       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1342       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1343       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1344                0x800        47                 0x6558
1345
1346
1347       Tunnel IPv6 Source Field
1348
1349       Name:            tun_ipv6_src
1350       Width:           128 bits
1351       Format:          IPv6
1352       Masking:         arbitrary bitwise masks
1353       Prerequisites:   none
1354       Access:          read/write
1355
1356       OpenFlow 1.0:    not supported
1357       OpenFlow 1.1:    not supported
1358       OXM:             none
1359       NXM:             NXM_NX_TUN_IPV6_SRC (109) since Open vSwitch 2.5
1360
1361       Similar to tun_src, but for tunnels over IPv6.
1362
1363       Tunnel IPv6 Destination Field
1364
1365       Name:            tun_ipv6_dst
1366       Width:           128 bits
1367       Format:          IPv6
1368       Masking:         arbitrary bitwise masks
1369       Prerequisites:   none
1370       Access:          read/write
1371       OpenFlow 1.0:    not supported
1372
1373       OpenFlow 1.1:    not supported
1374       OXM:             none
1375       NXM:             NXM_NX_TUN_IPV6_DST (110) since Open vSwitch 2.5
1376
1377       Similar to tun_dst, but for tunnels over IPv6.
1378
1379   VXLAN Group-Based Policy Fields
1380       The VXLAN header is defined as follows [RFC 7348], where the I bit must
1381       be set to 1, unlabeled bits or those labeled reserved must be set to 0,
1382       and Open vSwitch makes the VNI available via tun_id:
1383
1384          VXLAN flags
1385        <------------->
1386        1 1 1 1 1 1 1 1    24    24     8
1387       +-+-+-+-+-+-+-+-+--------+---+--------+
1388       | | | | |I| | | |reserved|VNI|reserved|
1389       +-+-+-+-+-+-+-+-+--------+---+--------+
1390
1391
1392       VXLAN Group-Based Policy [VXLAN Group Policy Option] adds new interpre‐
1393       tations to existing bits in the VXLAN header, reinterpreting it as fol‐
1394       lows, with changes highlighted:
1395
1396           GBP flags
1397        <------------->
1398        1 1 1 1 1 1 1 1       24        24     8
1399       +-+-+-+-+-+-+-+-+---------------+---+--------+
1400       | |D| | |A| | | |group policy ID|VNI|reserved|
1401       +-+-+-+-+-+-+-+-+---------------+---+--------+
1402
1403
1404       Open vSwitch makes GBP fields and flags available through the following
1405       fields. Only packets that arrive over  a  VXLAN  tunnel  with  the  GBP
1406       extension enabled have these fields set. In other packets they are zero
1407       on receive and ignored on transmit.
1408
1409       VXLAN Group-Based Policy ID Field
1410
1411       Name:            tun_gbp_id
1412       Width:           16 bits
1413       Format:          decimal
1414       Masking:         arbitrary bitwise masks
1415       Prerequisites:   none
1416       Access:          read/write
1417       OpenFlow 1.0:    not supported
1418       OpenFlow 1.1:    not supported
1419       OXM:             none
1420       NXM:             NXM_NX_TUN_GBP_ID (38) since Open vSwitch 2.4
1421
1422       For a packet tunneled over VXLAN  with  the  Group-Based  Policy  (GBP)
1423       extension, this field represents the GBP policy ID, as shown above.
1424
1425       VXLAN Group-Based Policy Flags Field
1426
1427       Name:            tun_gbp_flags
1428       Width:           8 bits
1429       Format:          hexadecimal
1430       Masking:         arbitrary bitwise masks
1431       Prerequisites:   none
1432       Access:          read/write
1433       OpenFlow 1.0:    not supported
1434       OpenFlow 1.1:    not supported
1435       OXM:             none
1436       NXM:             NXM_NX_TUN_GBP_FLAGS (39) since Open vSwitch 2.4
1437
1438       For  a  packet  tunneled  over  VXLAN with the Group-Based Policy (GBP)
1439       extension, this field represents the GBP policy flags, as shown above.
1440
1441       The field has the format shown below:
1442
1443           GBP Flags
1444        <------------->
1445        1 1 1 1 1 1 1 1
1446       +-+-+-+-+-+-+-+-+
1447       | |D| | |A| | | |
1448       +-+-+-+-+-+-+-+-+
1449
1450
1451       Unlabeled bits are reserved and must be transmitted as 0. The VXLAN GBP
1452       draft defines the other bits’ meanings as:
1453
1454              D (Don’t Learn)
1455                     When  set, this bit indicates that the egress tunnel end‐
1456                     point must not learn the source address of  the  encapsu‐
1457                     lated frame.
1458
1459              A (Applied)
1460                     When  set,  indicates  that  the group policy has already
1461                     been applied to this packet. Devices must not apply poli‐
1462                     cies when the A bit is set.
1463
1464   ERSPAN Metadata Fields
1465       These  fields provide access to features in the ERSPAN tunneling proto‐
1466       col [ERSPAN], which has two major versions: version 1 (aka type II) and
1467       version 2 (aka type III).
1468
1469       Regardless of version, ERSPAN is encapsulated within a fixed 8-byte GRE
1470       header that consists of a 4-byte GRE base header and a 4-byte  sequence
1471       number. The ERSPAN version 1 header format is:
1472
1473             GRE                ERSPAN v1            Ethernet
1474        <------------>   <--------------------->   <---------->
1475        16    16   32     4  18    10    12  20    48  48   16
1476       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1477       |...| type |seq| |ver|...|session|...|idx| |dst|src|type| ...
1478       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1479            0x88be        1      tun_id
1480
1481
1482       The ERSPAN version 2 header format is:
1483
1484             GRE                         ERSPAN v2                      Ethernet
1485        <------------>   <---------------------------------------->   <---------->
1486        16    16   32     4  18    10       32     22   6    1   3    48  48   16
1487       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1488       |...| type |seq| |ver|...|session|timestamp|...|hwid|dir|...| |dst|src|type| ...
1489       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1490            0x22eb        2      tun_id                     0/1
1491
1492
1493       ERSPAN Version Field
1494
1495       Name:            tun_erspan_ver
1496       Width:           8 bits (only the least-significant 4 bits may be nonzero)
1497       Format:          decimal
1498       Masking:         arbitrary bitwise masks
1499       Prerequisites:   none
1500       Access:          read/write
1501       OpenFlow 1.0:    not supported
1502       OpenFlow 1.1:    not supported
1503       OXM:             none
1504       NXM:             NXOXM_ET_ERSPAN_VER (12) since Open vSwitch 2.10
1505
1506       ERSPAN version number: 1 for version 1, or 2 for version 2.
1507
1508       ERSPAN Index Field
1509
1510       Name:            tun_erspan_idx
1511       Width:           32 bits (only the least-significant 20 bits may be nonzero)
1512       Format:          hexadecimal
1513       Masking:         arbitrary bitwise masks
1514       Prerequisites:   none
1515       Access:          read/write
1516       OpenFlow 1.0:    not supported
1517       OpenFlow 1.1:    not supported
1518       OXM:             none
1519       NXM:             NXOXM_ET_ERSPAN_IDX (11) since Open vSwitch 2.10
1520
1521       This  field  is  a  20-bit index/port number associated with the ERSPAN
1522       traffic’s source port and direction  (ingress/egress).  This  field  is
1523       platform dependent.
1524
1525       ERSPAN Direction Field
1526
1527       Name:            tun_erspan_dir
1528       Width:           8 bits (only the least-significant 1 bits may be nonzero)
1529       Format:          decimal
1530       Masking:         arbitrary bitwise masks
1531       Prerequisites:   none
1532       Access:          read/write
1533       OpenFlow 1.0:    not supported
1534       OpenFlow 1.1:    not supported
1535       OXM:             none
1536       NXM:             NXOXM_ET_ERSPAN_DIR (13) since Open vSwitch 2.10
1537
1538       For ERSPAN v2, the mirrored traffic’s direction: 0 for ingress traffic,
1539       1 for egress traffic.
1540
1541       ERSPAN Hardware ID Field
1542
1543       Name:            tun_erspan_hwid
1544       Width:           8 bits (only the least-significant 6 bits may be nonzero)
1545       Format:          hexadecimal
1546       Masking:         arbitrary bitwise masks
1547       Prerequisites:   none
1548       Access:          read/write
1549       OpenFlow 1.0:    not supported
1550       OpenFlow 1.1:    not supported
1551       OXM:             none
1552       NXM:             NXOXM_ET_ERSPAN_HWID (14) since Open vSwitch 2.10
1553
1554       A 6-bit unique identifier of an ERSPAN v2 engine within a system.
1555
1556   GTP-U Metadata Fields
1557       These fields provide access to set-up GPRS Tunnelling Protocol for User
1558       Plane  (GTPv1-U),  based on 3GPP TS 29.281. A GTP-U header has the fol‐
1559       lowing format:
1560
1561          8      8       16    32
1562       +-----+--------+------+----+
1563       |flags|msg type|length|TEID| ...
1564       +-----+--------+------+----+
1565
1566
1567       The flags and message type have the Open vSwitch GTP-U specific  fields
1568       described  below.  Open vSwitch makes the TEID (Tunnel Endpoint Identi‐
1569       fier), which identifies a tunnel endpoint in the receiving GTP-U proto‐
1570       col entity, available via tun_id.
1571
1572       GTP-U Flags Field
1573
1574       Name:            tun_gtpu_flags
1575       Width:           8 bits
1576
1577       Format:          hexadecimal
1578       Masking:         arbitrary bitwise masks
1579       Prerequisites:   none
1580       Access:          read-only
1581       OpenFlow 1.0:    not supported
1582       OpenFlow 1.1:    not supported
1583       OXM:             none
1584       NXM:             NXOXM_ET_GTPU_FLAGS (15) since Open vSwitch 2.13
1585
1586       This field holds the 8-bit GTP-U flags, encoded as:
1587
1588         GTP-U Tunnel Flags
1589        <------------------->
1590           3    1   1  1 1 1
1591       +-------+--+---+-+-+--+
1592       |version|PT|rsv|E|S|PN|
1593       +-------+--+---+-+-+--+
1594           1        0
1595
1596
1597       The flags are:
1598
1599              version
1600                     Used  to  determine  the  version  of the GTP-U protocol,
1601                     which should be set to 1.
1602
1603              PT     Protocol type, used as a protocol  discriminator  between
1604                     GTP (1) and GTP’ (0).
1605
1606              rsv    Reserved. Must be zero.
1607
1608              E      If 1, indicates the presence of a meaningful value of the
1609                     Next Extension Header field.
1610
1611              S      If 1, indicates the presence of a meaningful value of the
1612                     Sequence Number field.
1613
1614              PN     If 1, indicates the presence of a meaningful value of the
1615                     N-PDU Number field.
1616
1617       GTP-U Message Type Field
1618
1619       Name:            tun_gtpu_msgtype
1620       Width:           8 bits
1621       Format:          decimal
1622       Masking:         arbitrary bitwise masks
1623       Prerequisites:   none
1624       Access:          read-only
1625       OpenFlow 1.0:    not supported
1626       OpenFlow 1.1:    not supported
1627
1628       OXM:             none
1629       NXM:             NXOXM_ET_GTPU_MSGTYPE (16) since Open vSwitch 2.13
1630
1631       This field indicates whether it’s a signalling message  used  for  path
1632       management,  or a user plane message which carries the original packet.
1633       The complete range of  message  types  can  be  referred  to  [3GPP  TS
1634       29.281].
1635
1636   Geneve Fields
1637       These  fields  provide access to additional features in the Geneve tun‐
1638       neling protocol [Geneve]. Their names are somewhat generic in the  hope
1639       that the same fields could be reused for other protocols in the future;
1640       for example, the NSH protocol [NSH] supports TLV options whose form  is
1641       identical to that for Geneve options.
1642
1643       Generic Tunnel Option 0 Field
1644
1645       Name:            tun_metadata0
1646       Width:           992 bits (124 bytes)
1647       Format:          hexadecimal
1648       Masking:         arbitrary bitwise masks
1649       Prerequisites:   none
1650       Access:          read/write
1651       OpenFlow 1.0:    not supported
1652       OpenFlow 1.1:    not supported
1653       OXM:             none
1654       NXM:             NXM_NX_TUN_METADATA0 (40) since Open vSwitch 2.5
1655
1656       The  above information specifically covers generic tunnel option 0, but
1657       Open vSwitch supports 64 options, numbered  0  through  63,  whose  NXM
1658       field numbers are 40 through 103.
1659
1660       These  fields  provide OpenFlow access to the generic type-length-value
1661       options defined by the Geneve tunneling  protocol  or  other  protocols
1662       with  options  in  the same TLV format as Geneve options. Each of these
1663       options has the following wire format:
1664
1665               header                 body
1666        <-------------------> <------------------>
1667         16    8    3    5    4×(length - 1) bytes
1668       +-----+----+---+------+--------------------+
1669       |class|type|res|length|       value        |
1670       +-----+----+---+------+--------------------+
1671                    0
1672
1673
1674       Taken together, the class and type in the option format mean that there
1675       are  about  16  million distinct kinds of TLV options, too many to give
1676       individual OXM code points. Thus, Open vSwitch  requires  the  user  to
1677       define  the TLV options of interest, by binding up to 64 TLV options to
1678       generic tunnel option NXM code points. Each option may have up  to  124
1679       bytes  in  its  body,  the maximum allowed by the TLV format, but bound
1680       options may total at most 252 bytes of body.
1681
1682       Open vSwitch extensions to the OpenFlow protocol bind  TLV  options  to
1683       NXM  code  points. The ovs-ofctl(8) program offers one way to use these
1684       extensions, e.g. to configure a mapping from a TLV  option  with  class
1685       0xffff, type 0, and a body length of 4 bytes:
1686
1687       ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
1688
1689
1690       Once  a  TLV  option is properly bound, it can be accessed and modified
1691       like any other field, e.g. to send packets that have value 1234 for the
1692       option described above to the controller:
1693
1694       ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
1695
1696
1697       An option not received or not bound is matched as all zeros.
1698
1699       Tunnel Flags Field
1700
1701       Name:            tun_flags
1702       Width:           16 bits (only the least-significant 1 bits may be nonzero)
1703       Format:          tunnel flags
1704       Masking:         arbitrary bitwise masks
1705       Prerequisites:   none
1706       Access:          read/write
1707       OpenFlow 1.0:    not supported
1708       OpenFlow 1.1:    not supported
1709       OXM:             none
1710       NXM:             NXM_NX_TUN_FLAGS (104) since Open vSwitch 2.5
1711
1712       Flags indicating various aspects of the tunnel encapsulation.
1713
1714       Matches  on  this  field are most conveniently written in terms of sym‐
1715       bolic names (given in the diagram below), each preceded by either + for
1716       a  flag  that  must be set, or - for a flag that must be unset, without
1717       any other delimiters between the flags. Flags not mentioned  are  wild‐
1718       carded.  For  example, tun_flags=+oam matches only OAM packets. Matches
1719       can also be written as flags/mask, where flags and mask are 16-bit num‐
1720       bers in decimal or in hexadecimal prefixed by 0x.
1721
1722       Currently, only one flag is defined:
1723
1724              oam    The tunnel protocol indicated that this is an OAM (Opera‐
1725                     tions and Management) control packet.
1726
1727       The switch may reject matches against unknown flags.
1728
1729       Newer versions of Open vSwitch may introduce additional flags with  new
1730       meanings. It is therefore not recommended to use an exact match on this
1731       field since the behavior of these new flags is unknown  and  should  be
1732       ignored.
1733
1734       For non-tunneled packets, the value is 0.
1735

METADATA FIELDS

1737   Summary:
1738       Name            Bytes   Mask   RW?   Prereqs   NXM/OXM Support
1739
1740       ──────────────  ──────  ─────  ────  ────────  ─────────────────────
1741       in_port         2       no     yes   none      OVS 1.1+
1742       in_port_oxm     4       no     yes   none      OF 1.2+ and OVS 1.7+
1743       skb_priority    4       no     no    none
1744
1745       pkt_mark        4       yes    yes   none      OVS 2.0+
1746       actset_output   4       no     no    none      OF 1.3+ and OVS 2.4+
1747       packet_type     4       no     no    none      OF 1.5+ and OVS 2.8+
1748
1749       These  fields  relate  to the origin or treatment of a packet, but they
1750       are not extracted from the packet data itself.
1751
1752       Ingress Port Field
1753
1754
1755       Name:            in_port
1756       Width:           16 bits
1757       Format:          OpenFlow 1.0 port
1758       Masking:         not maskable
1759
1760       Prerequisites:   none
1761       Access:          read/write
1762       OpenFlow 1.0:    yes (exact match only)
1763       OpenFlow 1.1:    yes (exact match only)
1764
1765       OXM:             none
1766       NXM:             NXM_OF_IN_PORT (0) since Open vSwitch 1.1
1767
1768       The OpenFlow port on which the packet being processed arrived. This  is
1769       a  16-bit field that holds an OpenFlow 1.0 port number. For receiving a
1770       packet, the only values that appear in this field are:
1771
1772              1 through 0xfeff (65,279), inclusive.
1773                     Conventional OpenFlow port numbers.
1774
1775              OFPP_LOCAL (0xfffe or 65,534).
1776                     The ``local’’ port, which in Open vSwitch is always named
1777                     the  same as the bridge itself. This represents a connec‐
1778                     tion between the switch and the local TCP/IP stack.  This
1779                     port  is  where an IP address is most commonly configured
1780                     on an Open vSwitch switch.
1781
1782                     OpenFlow does not require a switch to have a local  port,
1783                     but  all  existing  versions  of Open vSwitch have always
1784                     included a local port. Future Directions: Future versions
1785                     of  Open  vSwitch  might  be  able to optionally omit the
1786                     local port, if someone submits code to implement  such  a
1787                     feature.
1788
1789              OFPP_NONE  (OpenFlow 1.0) or OFPP_ANY (OpenFlow 1.1+) (0xffff or
1790              65,535).
1791              OFPP_CONTROLLER (0xfffd or 65,533).
1792                   When a controller injects a packet into an OpenFlow  switch
1793                   with  a ``packet-out’’ request, it can specify one of these
1794                   ingress ports to indicate that  the  packet  was  generated
1795                   internally rather than having been received on some port.
1796
1797                   OpenFlow  1.0 specified OFPP_NONE for this purpose. Despite
1798                   that,  some  controllers  used  OFPP_CONTROLLER,  and  some
1799                   switches  only  accepted OFPP_CONTROLLER, so OpenFlow 1.0.2
1800                   required support for both ports.  OpenFlow  1.1  and  later
1801                   were  more  clearly  drafted to allow only OFPP_CONTROLLER.
1802                   For maximum compatibility, Open vSwitch allows  both  ports
1803                   with all OpenFlow versions.
1804
1805       Values  not  mentioned above will never appear when receiving a packet,
1806       including the following notable values:
1807
1808              0      Zero is not a valid OpenFlow port number.
1809
1810              OFPP_MAX (0xff00 or 65,280).
1811                     This value has only been clearly  specified  as  a  valid
1812                     port number as of OpenFlow 1.3.3. Before that, its status
1813                     was unclear,  and  so  Open  vSwitch  has  never  allowed
1814                     OFPP_MAX  to  be  used  as a port number, so packets will
1815                     never be received on this port. (Other OpenFlow switches,
1816                     of course, might use it.)
1817
1818              OFPP_UNSET (0xfff7 or 65,527)
1819              OFPP_IN_PORT (0xfff8 or 65,528)
1820              OFPP_TABLE (0xfff9 or 65,529)
1821              OFPP_NORMAL (0xfffa or 65,530)
1822              OFPP_FLOOD (0xfffb or 65,531)
1823              OFPP_ALL (0xfffc or 65,532)
1824                   These  port  numbers  are  used  only in output actions and
1825                   never appear as ingress ports.
1826
1827                   Most of these port numbers were defined  in  OpenFlow  1.0,
1828                   but OFPP_UNSET was only introduced in OpenFlow 1.5.
1829
1830       Values  that  will  never  appear  when receiving a packet may still be
1831       matched against in the flow table. There  are  still  circumstances  in
1832       which those flows can be matched:
1833
1834              ·      The  resubmit Open vSwitch extension action allows a flow
1835                     table lookup with an arbitrary ingress port.
1836
1837              ·      An action that  modifies  the  ingress  port  field  (see
1838                     below),  such  as  e.g. load or set_field, followed by an
1839                     action or instruction that performs  another  flow  table
1840                     lookup, such as resubmit or goto_table.
1841
1842       This  field  is  heavily  used for matching in OpenFlow tables, but for
1843       packet egress, it has only very limited roles:
1844
1845              ·      OpenFlow requires suppressing output actions to  in_port.
1846                     That  is,  the  following two flows both drop all packets
1847                     that arrive on port 1:
1848
1849                     in_port=1,actions=1
1850                     in_port=1,actions=drop
1851
1852
1853                     (This behavior is occasionally useful for flooding  to  a
1854                     subset of ports. Specifying actions=1,2,3,4, for example,
1855                     outputs to ports 1, 2, 3, and  4,  omitting  the  ingress
1856                     port.)
1857
1858              ·      OpenFlow  has  a  special  port  OFPP_IN_PORT (with value
1859                     0xfff8) that outputs to the ingress port. For example, in
1860                     a  switch  that  has  four  ports  numbered  1 through 4,
1861                     actions=1,2,3,4,in_port outputs to ports 1, 2, 3, and  4,
1862                     including the ingress port.
1863
1864       Because  the  ingress port field has so little influence on packet pro‐
1865       cessing, it does not ordinarily make sense to modify the  ingress  port
1866       field.  The  field  is writable only to support the occasional use case
1867       where the ingress port’s  roles  in  packet  egress,  described  above,
1868       become  troublesome. For example, actions=load:0->NXM_OF_IN_PORT[],out‐
1869       put:123 will output to port 123 regardless of  whether  it  is  in  the
1870       ingress  port.  If the ingress port is important, then one may save and
1871       restore it on the stack:
1872
1873       actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],output:123,pop:NXM_OF_IN_PORT[]
1874
1875
1876       or, in Open vSwitch 2.7 or later, use the  clone  action  to  save  and
1877       restore it:
1878
1879       actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
1880
1881
1882       The  ability to modify the ingress port is an Open vSwitch extension to
1883       OpenFlow.
1884
1885       OXM Ingress Port Field
1886
1887       Name:            in_port_oxm
1888       Width:           32 bits
1889       Format:          OpenFlow 1.1+ port
1890
1891       Masking:         not maskable
1892       Prerequisites:   none
1893       Access:          read/write
1894       OpenFlow 1.0:    not supported
1895       OpenFlow 1.1:    yes (exact match only)
1896       OXM:             OXM_OF_IN_PORT (0) since OpenFlow 1.2 and Open vSwitch
1897                        1.7
1898       NXM:             none
1899
1900       OpenFlow 1.1 and later use a 32-bit port number, so this field supplies
1901       a 32-bit view of the ingress port. Current  versions  of  Open  vSwitch
1902       support only a 16-bit range of ports:
1903
1904              ·      OpenFlow  1.0  ports  0x0000 to 0xfeff, inclusive, map to
1905                     OpenFlow 1.1 port numbers with the same values.
1906
1907              ·      OpenFlow 1.0 ports 0xff00 to 0xffff,  inclusive,  map  to
1908                     OpenFlow 1.1 port numbers 0xffffff00 to 0xffffffff.
1909
1910              ·      OpenFlow  1.1  ports  0x0000ff00  to  0xfffffeff  are not
1911                     mapped and not supported.
1912
1913       in_port and in_port_oxm are two views of the same information,  so  all
1914       of  the comments on in_port apply to in_port_oxm too. Modifying in_port
1915       changes in_port_oxm, and vice versa.
1916
1917       Setting in_port_oxm to an unsupported value yields  unspecified  behav‐
1918       ior.
1919
1920       Output Queue Field
1921
1922       Name:            skb_priority
1923       Width:           32 bits
1924       Format:          hexadecimal
1925       Masking:         not maskable
1926       Prerequisites:   none
1927       Access:          read-only
1928       OpenFlow 1.0:    not supported
1929
1930       OpenFlow 1.1:    not supported
1931       OXM:             none
1932       NXM:             none
1933
1934       Future Directions: Open vSwitch implements the output queue as a field,
1935       but does not currently expose it through OXM or NXM for  matching  pur‐
1936       poses.  If  this  turns  out to be a useful feature, it could be imple‐
1937       mented in future versions. Only the set_queue, enqueue,  and  pop_queue
1938       actions currently influence the output queue.
1939
1940       This field influences how packets in the flow will be queued, for qual‐
1941       ity of service (QoS) purposes, when they egress the switch.  Its  range
1942       of meaningful values, and their meanings, varies greatly from one Open‐
1943       Flow implementation to another. Even within  a  single  implementation,
1944       there is no guarantee that all OpenFlow ports have the same queues con‐
1945       figured or that all OpenFlow ports in an implementation can be  config‐
1946       ured the same way queue-wise.
1947
1948       Configuring queues on OpenFlow is not well standardized. On Linux, Open
1949       vSwitch supports queue configuration via OVSDB,  specifically  the  QoS
1950       and  Queue  tables  (see ovs-vswitchd.conf.db(5) for details). Ports of
1951       Open vSwitch to  other  platforms  might  require  queue  configuration
1952       through  some  separate  protocol  (such as a CLI). Even on Linux, Open
1953       vSwitch exposes only  a  fraction  of  the  kernel’s  queuing  features
1954       through  OVSDB,  so advanced or unusual uses might require use of sepa‐
1955       rate utilities (e.g. tc). OpenFlow switches  other  than  Open  vSwitch
1956       might  use  OF-CONFIG  or  any  of  the configuration methods mentioned
1957       above. Finally, some OpenFlow switches have a fixed  number  of  fixed-
1958       function  queues  (e.g.  eight queues with strictly defined priorities)
1959       and others do not support any control over queuing.
1960
1961       The only output queue that all OpenFlow implementations must support is
1962       zero, to identify a default queue, whose properties are implementation-
1963       defined. Outputting a packet to a queue that does not exist on the out‐
1964       put  port  yields  unpredictable  behavior: among the possibilities are
1965       that the packet might be dropped or transmitted with  a  very  high  or
1966       very low priority.
1967
1968       OpenFlow  1.0  only allowed output queues to be specified as part of an
1969       enqueue action that specified both a queue and an output port. That is,
1970       OpenFlow  1.0  treats  the  queue as an argument to an action, not as a
1971       field.
1972
1973       To increase flexibility, OpenFlow 1.1 added an action to set the output
1974       queue. This model was carried forward, without change, through OpenFlow
1975       1.5.
1976
1977       Open vSwitch implements the native queuing model of each OpenFlow  ver‐
1978       sion  it  supports. Open vSwitch also includes an extension for setting
1979       the output queue as an action in OpenFlow 1.0.
1980
1981       When a packet ingresses into an OpenFlow switch, the  output  queue  is
1982       ordinarily  set  to  0,  indicating  the  default  queue. However, Open
1983       vSwitch supports various ways to forward a  packet  from  one  OpenFlow
1984       switch  to  another  within a single host. In these cases, Open vSwitch
1985       maintains the output queue across the forwarding step. For example:
1986
1987              ·      A hop across an Open vSwitch ``patch port’’  (which  does
1988                     not actually involve queuing) preserves the output queue.
1989
1990              ·      When  a  flow  sets  the  output queue then outputs to an
1991                     OpenFlow tunnel port,  the  encapsulation  preserves  the
1992                     output  queue.  If  the  kernel  TCP/IP  stack routes the
1993                     encapsulated packet directly  to  a  physical  interface,
1994                     then  that output honors the output queue. Alternatively,
1995                     if the kernel routes the encapsulated packet  to  another
1996                     Open vSwitch bridge, then the output queue set previously
1997                     becomes the initial output queue on ingress to the second
1998                     bridge  and  will thus be used for further output actions
1999                     (unless overridden by a new ``set queue’’ action).
2000
2001                     (This description reflects the current behavior  of  Open
2002                     vSwitch  on Linux. This behavior relies on details of the
2003                     Linux TCP/IP stack. It could be difficult to  make  ports
2004                     to other operating systems behave the same way.)
2005
2006       Packet Mark Field
2007
2008       Name:            pkt_mark
2009       Width:           32 bits
2010       Format:          hexadecimal
2011       Masking:         arbitrary bitwise masks
2012       Prerequisites:   none
2013       Access:          read/write
2014       OpenFlow 1.0:    not supported
2015       OpenFlow 1.1:    not supported
2016       OXM:             none
2017       NXM:             NXM_NX_PKT_MARK (33) since Open vSwitch 2.0
2018
2019       Packet  mark  comes to Open vSwitch from the Linux kernel, in which the
2020       sk_buff data structure that represents a packet contains a 32-bit  mem‐
2021       ber  named  skb_mark.  The  value of skb_mark propagates along with the
2022       packet it accompanies wherever the packet goes in the kernel. It has no
2023       predefined  semantics  but  various  kernel-user interfaces can set and
2024       match on it, which makes it suitable for  ``marking’’  packets  at  one
2025       point  in  their handling and then acting on the mark later. With ipta‐
2026       bles, for example, one can mark some traffic specially at  ingress  and
2027       then  handle  that  traffic  differently  at egress based on the marked
2028       value.
2029
2030       Packet mark is an attempt at a generalization of the  skb_mark  concept
2031       beyond  Linux, at least through more generic naming. Like skb_priority,
2032       packet mark is preserved across  forwarding  steps  within  a  machine.
2033       Unlike  skb_priority,  packet  mark has no direct effect on packet for‐
2034       warding: the value set in packet mark does not matter unless some later
2035       OpenFlow  table  or switch matches on packet mark, or unless the packet
2036       passes through some other kernel subsystem that has been configured  to
2037       interpret  packet mark in specific ways, e.g. through iptables configu‐
2038       ration mentioned above.
2039
2040       Preserving packet mark across kernel forwarding steps relies heavily on
2041       kernel  support,  which  ports  to  non-Linux operating systems may not
2042       have. Regardless of operating system  support,  Open  vSwitch  supports
2043       packet mark within a single bridge and across patch ports.
2044
2045       The  value  of  packet mark when a packet ingresses into the first Open
2046       vSwich bridge is typically zero, but it could be nonzero if  its  value
2047       was previously set by some kernel subsystem.
2048
2049       Action Set Output Port Field
2050
2051       Name:            actset_output
2052       Width:           32 bits
2053       Format:          OpenFlow 1.1+ port
2054       Masking:         not maskable
2055       Prerequisites:   none
2056       Access:          read-only
2057       OpenFlow 1.0:    not supported
2058       OpenFlow 1.1:    not supported
2059
2060       OXM:             ONFOXM_ET_ACTSET_OUTPUT  (43)  since  OpenFlow 1.3 and
2061                        Open  vSwitch  2.4;  OXM_OF_ACTSET_OUTPUT  (43)  since
2062                        OpenFlow 1.5 and Open vSwitch 2.4
2063       NXM:             none
2064
2065       Holds  the  output port currently in the OpenFlow action set (i.e. from
2066       an output action within a write_actions instruction). Its value  is  an
2067       OpenFlow port number. If there is no output port in the OpenFlow action
2068       set, or if the output port will be ignored (e.g. because  there  is  an
2069       output  group  in  the  OpenFlow  action  set),  then the value will be
2070       OFPP_UNSET.
2071
2072       Open vSwitch allows any table to match this field.  OpenFlow,  however,
2073       only requires this field to be matchable from within an OpenFlow egress
2074       table (a feature that Open vSwitch does not yet implement).
2075
2076       Packet Type Field
2077
2078       Name:            packet_type
2079       Width:           32 bits
2080       Format:          packet type
2081       Masking:         not maskable
2082       Prerequisites:   none
2083       Access:          read-only
2084       OpenFlow 1.0:    not supported
2085
2086       OpenFlow 1.1:    not supported
2087       OXM:             OXM_OF_PACKET_TYPE (44) since OpenFlow  1.5  and  Open
2088                        vSwitch 2.8
2089       NXM:             none
2090
2091       The type of the packet in the format specified in OpenFlow 1.5:
2092
2093        Packet type
2094        <--------->
2095        16    16
2096       +---+-------+
2097       |ns |ns_type| ...
2098       +---+-------+
2099
2100
2101       The  upper 16 bits, ns, are a namespace. The meaning of ns_type depends
2102       on the namespace. The packet type field is specified and  displayed  in
2103       the format (ns,ns_type).
2104
2105       Open  vSwitch  currently supports the following classes of packet types
2106       for matching:
2107
2108              (0,0)  Ethernet.
2109
2110              (1,ethertype)
2111                     The specified ethertype. Open vSwitch can forward packets
2112                     with  any ethertype, but it can only match on and process
2113                     data fields for the following supported packet types:
2114
2115                     (1,0x800)
2116                            IPv4
2117
2118                     (1,0x806)
2119                            ARP
2120
2121                     (1,0x86dd)
2122                            IPv6
2123
2124                     (1,0x8847)
2125                            MPLS
2126
2127                     (1,0x8848)
2128                            MPLS multicast
2129
2130                     (1,0x8035)
2131                            RARP
2132
2133                     (1,0x894f)
2134                            NSH
2135
2136       Consider the  distinction  between  a  packet  with  packet_type=(0,0),
2137       dl_type=0x800 and one with packet_type=(1,0x800). The former is an Eth‐
2138       ernet frame that contains an IPv4 packet, like this:
2139
2140          Ethernet            IPv4
2141        <----------->   <--------------->
2142        48  48   16           8   32  32
2143       +---+---+-----+ +---+-----+---+---+
2144       |dst|src|type | |...|proto|src|dst| ...
2145       +---+---+-----+ +---+-----+---+---+
2146                0x800
2147
2148
2149       The latter is an IPv4 packet not encapsulated inside any  outer  frame,
2150       like this:
2151
2152              IPv4
2153        <--------------->
2154              8   32  32
2155       +---+-----+---+---+
2156       |...|proto|src|dst| ...
2157       +---+-----+---+---+
2158
2159
2160       Matching  on  packet_type  is  a pre-requisite for matching on any data
2161       field, but for backward compatibility, when a match on a data field  is
2162       present  without  a  packet_type  match,  Open vSwitch acts as though a
2163       match on (0,0) (Ethernet)  had  been  supplied.  Similarly,  when  Open
2164       vSwitch  sends  flow match information to a controller, e.g. in a reply
2165       to a request to dump the flow table, Open  vSwitch  omits  a  match  on
2166       packet type (0,0) if it would be implied by a data field match.
2167

CONNECTION TRACKING FIELDS

2169   Summary:
2170       Name          Bytes   Mask   RW?   Prereqs   NXM/OXM Support
2171       ────────────  ──────  ─────  ────  ────────  ────────────────
2172       ct_state      4       yes    no    none      OVS 2.5+
2173       ct_zone       2       no     no    none      OVS 2.5+
2174       ct_mark       4       yes    yes   none      OVS 2.5+
2175       ct_label      16      yes    yes   none      OVS 2.5+
2176       ct_nw_src     4       yes    no    CT        OVS 2.8+
2177       ct_nw_dst     4       yes    no    CT        OVS 2.8+
2178
2179       ct_ipv6_src   16      yes    no    CT        OVS 2.8+
2180       ct_ipv6_dst   16      yes    no    CT        OVS 2.8+
2181       ct_nw_proto   1       no     no    CT        OVS 2.8+
2182       ct_tp_src     2       yes    no    CT        OVS 2.8+
2183       ct_tp_dst     2       yes    no    CT        OVS 2.8+
2184
2185       Open  vSwitch  supports  ``connection tracking,’’ which allows bidirec‐
2186       tional streams of packets to be statefully  grouped  into  connections.
2187       Open  vSwitch connection tracking, for example, identifies the patterns
2188       of TCP packets that indicates a successfully initiated  connection,  as
2189       well  as those that indicate that a connection has been torn down. Open
2190       vSwitch connection tracking can also identify related connections, such
2191       as FTP data connections spawned from FTP control connections.
2192
2193       An  individual packet passing through the pipeline may be in one of two
2194       states, ``untracked’’ or ``tracked,’’ which may  be  distinguished  via
2195       the ``trk’’ flag in ct_state. A packet is untracked at the beginning of
2196       the Open vSwitch pipeline and continues to be untracked until the pipe‐
2197       line  invokes  the  ct  action.  The connection tracking fields are all
2198       zeroes in an untracked packet. When a flow in the Open vSwitch pipeline
2199       invokes  the  ct action, the action initializes the connection tracking
2200       fields and the packet becomes tracked for the remainder of its process‐
2201       ing.
2202
2203       The  connection  tracker  stores connection state in an internal table,
2204       but it only adds a new entry to this table when a ct action for  a  new
2205       connection  invokes  ct  with the commit parameter. For a given connec‐
2206       tion, when a pipeline has executed ct, but not  yet  with  commit,  the
2207       connection  is said to be uncommitted. State for an uncommitted connec‐
2208       tion is ephemeral and does not persist past the end of the pipeline, so
2209       some features are only available to committed connections. A connection
2210       would typically be left uncommitted as a way to drop its packets.
2211
2212       Connection tracking is an Open  vSwitch  extension  to  OpenFlow.  Open
2213       vSwitch  2.5  added the initial support for connection tracking. Subse‐
2214       quent versions of Open vSwitch added many refinements and extensions to
2215       the  initial  support.  Many  of  these capabilities depend on the Open
2216       vSwitch datapath rather than simply the userspace version. The capabil‐
2217       ities  column  in  the  Datapath  table  (see  ovs-vswitchd.conf.db(5))
2218       reports the detailed capabilities of a particular  Open  vSwitch  data‐
2219       path.
2220
2221       Connection Tracking State Field
2222
2223       Name:            ct_state
2224       Width:           32 bits
2225       Format:          ct state
2226
2227       Masking:         arbitrary bitwise masks
2228       Prerequisites:   none
2229       Access:          read-only
2230       OpenFlow 1.0:    not supported
2231       OpenFlow 1.1:    not supported
2232       OXM:             none
2233       NXM:             NXM_NX_CT_STATE (105) since Open vSwitch 2.5
2234
2235       This  field holds several flags that can be used to determine the state
2236       of the connection to which the packet belongs.
2237
2238       Matches on this field are most conveniently written in  terms  of  sym‐
2239       bolic  names  (listed below), each preceded by either + for a flag that
2240       must be set, or - for a flag that must  be  unset,  without  any  other
2241       delimiters  between  the flags. Flags not mentioned are wildcarded. For
2242       example, tcp,ct_state=+trk-new matches TCP packets that have  been  run
2243       through  the  connection tracker and do not establish a new connection.
2244       Matches can also be written as flags/mask, where  flags  and  mask  are
2245       32-bit numbers in decimal or in hexadecimal prefixed by 0x.
2246
2247       The following flags are defined:
2248
2249              new (0x01)
2250                     A new connection. Set to 1 if this is an uncommitted con‐
2251                     nection.
2252
2253              est (0x02)
2254                     Part of an existing connection. Set to 1 if packets of  a
2255                     committed  connection  have  been  seen by conntrack from
2256                     both directions.
2257
2258              rel (0x04)
2259                     Related to an existing connection, e.g. an ICMP  ``desti‐
2260                     nation  unreachable’’ message or an FTP data connections.
2261                     This flag will only be 1 if the connection to which  this
2262                     one is related is committed.
2263
2264                     Connections identified as rel are separate from the orig‐
2265                     inating connection and must be committed separately.  All
2266                     packets  for  a related connection will have the rel flag
2267                     set, not just the initial packet.
2268
2269              rpl (0x08)
2270                     This packet is in the reply direction, meaning that it is
2271                     in  the opposite direction from the packet that initiated
2272                     the connection. This flag will only be 1 if  the  connec‐
2273                     tion is committed.
2274
2275              inv (0x10)
2276                     The state is invalid, meaning that the connection tracker
2277                     couldn’t identify the connection. This flag is  a  catch-
2278                     all  for  problems  in  the  connection or the connection
2279                     tracker, such as:
2280
2281                     ·      L3/L4 protocol handler is not  loaded/unavailable.
2282                            With the Linux kernel datapath, this may mean that
2283                            the nf_conntrack_ipv4 or nf_conntrack_ipv6 modules
2284                            are not loaded.
2285
2286                     ·      L3/L4  protocol handler determines that the packet
2287                            is malformed.
2288
2289                     ·      Packets are unexpected length for protocol.
2290
2291              trk (0x20)
2292                     This packet is tracked, meaning that  it  has  previously
2293                     traversed  the  connection  tracker.  If this flag is not
2294                     set, then no other flags will be set.  If  this  flag  is
2295                     set,  then the packet is tracked and other flags may also
2296                     be set.
2297
2298              snat (0x40)
2299                     This packet was transformed by source address/port trans‐
2300                     lation  by  a preceding ct action. Open vSwitch 2.6 added
2301                     this flag.
2302
2303              dnat (0x80)
2304                     This packet was transformed by  destination  address/port
2305                     translation  by  a  preceding ct action. Open vSwitch 2.6
2306                     added this flag.
2307
2308       There are additional constraints on these flags, listed  in  decreasing
2309       order of precedence below:
2310
2311              1.  If trk is unset, no other flags are set.
2312
2313              2.  If trk is set, one or more other flags may be set.
2314
2315              3.  If inv is set, only the trk flag is also set.
2316
2317              4.  new and est are mutually exclusive.
2318
2319              5.  new and rpl are mutually exclusive.
2320
2321              6.  rel may be set in conjunction with any other flags.
2322
2323       Future versions of Open vSwitch may define new flags.
2324
2325       Connection Tracking Zone Field
2326
2327       Name:            ct_zone
2328       Width:           16 bits
2329       Format:          hexadecimal
2330       Masking:         not maskable
2331       Prerequisites:   none
2332       Access:          read-only
2333       OpenFlow 1.0:    not supported
2334       OpenFlow 1.1:    not supported
2335       OXM:             none
2336       NXM:             NXM_NX_CT_ZONE (106) since Open vSwitch 2.5
2337
2338       A connection tracking zone, the zone value passed to the most recent ct
2339       action. Each zone is an independent  connection  tracking  context,  so
2340       tracking  the  same  packet  in multiple contexts requires using the ct
2341       action multiple times.
2342
2343       Connection Tracking Mark Field
2344
2345       Name:            ct_mark
2346       Width:           32 bits
2347       Format:          hexadecimal
2348       Masking:         arbitrary bitwise masks
2349       Prerequisites:   none
2350       Access:          read/write
2351       OpenFlow 1.0:    not supported
2352
2353       OpenFlow 1.1:    not supported
2354       OXM:             none
2355       NXM:             NXM_NX_CT_MARK (107) since Open vSwitch 2.5
2356
2357       The metadata committed, by an action within the exec parameter  to  the
2358       ct action, to the connection to which the current packet belongs.
2359
2360       Connection Tracking Label Field
2361
2362       Name:            ct_label
2363       Width:           128 bits
2364       Format:          hexadecimal
2365       Masking:         arbitrary bitwise masks
2366       Prerequisites:   none
2367
2368       Access:          read/write
2369       OpenFlow 1.0:    not supported
2370       OpenFlow 1.1:    not supported
2371       OXM:             none
2372       NXM:             NXM_NX_CT_LABEL (108) since Open vSwitch 2.5
2373
2374       The  label  committed, by an action within the exec parameter to the ct
2375       action, to the connection to which the current packet belongs.
2376
2377       Open vSwitch 2.8 introduced the matching support for connection tracker
2378       original direction 5-tuple fields.
2379
2380       For non-committed non-related connections the conntrack original direc‐
2381       tion tuple fields always have the  same  values  as  the  corresponding
2382       headers in the packet itself. For any other packets of a committed con‐
2383       nection the conntrack original direction tuple fields reflect the  val‐
2384       ues from that initial non-committed non-related packet, and thus may be
2385       different from the actual packet headers, as the actual packet  headers
2386       may  be  in  reverse  direction (for reply packets), transformed by NAT
2387       (when nat option was applied to the connection),  or  be  of  different
2388       protocol  (i.e.,  when  an  ICMP response is sent to an UDP packet). In
2389       case of related connections, e.g., an FTP data connection, the original
2390       direction tuple contains the original direction headers from the parent
2391       connection, e.g., an FTP control connection.
2392
2393       The following fields are populated by the  ct  action,  and  require  a
2394       match  to a valid connection tracking state as a prerequisite, in addi‐
2395       tion to the IP or IPv6 ethertype match. Examples  of  valid  connection
2396       tracking    state   matches   include   ct_state=+new,   ct_state=+est,
2397       ct_state=+rel, and ct_state=+trk-inv.
2398
2399       Connection Tracking Original Direction IPv4 Source Address Field
2400
2401       Name:            ct_nw_src
2402       Width:           32 bits
2403       Format:          IPv4
2404       Masking:         arbitrary bitwise masks
2405       Prerequisites:   CT
2406       Access:          read-only
2407       OpenFlow 1.0:    not supported
2408       OpenFlow 1.1:    not supported
2409       OXM:             none
2410       NXM:             NXM_NX_CT_NW_SRC (120) since Open vSwitch 2.8
2411
2412       Matches IPv4 conntrack original direction tuple source address. See the
2413       paragraphs  above  for  general  description  to the conntrack original
2414       direction tuple. Introduced in Open vSwitch 2.8.
2415
2416       Connection Tracking Original Direction IPv4 Destination Address Field
2417
2418       Name:            ct_nw_dst
2419       Width:           32 bits
2420       Format:          IPv4
2421       Masking:         arbitrary bitwise masks
2422       Prerequisites:   CT
2423       Access:          read-only
2424       OpenFlow 1.0:    not supported
2425       OpenFlow 1.1:    not supported
2426       OXM:             none
2427
2428       NXM:             NXM_NX_CT_NW_DST (121) since Open vSwitch 2.8
2429
2430       Matches IPv4 conntrack original direction  tuple  destination  address.
2431       See the paragraphs above for general description to the conntrack orig‐
2432       inal direction tuple. Introduced in Open vSwitch 2.8.
2433
2434       Connection Tracking Original Direction IPv6 Source Address Field
2435
2436       Name:            ct_ipv6_src
2437       Width:           128 bits
2438       Format:          IPv6
2439       Masking:         arbitrary bitwise masks
2440       Prerequisites:   CT
2441       Access:          read-only
2442
2443       OpenFlow 1.0:    not supported
2444       OpenFlow 1.1:    not supported
2445       OXM:             none
2446       NXM:             NXM_NX_CT_IPV6_SRC (122) since Open vSwitch 2.8
2447
2448       Matches IPv6 conntrack original direction tuple source address. See the
2449       paragraphs  above  for  general  description  to the conntrack original
2450       direction tuple. Introduced in Open vSwitch 2.8.
2451
2452       Connection Tracking Original Direction IPv6 Destination Address Field
2453
2454       Name:            ct_ipv6_dst
2455       Width:           128 bits
2456       Format:          IPv6
2457
2458       Masking:         arbitrary bitwise masks
2459       Prerequisites:   CT
2460       Access:          read-only
2461       OpenFlow 1.0:    not supported
2462       OpenFlow 1.1:    not supported
2463       OXM:             none
2464       NXM:             NXM_NX_CT_IPV6_DST (123) since Open vSwitch 2.8
2465
2466       Matches IPv6 conntrack original direction  tuple  destination  address.
2467       See the paragraphs above for general description to the conntrack orig‐
2468       inal direction tuple. Introduced in Open vSwitch 2.8.
2469
2470       Connection Tracking Original Direction IP Protocol Field
2471
2472
2473       Name:            ct_nw_proto
2474       Width:           8 bits
2475       Format:          decimal
2476       Masking:         not maskable
2477       Prerequisites:   CT
2478       Access:          read-only
2479       OpenFlow 1.0:    not supported
2480       OpenFlow 1.1:    not supported
2481       OXM:             none
2482       NXM:             NXM_NX_CT_NW_PROTO (119) since Open vSwitch 2.8
2483
2484       Matches conntrack original direction tuple IP protocol type,  which  is
2485       specified  as  a decimal number between 0 and 255, inclusive (e.g. 1 to
2486       match ICMP packets or 6 to match TCP packets). In case of, for example,
2487       an  ICMP  response  to an UDP packet, this may be different from the IP
2488       protocol type of the packet itself. See the paragraphs above  for  gen‐
2489       eral  description to the conntrack original direction tuple. Introduced
2490       in Open vSwitch 2.8.
2491
2492       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2493       Field
2494
2495       Name:            ct_tp_src
2496       Width:           16 bits
2497       Format:          decimal
2498       Masking:         arbitrary bitwise masks
2499       Prerequisites:   CT
2500       Access:          read-only
2501       OpenFlow 1.0:    not supported
2502
2503       OpenFlow 1.1:    not supported
2504       OXM:             none
2505       NXM:             NXM_NX_CT_TP_SRC (124) since Open vSwitch 2.8
2506
2507       Bitwise  match  on  the  conntrack  original  direction tuple transport
2508       source, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for  UDP,  or  132
2509       for  SCTP. When MFF_CT_NW_PROTO has value 1 for ICMP, or 58 for ICMPv6,
2510       the lower 8 bits of MFF_CT_TP_SRC matches the conntrack original direc‐
2511       tion ICMP type. See the paragraphs above for general description to the
2512       conntrack original direction tuple. Introduced in Open vSwitch 2.8.
2513
2514       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2515       Field
2516
2517
2518       Name:            ct_tp_dst
2519       Width:           16 bits
2520       Format:          decimal
2521       Masking:         arbitrary bitwise masks
2522       Prerequisites:   CT
2523       Access:          read-only
2524       OpenFlow 1.0:    not supported
2525       OpenFlow 1.1:    not supported
2526       OXM:             none
2527       NXM:             NXM_NX_CT_TP_DST (125) since Open vSwitch 2.8
2528
2529       Bitwise  match on the conntrack original direction tuple transport des‐
2530       tination port, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for UDP, or
2531       132  for  SCTP.  When  MFF_CT_NW_PROTO  has value 1 for ICMP, or 58 for
2532       ICMPv6, the lower 8 bits of MFF_CT_TP_DST matches the conntrack  origi‐
2533       nal  direction ICMP code. See the paragraphs above for general descrip‐
2534       tion to the conntrack original  direction  tuple.  Introduced  in  Open
2535       vSwitch 2.8.
2536

REGISTER FIELDS

2538   Summary:
2539       Name       Bytes   Mask   RW?   Prereqs   NXM/OXM Support
2540
2541       ─────────  ──────  ─────  ────  ────────  ─────────────────────
2542       metadata   8       yes    yes   none      OF 1.2+ and OVS 1.8+
2543       reg0       4       yes    yes   none      OVS 1.1+
2544       reg1       4       yes    yes   none      OVS 1.1+
2545
2546       reg2       4       yes    yes   none      OVS 1.1+
2547       reg3       4       yes    yes   none      OVS 1.1+
2548       reg4       4       yes    yes   none      OVS 1.3+
2549       reg5       4       yes    yes   none      OVS 1.7+
2550
2551       reg6       4       yes    yes   none      OVS 1.7+
2552       reg7       4       yes    yes   none      OVS 1.7+
2553       reg8       4       yes    yes   none      OVS 2.6+
2554       reg9       4       yes    yes   none      OVS 2.6+
2555
2556       reg10      4       yes    yes   none      OVS 2.6+
2557       reg11      4       yes    yes   none      OVS 2.6+
2558       reg12      4       yes    yes   none      OVS 2.6+
2559       reg13      4       yes    yes   none      OVS 2.6+
2560
2561       reg14      4       yes    yes   none      OVS 2.6+
2562       reg15      4       yes    yes   none      OVS 2.6+
2563       xreg0      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2564       xreg1      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2565
2566       xreg2      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2567       xreg3      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2568       xreg4      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2569       xreg5      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2570
2571       xreg6      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2572       xreg7      8       yes    yes   none      OF 1.3+ and OVS 2.4+
2573       xxreg0     16      yes    yes   none      OVS 2.6+
2574       xxreg1     16      yes    yes   none      OVS 2.6+
2575
2576       xxreg2     16      yes    yes   none      OVS 2.6+
2577       xxreg3     16      yes    yes   none      OVS 2.6+
2578
2579       These  fields give an OpenFlow switch space for temporary storage while
2580       the pipeline is running. Whereas metadata fields can have a  meaningful
2581       initial  value  and  can  persist  across  some  hops  across  OpenFlow
2582       switches, registers are always initially 0 and their values never  per‐
2583       sist across inter-switch hops (not even across patch ports).
2584
2585       OpenFlow Metadata Field
2586
2587       Name:            metadata
2588       Width:           64 bits
2589       Format:          hexadecimal
2590
2591       Masking:         arbitrary bitwise masks
2592       Prerequisites:   none
2593       Access:          read/write
2594       OpenFlow 1.0:    not supported
2595
2596       OpenFlow 1.1:    yes
2597       OXM:             OXM_OF_METADATA   (2)  since  OpenFlow  1.2  and  Open
2598                        vSwitch 1.8
2599       NXM:             none
2600
2601       This field is the oldest standardized OpenFlow register  field,  intro‐
2602       duced in OpenFlow 1.1. It was introduced to model the limited number of
2603       user-defined bits that some ASIC-based switches can carry through their
2604       pipelines. Because of hardware limitations, OpenFlow allows switches to
2605       support writing and masking only an  implementation-defined  subset  of
2606       bits, even no bits at all. The Open vSwitch software switch always sup‐
2607       ports all 64 bits, but of course an Open vSwitch port to an ASIC  would
2608       have the same restriction as the ASIC itself.
2609
2610       This field has an OXM code point, but OpenFlow 1.4 and earlier allow it
2611       to be modified only with a specialized instruction, not with  a  ``set-
2612       field’’  action.  OpenFlow  1.5  removes this restriction. Open vSwitch
2613       does not enforce this restriction, regardless of OpenFlow version.
2614
2615       Register 0 Field
2616
2617       Name:            reg0
2618       Width:           32 bits
2619       Format:          hexadecimal
2620
2621       Masking:         arbitrary bitwise masks
2622       Prerequisites:   none
2623       Access:          read/write
2624       OpenFlow 1.0:    not supported
2625
2626       OpenFlow 1.1:    not supported
2627       OXM:             none
2628       NXM:             NXM_NX_REG0 (0) since Open vSwitch 1.1
2629
2630       This is the first of several Open vSwitch registers, all of which  have
2631       the same properties. Open vSwitch 1.1 introduced registers 0, 1, 2, and
2632       3, version 1.3 added register 4, version 1.7 added registers 5, 6,  and
2633       7, and version 2.6 added registers 8 through 15.
2634
2635       Extended Register 0 Field
2636
2637       Name:            xreg0
2638       Width:           64 bits
2639       Format:          hexadecimal
2640
2641       Masking:         arbitrary bitwise masks
2642       Prerequisites:   none
2643       Access:          read/write
2644       OpenFlow 1.0:    not supported
2645
2646       OpenFlow 1.1:    not supported
2647       OXM:             OXM_OF_PKT_REG0   (0)  since  OpenFlow  1.3  and  Open
2648                        vSwitch 2.4
2649       NXM:             none
2650
2651       This is the first of the registers introduced in OpenFlow 1.5. OpenFlow
2652       1.5  calls these fields just the ``packet registers,’’ but Open vSwitch
2653       already had 32-bit registers by that name, so  Open  vSwitch  uses  the
2654       name  ``extended  registers’’  in  an  attempt to reduce confusion. The
2655       standard allows for up to 128 registers, each 64 bits  wide,  but  Open
2656       vSwitch  only  implements  4 (in versions 2.4 and 2.5) or 8 (in version
2657       2.6 and later).
2658
2659       Each of the 64-bit extended registers overlays two of the 32-bit regis‐
2660       ters:  xreg0  overlays reg0 and reg1, with reg0 supplying the most-sig‐
2661       nificant bits of xreg0 and reg1 the least-significant. Similarly, xreg1
2662       overlays reg2 and reg3, and so on.
2663
2664       The  OpenFlow specification says, ``In most cases, the packet registers
2665       can not be matched in tables, i.e. they usually can not be used in  the
2666       flow  entry  match  structure’’  [OpenFlow  1.5, section 7.2.3.10], but
2667       there is no reason for a software switch to impose such a  restriction,
2668       and Open vSwitch does not.
2669
2670       Double-Extended Register 0 Field
2671
2672       Name:            xxreg0
2673       Width:           128 bits
2674       Format:          hexadecimal
2675
2676       Masking:         arbitrary bitwise masks
2677       Prerequisites:   none
2678       Access:          read/write
2679       OpenFlow 1.0:    not supported
2680
2681       OpenFlow 1.1:    not supported
2682       OXM:             none
2683       NXM:             NXM_NX_XXREG0 (111) since Open vSwitch 2.6
2684
2685       This  is  the  first of the double-extended registers introduce in Open
2686       vSwitch 2.6. Each of the 128-bit extended registers  overlays  four  of
2687       the 32-bit registers: xxreg0 overlays reg0 through reg3, with reg0 sup‐
2688       plying the most-significant bits of xxreg0 and reg3 the  least-signifi‐
2689       cant. xxreg1 similarly overlays reg4 through reg7, and so on.
2690

LAYER 2 (ETHERNET) FIELDS

2692   Summary:
2693       Name                   Bytes   Mask   RW?   Prereqs    NXM/OXM Support
2694
2695       ─────────────────────  ──────  ─────  ────  ─────────  ─────────────────────
2696       eth_src aka dl_src     6       yes    yes   Ethernet   OF 1.2+ and OVS 1.1+
2697       eth_dst aka dl_dst     6       yes    yes   Ethernet   OF 1.2+ and OVS 1.1+
2698       eth_type aka dl_type   2       no     no    Ethernet   OF 1.2+ and OVS 1.1+
2699
2700       Ethernet  is  the  only layer-2 protocol that Open vSwitch supports. As
2701       with most software, Open vSwitch and OpenFlow regard an Ethernet  frame
2702       to  begin  with  the  14-byte header and end with the final byte of the
2703       payload; that is, the frame check sequence is not  considered  part  of
2704       the frame.
2705
2706       Ethernet Source Field
2707
2708       Name:            eth_src (aka dl_src)
2709
2710       Width:           48 bits
2711       Format:          Ethernet
2712       Masking:         arbitrary bitwise masks
2713       Prerequisites:   Ethernet
2714
2715       Access:          read/write
2716       OpenFlow 1.0:    yes (exact match only)
2717       OpenFlow 1.1:    yes
2718
2719
2720       OXM:             OXM_OF_ETH_SRC (4) since OpenFlow 1.2 and Open vSwitch
2721                        1.7
2722       NXM:             NXM_OF_ETH_SRC (2) since Open vSwitch 1.1
2723
2724       The Ethernet source address:
2725
2726          Ethernet
2727        <---------->
2728        48  48   16
2729       +---+---+----+
2730       |dst|src|type| ...
2731       +---+---+----+
2732
2733
2734       Ethernet Destination Field
2735
2736       Name:            eth_dst (aka dl_dst)
2737       Width:           48 bits
2738       Format:          Ethernet
2739
2740       Masking:         arbitrary bitwise masks
2741       Prerequisites:   Ethernet
2742       Access:          read/write
2743       OpenFlow 1.0:    yes (exact match only)
2744
2745       OpenFlow 1.1:    yes
2746       OXM:             OXM_OF_ETH_DST (3) since OpenFlow 1.2 and Open vSwitch
2747                        1.7
2748       NXM:             NXM_OF_ETH_DST (1) since Open vSwitch 1.1
2749
2750       The Ethernet destination address:
2751
2752          Ethernet
2753        <---------->
2754        48  48   16
2755       +---+---+----+
2756       |dst|src|type| ...
2757       +---+---+----+
2758
2759
2760       Open  vSwitch  1.8  and later support arbitrary masks for source and/or
2761       destination. Earlier versions only support masking the destination with
2762       the following masks:
2763
2764              01:00:00:00:00:00
2765                     Match      only      the     multicast     bit.     Thus,
2766                     dl_dst=01:00:00:00:00:00/01:00:00:00:00:00  matches   all
2767                     multicast  (including  broadcast)  Ethernet  packets, and
2768                     dl_dst=00:00:00:00:00:00/01:00:00:00:00:00  matches   all
2769                     unicast Ethernet packets.
2770
2771              fe:ff:ff:ff:ff:ff
2772                     Match all bits except the multicast bit. This is probably
2773                     not useful.
2774
2775              ff:ff:ff:ff:ff:ff
2776                     Exact match (equivalent to omitting the mask).
2777
2778              00:00:00:00:00:00
2779                     Wildcard all bits (equivalent to dl_dst=*).
2780
2781       Ethernet Type Field
2782
2783       Name:            eth_type (aka dl_type)
2784       Width:           16 bits
2785       Format:          hexadecimal
2786       Masking:         not maskable
2787
2788       Prerequisites:   Ethernet
2789       Access:          read-only
2790       OpenFlow 1.0:    yes (exact match only)
2791       OpenFlow 1.1:    yes (exact match only)
2792       OXM:             OXM_OF_ETH_TYPE  (5)  since  OpenFlow  1.2  and   Open
2793                        vSwitch 1.7
2794
2795       NXM:             NXM_OF_ETH_TYPE (3) since Open vSwitch 1.1
2796
2797       The most commonly seen Ethernet frames today use a format called ``Eth‐
2798       ernet II,’’ in which the last two bytes of the Ethernet header  specify
2799       the  Ethertype. For such a frame, this field is copied from those bytes
2800       of the header, like so:
2801
2802             Ethernet
2803        <---------------->
2804        48  48      16
2805       +---+---+----------+
2806       |dst|src|   type   | ...
2807       +---+---+----------+
2808                ≥0x600
2809
2810
2811       Every Ethernet type has a value 0x600 (1,536) or greater. When the last
2812       two bytes of the Ethernet header have a value too small to be an Ether‐
2813       net type, then the value found there is the total length of  the  frame
2814       in  bytes, excluding the Ethernet header. An 802.2 LLC header typically
2815       follows the Ethernet header. OpenFlow and Open vSwitch only support LLC
2816       headers  with  DSAP and SSAP 0xaa and control byte 0x03, which indicate
2817       that a SNAP header follows the LLC header. In turn, OpenFlow  and  Open
2818       vSwitch  only support a SNAP header with organization 0x000000. In such
2819       a case, this field is copied from the type field in  the  SNAP  header,
2820       like this:
2821
2822           Ethernet           LLC                SNAP
2823        <------------>   <------------>   <----------------->
2824        48  48    16      8    8    8        24        16
2825       +---+---+------+ +----+----+----+ +--------+----------+
2826       |dst|src| type | |DSAP|SSAP|cntl| |  org   |   type   | ...
2827       +---+---+------+ +----+----+----+ +--------+----------+
2828                <0x600   0xaa 0xaa 0x03   0x000000 ≥0x600
2829
2830
2831       When  an 802.1Q header is inserted after the Ethernet source and desti‐
2832       nation, this field is populated with the  encapsulated  Ethertype,  not
2833       the 802.1Q Ethertype. With an Ethernet II inner frame, the result looks
2834       like this:
2835
2836        Ethernet     802.1Q     Ethertype
2837        <------>   <-------->   <-------->
2838         48  48      16   16        16
2839       +----+---+ +------+---+ +----------+
2840       |dst |src| | TPID |TCI| |   type   | ...
2841       +----+---+ +------+---+ +----------+
2842                   0x8100       ≥0x600
2843
2844
2845       LLC and SNAP encapsulation look like this with an 802.1Q header:
2846
2847        Ethernet     802.1Q     Ethertype        LLC                SNAP
2848        <------>   <-------->   <------->   <------------>   <----------------->
2849         48  48      16   16       16        8    8    8        24        16
2850       +----+---+ +------+---+ +---------+ +----+----+----+ +--------+----------+
2851       |dst |src| | TPID |TCI| |  type   | |DSAP|SSAP|cntl| |  org   |   type   | ...
2852       +----+---+ +------+---+ +---------+ +----+----+----+ +--------+----------+
2853                   0x8100        <0x600     0xaa 0xaa 0x03   0x000000 ≥0x600
2854
2855
2856       When a packet doesn’t match any of the header formats described  above,
2857       Open    vSwitch    and    OpenFlow    set    this    field   to   0x5ff
2858       (OFP_DL_TYPE_NOT_ETH_TYPE).
2859

VLAN FIELDS

2861   Summary:
2862       Name          Bytes             Mask   RW?   Prereqs    NXM/OXM Support
2863
2864       ────────────  ────────────────  ─────  ────  ─────────  ─────────────────────
2865       dl_vlan       2 (low 12 bits)   no     yes   Ethernet
2866       dl_vlan_pcp   1 (low 3 bits)    no     yes   Ethernet
2867
2868       vlan_vid      2 (low 12 bits)   yes    yes   Ethernet   OF 1.2+ and OVS 1.7+
2869       vlan_pcp      1 (low 3 bits)    no     yes   VLAN VID   OF 1.2+ and OVS 1.7+
2870       vlan_tci      2                 yes    yes   Ethernet   OVS 1.1+
2871
2872       The 802.1Q VLAN header causes more trouble than any other  4  bytes  in
2873       networking.  OpenFlow  1.0,  1.1, and 1.2+ all treat VLANs differently.
2874       Open vSwitch extensions add another variant to the  mix.  Open  vSwitch
2875       reconciles all four treatments as best it can.
2876
2877   VLAN Header Format
2878       An 802.1Q VLAN header consists of two 16-bit fields:
2879
2880          TPID        TCI
2881        <-------> <--------->
2882           16      3   1  12
2883       +---------+---+---+---+
2884       |Ethertype|PCP|CFI|VID|
2885       +---------+---+---+---+
2886         0x8100        0
2887
2888
2889       The  first  16  bits of the VLAN header, the TPID (Tag Protocol IDenti‐
2890       fier), is an Ethertype. When the VLAN header is inserted just after the
2891       source  and  destination  MAC  addresses in a Ethertype frame, the TPID
2892       serves to identify the presence of the VLAN.  The  standard  TPID,  the
2893       only one that Open vSwitch supports, is 0x8100. OpenFlow 1.0 explicitly
2894       supports only TPID 0x8100. OpenFlow 1.1, but not earlier or later  ver‐
2895       sions,  also  requires  support  for TPID 0x88a8 (Open vSwitch does not
2896       support this). OpenFlow 1.2 through 1.5 do not require support for spe‐
2897       cific  TPIDs (the ``push vlan header’’ action does say that only 0x8100
2898       and 0x88a8 should be pushed). No version of OpenFlow provides a way  to
2899       distinguish or match on the TPID.
2900
2901       The remaining 16 bits of the VLAN header, the TCI (Tag Control Informa‐
2902       tion), is subdivided into three subfields:
2903
2904              ·      PCP (Priority Control Point), is a 3-bit 802.1p priority.
2905                     The  lowest  priority  is  value  1, the second-lowest is
2906                     value 0, and priority increases from 2 up to highest pri‐
2907                     ority 7.
2908
2909              ·      CFI (Canonical Format Indicator), is a 1-bit field. On an
2910                     Ethernet network, its value is always 0. This led  to  it
2911                     later being repurposed under the name DEI (Drop Eligibil‐
2912                     ity Indicator). By either name, OpenFlow and Open vSwitch
2913                     don’t provide any way to match or set this bit.
2914
2915              ·      VID (VLAN IDentifier), is a 12-bit VLAN. If the VID is 0,
2916                     then the frame is not part of a VLAN. In that  case,  the
2917                     VLAN  header  is called a priority tag because it is only
2918                     meaningful for assigning the frame a priority. VID  0xfff
2919                     (4,095) is reserved.
2920
2921       See eth_type for illustrations of a complete Ethernet frame with 802.1Q
2922       tag included.
2923
2924   Multiple VLANs
2925       Open vSwitch can match only a single VLAN header. If more than one VLAN
2926       header  is  present,  then  eth_type  holds  the TPID of the inner VLAN
2927       header. Open vSwitch stops parsing the packet after the inner TPID,  so
2928       matching  further  into the packet (e.g. on the inner TCI or L3 fields)
2929       is not possible.
2930
2931       OpenFlow only directly supports matching a single VLAN header. In Open‐
2932       Flow  1.1  or later, one OpenFlow table can match on the outermost VLAN
2933       header and pop it off, and a later OpenFlow table can match on the next
2934       outermost header. Open vSwitch does not support this.
2935
2936   VLAN Field Details
2937       The  four variants have three different levels of expressiveness: Open‐
2938       Flow 1.0 and 1.1 VLAN matching are less  powerful  than  OpenFlow  1.2+
2939       VLAN  matching, which is less powerful than Open vSwitch extension VLAN
2940       matching.
2941
2942   OpenFlow 1.0 VLAN Fields
2943       OpenFlow 1.0 uses two fields, called dl_vlan and dl_vlan_pcp,  each  of
2944       which  can  be  either  exact-matched  or  wildcarded,  to specify VLAN
2945       matches:
2946
2947              ·      When both dl_vlan and  dl_vlan_pcp  are  wildcarded,  the
2948                     flow matches packets without an 802.1Q header or with any
2949                     802.1Q header.
2950
2951              ·      The match dl_vlan=0xffff causes  a  flow  to  match  only
2952                     packets without an 802.1Q header. Such a flow should also
2953                     wildcard dl_vlan_pcp, since a packet  without  an  802.1Q
2954                     header  does  not  have  a PCP. OpenFlow does not specify
2955                     what to do if a match on PCP  is  actually  present,  but
2956                     Open vSwitch ignores it.
2957
2958              ·      Otherwise,  the  flow matches only packets with an 802.1Q
2959                     header. If dl_vlan is not wildcarded, then the flow  only
2960                     matches  packets  with the VLAN ID specified in dl_vlan’s
2961                     low 12 bits. If dl_vlan_pcp is not wildcarded,  then  the
2962                     flow  only matches packets with the priority specified in
2963                     dl_vlan_pcp’s low 3 bits.
2964
2965                     OpenFlow does not specify how to  interpret  the  high  4
2966                     bits  of  dl_vlan or the high 5 bits of dl_vlan_pcp. Open
2967                     vSwitch ignores them.
2968
2969   OpenFlow 1.1 VLAN Fields
2970       VLAN matching in OpenFlow 1.1 is  similar  to  OpenFlow  1.0.  The  one
2971       refinement  is  that  when  dl_vlan matches on 0xfffe (OFVPID_ANY), the
2972       flow matches only packets with an 802.1Q header, with any VLAN  ID.  If
2973       dl_vlan_pcp  is  wildcarded, the flow matches any packet with an 802.1Q
2974       header, regardless of VLAN ID or priority. If dl_vlan_pcp is not  wild‐
2975       carded,  then the flow only matches packets with the priority specified
2976       in dl_vlan_pcp’s low 3 bits.
2977
2978       OpenFlow 1.1 uses the name OFPVID_NONE, instead of OFP_VLAN_NONE, for a
2979       dl_vlan of 0xffff, but it has the same meaning.
2980
2981       In  OpenFlow  1.1,  Open  vSwitch reports error OFPBMC_BAD_VALUE for an
2982       attempt to match on dl_vlan between 4,096  and  0xfffd,  inclusive,  or
2983       dl_vlan_pcp greater than 7.
2984
2985   OpenFlow 1.2 VLAN Fields
2986       OpenFlow 1.2+ VLAN ID Field
2987
2988       Name:            vlan_vid
2989       Width:           16 bits (only the least-significant 12 bits may be nonzero)
2990       Format:          decimal
2991       Masking:         arbitrary bitwise masks
2992       Prerequisites:   Ethernet
2993       Access:          read/write
2994
2995       OpenFlow 1.0:    yes (exact match only)
2996       OpenFlow 1.1:    yes (exact match only)
2997       OXM:             OXM_OF_VLAN_VID (6) since OpenFlow 1.2 and Open vSwitch 1.7
2998       NXM:             none
2999
3000       The  OpenFlow  standard  describes this field as consisting of ``12+1’’
3001       bits. On ingress, its value is 0 if no 802.1Q header  is  present,  and
3002       otherwise  it holds the VLAN VID in its least significant 12 bits, with
3003       bit 12 (0x1000 aka OFPVID_PRESENT) also set to 1. The three  most  sig‐
3004       nificant bits are always zero:
3005
3006        OXM_OF_VLAN_VID
3007        <------------->
3008         3  1     12
3009       +---+--+--------+
3010       |   |P |VLAN ID |
3011       +---+--+--------+
3012         0
3013
3014
3015       As  a  consequence  of this field’s format, one may use it to match the
3016       VLAN ID in all of the ways available with the OpenFlow 1.0 and 1.1 for‐
3017       mats, and a few new ways:
3018
3019              Fully wildcarded
3020                     Matches any packet, that is, one without an 802.1Q header
3021                     or with an 802.1Q header with any TCI value.
3022
3023              Value 0x0000 (OFPVID_NONE), mask 0xffff (or no mask)
3024                     Matches only packets without an 802.1Q header.
3025
3026              Value 0x1000, mask 0x1000
3027                     Matches any packet with an 802.1Q header,  regardless  of
3028                     VLAN ID.
3029
3030              Value 0x1009, mask 0xffff (or no mask)
3031                     Match only packets with an 802.1Q header with VLAN ID 9.
3032
3033              Value 0x1001, mask 0x1001
3034                     Matches  only  packets that have an 802.1Q header with an
3035                     odd-numbered VLAN ID. (This is just an example;  one  can
3036                     match on any desired VLAN ID bit pattern.)
3037
3038       OpenFlow 1.2+ VLAN Priority Field
3039
3040       Name:            vlan_pcp
3041       Width:           8 bits (only the least-significant 3 bits may be nonzero)
3042       Format:          decimal
3043
3044       Masking:         not maskable
3045       Prerequisites:   VLAN VID
3046       Access:          read/write
3047       OpenFlow 1.0:    yes (exact match only)
3048       OpenFlow 1.1:    yes (exact match only)
3049
3050
3051       OXM:             OXM_OF_VLAN_PCP  (7)  since OpenFlow 1.2 and Open vSwitch
3052                        1.7
3053       NXM:             none
3054
3055       The 3 least significant bits may be used to match the PCP  bits  in  an
3056       802.1Q header. Other bits are always zero:
3057
3058        OXM_OF_VLAN_VID
3059        <------------->
3060           5       3
3061       +--------+------+
3062       |  zero  | PCP  |
3063       +--------+------+
3064           0
3065
3066
3067       This  field  may  only be used when vlan_vid is not wildcarded and does
3068       not exact match on 0 (which  only  matches  when  there  is  no  802.1Q
3069       header).
3070
3071       See VLAN Comparison Chart, below, for some examples.
3072
3073   Open vSwitch Extension VLAN Field
3074       The vlan_tci extension can describe more kinds of VLAN matches than the
3075       other variants. It is also simpler than the other variants.
3076
3077       VLAN TCI Field
3078
3079       Name:            vlan_tci
3080       Width:           16 bits
3081       Format:          hexadecimal
3082       Masking:         arbitrary bitwise masks
3083       Prerequisites:   Ethernet
3084       Access:          read/write
3085
3086       OpenFlow 1.0:    yes (exact match only)
3087       OpenFlow 1.1:    yes (exact match only)
3088       OXM:             none
3089       NXM:             NXM_OF_VLAN_TCI (4) since Open vSwitch 1.1
3090
3091       For a packet without an 802.1Q header, this field is zero. For a packet
3092       with  an  802.1Q  header,  this  field is the TCI with the bit in CFI’s
3093       position (marked P for ``present’’ below) forced  to  1.  Thus,  for  a
3094       packet in VLAN 9 with priority 7, it has the value 0xf009:
3095
3096        NXM_VLAN_TCI
3097        <---------->
3098         3   1   12
3099       +----+--+----+
3100       |PCP |P |VID |
3101       +----+--+----+
3102         7   1   9
3103
3104
3105       Usage examples:
3106
3107              vlan_tci=0
3108                     Match packets without an 802.1Q header.
3109
3110              vlan_tci=0x1000/0x1000
3111                     Match  packets  with an 802.1Q header, regardless of VLAN
3112                     and priority values.
3113
3114              vlan_tci=0xf123
3115                     Match packets tagged with priority 7 in VLAN 0x123.
3116
3117              vlan_tci=0x1123/0x1fff
3118                     Match packets tagged with VLAN 0x123 (and any priority).
3119
3120              vlan_tci=0x5000/0xf000
3121                     Match packets tagged with priority 2 (in any VLAN).
3122
3123              vlan_tci=0/0xfff
3124                     Match packets with no 802.1Q header or tagged with VLAN 0
3125                     (and any priority).
3126
3127              vlan_tci=0x5000/0xe000
3128                     Match packets with no 802.1Q header or tagged with prior‐
3129                     ity 2 (in any VLAN).
3130
3131              vlan_tci=0/0xefff
3132                     Match packets with no 802.1Q header or tagged with VLAN 0
3133                     and priority 0.
3134
3135       See VLAN Comparison Chart, below, for more examples.
3136
3137   VLAN Comparison Chart
3138       The  following table describes each of several possible matching crite‐
3139       ria on 802.1Q header may be expressed with each variation of  the  VLAN
3140       matching fields:
3141
3142       Criteria        OpenFlow 1.0    OpenFlow 1.1    OpenFlow 1.2+   NXM
3143                                             _      _      _      _      _
3144
3145           [1]     ????/1,??/?     ????/1,??/?     0000/0000,--  0000/0000
3146           [2]     ffff/0,??/?     ffff/0,??/?     0000/ffff,--  0000/ffff
3147           [3]     0xxx/0,??/1     0xxx/0,??/1     1xxx/ffff,--  1xxx/1fff
3148           [4]     ????/1,0y/0     fffe/0,0y/0     1000/1000,0y  z000/f000
3149           [5]     0xxx/0,0y/0     0xxx/0,0y/0     1xxx/ffff,0y  zxxx/ffff
3150                           [6]     (none)  (none)  1001/1001,--  1001/1001
3151                                 [7]     (none)  (none)  (none)  3000/3000
3152                                 [8]     (none)  (none)  (none)  0000/0fff
3153                                 [9]     (none)  (none)  (none)  0000/f000
3154                                 [10]    (none)  (none)  (none)  0000/efff
3155
3156       All  numbers  in the table are expressed in hexadecimal. The columns in
3157       the table are interpreted as follows:
3158
3159              Criteria
3160                     See the list below.
3161
3162              OpenFlow 1.0
3163              OpenFlow 1.1
3164                   wwww/x,yy/z means VLAN ID match value  wwww  with  wildcard
3165                   bit  x  and  VLAN PCP match value yy with wildcard bit z. ?
3166                   means that the given bits are ignored (and conventionally 0
3167                   for  wwww  or  yy, conventionally 1 for x or z). ``(none)’’
3168                   means that OpenFlow 1.0 (or 1.1) cannot  match  with  these
3169                   criteria.
3170
3171              OpenFlow 1.2+
3172                   xxxx/yyyy,zz  means vlan_vid with value xxxx and mask yyyy,
3173                   and vlan_pcp (which is not  maskable)  with  value  zz.  --
3174                   means that vlan_pcp is omitted. ``(none)’’ means that Open‐
3175                   Flow 1.2 cannot match with these criteria.
3176
3177              NXM  xxxx/yyyy means vlan_tci with value xxxx and mask yyyy.
3178
3179       The matching criteria described by the table are:
3180
3181              [1]    Matches any packet, that is, one without an 802.1Q header
3182                     or with an 802.1Q header with any TCI value.
3183
3184              [2]    Matches only packets without an 802.1Q header.
3185
3186                     OpenFlow  1.0  doesn’t  define the behavior if dl_vlan is
3187                     set to 0xffff and dl_vlan_pcp is  not  wildcarded.  (Open
3188                     vSwitch always ignores dl_vlan_pcp when dl_vlan is set to
3189                     0xffff.)
3190
3191                     OpenFlow 1.1 says explicitly to ignore  dl_vlan_pcp  when
3192                     dl_vlan is set to 0xffff.
3193
3194                     OpenFlow  1.2  doesn’t  say how to interpret a match with
3195                     vlan_vid value 0 and a mask with OFPVID_PRESENT  (0x1000)
3196                     set  to  1 and some other bits in the mask set to 1 also.
3197                     Open vSwitch interprets it the same  way  as  a  mask  of
3198                     0x1000.
3199
3200                     Any  NXM  match with vlan_tci value 0 and the CFI bit set
3201                     to 1 in the mask is equivalent to the one listed  in  the
3202                     table.
3203
3204              [3]    Matches  only packets that have an 802.1Q header with VID
3205                     xxx (and any PCP).
3206
3207              [4]    Matches only packets that have an 802.1Q header with  PCP
3208                     y (and any VID).
3209
3210                     OpenFlow 1.0 doesn’t clearly define the behavior for this
3211                     case. Open vSwitch implements it this way.
3212
3213                     In the NXM value, z equals (y << 1) | 1.
3214
3215              [5]    Matches only packets that have an 802.1Q header with  VID
3216                     xxx and PCP y.
3217
3218                     In the NXM value, z equals (y << 1) | 1.
3219
3220              [6]    Matches  only  packets that have an 802.1Q header with an
3221                     odd-numbered VID (and any PCP). Only possible with  Open‐
3222                     Flow 1.2 and NXM. (This is just an example; one can match
3223                     on any desired VID bit pattern.)
3224
3225              [7]    Matches only packets that have an 802.1Q header  with  an
3226                     odd-numbered  PCP  (and any VID). Only possible with NXM.
3227                     (This is just an example; one can match  on  any  desired
3228                     VID bit pattern.)
3229
3230              [8]    Matches  packets  with no 802.1Q header or with an 802.1Q
3231                     header with a VID of 0. Only possible with NXM.
3232
3233              [9]    Matches packets with no 802.1Q header or with  an  802.1Q
3234                     header with a PCP of 0. Only possible with NXM.
3235
3236              [10]   Matches  packets  with no 802.1Q header or with an 802.1Q
3237                     header with both VID and PCP of  0.  Only  possible  with
3238                     NXM.

LAYER 2.5: MPLS FIELDS

3240   Summary:
3241       Name         Bytes             Mask   RW?   Prereqs   NXM/OXM Support
3242
3243       ───────────  ────────────────  ─────  ────  ────────  ──────────────────────
3244       mpls_label   4 (low 20 bits)   no     yes   MPLS      OF 1.2+ and OVS 1.11+
3245       mpls_tc      1 (low 3 bits)    no     yes   MPLS      OF 1.2+ and OVS 1.11+
3246
3247       mpls_bos     1 (low 1 bits)    no     no    MPLS      OF 1.3+ and OVS 1.11+
3248       mpls_ttl     1                 no     yes   MPLS      OVS 2.6+
3249
3250       One  or  more MPLS headers (more commonly called MPLS labels) follow an
3251       Ethernet type field that specifies an MPLS Ethernet  type  [RFC  3032].
3252       Ethertype  0x8847  is  used  for all unicast. Multicast MPLS is divided
3253       into two specific classes, one of which uses Ethertype 0x8847  and  the
3254       other 0x8848 [RFC 5332].
3255
3256       The most common overall packet format is Ethernet II, shown below (SNAP
3257       encapsulation may be used but is not ordinarily seen in  Ethernet  net‐
3258       works):
3259
3260           Ethernet           MPLS
3261        <------------>   <------------>
3262        48  48    16      20   3  1  8
3263       +---+---+------+ +-----+--+-+---+
3264       |dst|src| type | |label|TC|S|TTL| ...
3265       +---+---+------+ +-----+--+-+---+
3266                0x8847
3267
3268
3269       MPLS  can  be  encapsulated  inside an 802.1Q header, in which case the
3270       combination looks like this:
3271
3272        Ethernet     802.1Q     Ethertype        MPLS
3273        <------>   <-------->   <------->   <------------>
3274         48  48      16   16       16        20   3  1  8
3275       +----+---+ +------+---+ +---------+ +-----+--+-+---+
3276       |dst |src| | TPID |TCI| |  type   | |label|TC|S|TTL| ...
3277       +----+---+ +------+---+ +---------+ +-----+--+-+---+
3278                   0x8100        0x8847
3279
3280
3281       The fields within an MPLS label are:
3282
3283              Label, 20 bits.
3284                     An identifier.
3285
3286              Traffic control (TC), 3 bits.
3287                     Used for quality of service.
3288
3289              Bottom of stack (BOS), 1 bit (labeled just ``S’’ above).
3290                     0 indicates that another MPLS label follows this one.
3291
3292                     1 indicates that this MPLS label is the last one  in  the
3293                     stack, so that some other protocol follows this one.
3294
3295              Time to live (TTL), 8 bits.
3296                     Each  hop across an MPLS network decrements the TTL by 1.
3297                     If it reaches 0, the packet is discarded.
3298
3299                     OpenFlow does not make the MPLS TTL available as a  match
3300                     field, but actions are available to set and decrement the
3301                     TTL. Open vSwitch 2.6 and later makes the MPLS TTL avail‐
3302                     able as an extension.
3303
3304   MPLS Label Stacks
3305       Unlike the other encapsulations supported by OpenFlow and Open vSwitch,
3306       MPLS labels are routinely used in ``stacks’’  two  or  three  deep  and
3307       sometimes  even  deeper.  Open  vSwitch  currently supports up to three
3308       labels.
3309
3310       The OpenFlow specification only supports matching on the outermost MPLS
3311       label  at  any given time. To match on the second label, one must first
3312       ``pop’’ the outer label and advance to another  OpenFlow  table,  where
3313       the  inner  label may be matched. To match on the third label, one must
3314       pop the two outer labels, and so on.
3315
3316   MPLS Inner Protocol
3317       Unlike all other forms of encapsulation that Open vSwitch and  OpenFlow
3318       support,  an MPLS label does not indicate what inner protocol it encap‐
3319       sulates. Different deployments determine the inner protocol in  differ‐
3320       ent ways [RFC 3032]:
3321
3322              ·      A  few  reserved label values do indicate an inner proto‐
3323                     col. Label 0, the ``IPv4 Explicit NULL Label,’’ indicates
3324                     inner  IPv4.  Label  2, the ``IPv6 Explicit NULL Label,’’
3325                     indicates inner IPv6.
3326
3327              ·      Some deployments use  a  single  inner  protocol  consis‐
3328                     tently.
3329
3330              ·      In  some deployments, the inner protocol must be inferred
3331                     from the innermost label.
3332
3333              ·      In some deployments, the inner protocol must be  inferred
3334                     from  the innermost label and the encapsulated data, e.g.
3335                     to distinguish between  inner  IPv4  and  IPv6  based  on
3336                     whether the first nibble of the inner protocol data are 4
3337                     or 6. OpenFlow and Open vSwitch do not currently  support
3338                     these cases.
3339
3340       Open  vSwitch  and  OpenFlow  do  not infer the inner protocol, even if
3341       reserved label values are in use. Instead, the flow table must  specify
3342       the inner protocol at the time it pops the bottommost MPLS label, using
3343       the Ethertype argument to the pop_mpls action.
3344
3345   Field Details
3346       MPLS Label Field
3347
3348       Name:            mpls_label
3349       Width:           32 bits (only the least-significant 20 bits may be nonzero)
3350       Format:          decimal
3351       Masking:         not maskable
3352       Prerequisites:   MPLS
3353       Access:          read/write
3354       OpenFlow 1.0:    not supported
3355       OpenFlow 1.1:    yes (exact match only)
3356
3357       OXM:             OXM_OF_MPLS_LABEL (34) since OpenFlow 1.2 and Open  vSwitch
3358                        1.11
3359       NXM:             none
3360
3361       The  least  significant  20 bits hold the ``label’’ field from the MPLS
3362       label. Other bits are zero:
3363
3364        OXM_OF_MPLS_LABEL
3365        <--------------->
3366           12       20
3367       +--------+--------+
3368       |  zero  | label  |
3369       +--------+--------+
3370           0
3371
3372
3373       Most label values are available for  any  use  by  deployments.  Values
3374       under 16 are reserved.
3375
3376       MPLS Traffic Class Field
3377
3378       Name:            mpls_tc
3379       Width:           8 bits (only the least-significant 3 bits may be nonzero)
3380       Format:          decimal
3381       Masking:         not maskable
3382       Prerequisites:   MPLS
3383
3384       Access:          read/write
3385       OpenFlow 1.0:    not supported
3386       OpenFlow 1.1:    yes (exact match only)
3387       OXM:             OXM_OF_MPLS_TC  (35)  since OpenFlow 1.2 and Open vSwitch
3388                        1.11
3389       NXM:             none
3390
3391       The least significant 3 bits hold the TC field  from  the  MPLS  label.
3392       Other bits are zero:
3393
3394        OXM_OF_MPLS_TC
3395        <------------>
3396           5       3
3397       +--------+-----+
3398       |  zero  | TC  |
3399       +--------+-----+
3400           0
3401
3402
3403       This  field  is  intended  for  use  for  Quality  of Service (QoS) and
3404       Explicit Congestion Notification purposes, but its particular interpre‐
3405       tation is deployment specific.
3406
3407       Before 2009, this field was named EXP and reserved for experimental use
3408       [RFC 5462].
3409
3410       MPLS Bottom of Stack Field
3411
3412       Name:            mpls_bos
3413       Width:           8 bits (only the least-significant 1 bits may be nonzero)
3414       Format:          decimal
3415       Masking:         not maskable
3416       Prerequisites:   MPLS
3417       Access:          read-only
3418       OpenFlow 1.0:    not supported
3419
3420       OpenFlow 1.1:    not supported
3421       OXM:             OXM_OF_MPLS_BOS (36) since OpenFlow 1.3 and Open  vSwitch
3422                        1.11
3423       NXM:             none
3424
3425       The  least  significant  bit  holds  the BOS field from the MPLS label.
3426       Other bits are zero:
3427
3428        OXM_OF_MPLS_BOS
3429        <------------->
3430           7       1
3431       +--------+------+
3432       |  zero  | BOS  |
3433       +--------+------+
3434           0
3435
3436
3437       This field is useful as part of processing a series  of  incoming  MPLS
3438       labels.  A  flow that includes a pop_mpls action should generally match
3439       on mpls_bos:
3440
3441              ·      When mpls_bos is 0, there is another MPLS label following
3442                     this  one,  so the Ethertype passed to pop_mpls should be
3443                     an MPLS Ethertype. For example: table=0,  dl_type=0x8847,
3444                     mpls_bos=0, actions=pop_mpls:0x8847, goto_table:1
3445
3446              ·      When  mpls_bos  is 1, this MPLS label is the last one, so
3447                     the Ethertype passed to pop_mpls  should  be  a  non-MPLS
3448                     Ethertype   such   as   IPv4.   For   example:   table=1,
3449                     dl_type=0x8847,   mpls_bos=1,    actions=pop_mpls:0x0800,
3450                     goto_table:2
3451
3452       MPLS Time-to-Live Field
3453
3454       Name:            mpls_ttl
3455       Width:           8 bits
3456       Format:          decimal
3457
3458       Masking:         not maskable
3459       Prerequisites:   MPLS
3460       Access:          read/write
3461       OpenFlow 1.0:    not supported
3462       OpenFlow 1.1:    not supported
3463       OXM:             none
3464       NXM:             NXM_NX_MPLS_TTL (30) since Open vSwitch 2.6
3465
3466       Holds the 8-bit time-to-live field from the MPLS label:
3467
3468        NXM_NX_MPLS_TTL
3469        <------------->
3470               8
3471       +---------------+
3472       |      TTL      |
3473       +---------------+
3474
3475

LAYER 3: IPV4 AND IPV6 FIELDS

3477   Summary:
3478       Name                    Bytes             Mask   RW?   Prereqs     NXM/OXM Support
3479       ──────────────────────  ────────────────  ─────  ────  ──────────  ─────────────────────
3480       ip_src aka nw_src       4                 yes    yes   IPv4        OF 1.2+ and OVS 1.1+
3481
3482       ip_dst aka nw_dst       4                 yes    yes   IPv4        OF 1.2+ and OVS 1.1+
3483       ipv6_src                16                yes    yes   IPv6        OF 1.2+ and OVS 1.1+
3484       ipv6_dst                16                yes    yes   IPv6        OF 1.2+ and OVS 1.1+
3485       ipv6_label              4 (low 20 bits)   yes    yes   IPv6        OF 1.2+ and OVS 1.4+
3486       nw_proto aka ip_proto   1                 no     no    IPv4/IPv6   OF 1.2+ and OVS 1.1+
3487       nw_ttl                  1                 no     yes   IPv4/IPv6   OVS 1.4+
3488
3489       ip_frag aka nw_frag     1 (low 2 bits)    yes    no    IPv4/IPv6   OVS 1.3+
3490       nw_tos                  1                 no     yes   IPv4/IPv6   OVS 1.1+
3491       ip_dscp                 1 (low 6 bits)    no     yes   IPv4/IPv6   OF 1.2+ and OVS 1.7+
3492       nw_ecn aka ip_ecn       1 (low 2 bits)    no     yes   IPv4/IPv6   OF 1.2+ and OVS 1.4+
3493
3494   IPv4 Specific Fields
3495       These  fields  are  applicable  only to IPv4 flows, that is, flows that
3496       match on the IPv4 Ethertype 0x0800.
3497
3498       IPv4 Source Address Field
3499
3500       Name:            ip_src (aka nw_src)
3501       Width:           32 bits
3502       Format:          IPv4
3503       Masking:         arbitrary bitwise masks
3504
3505       Prerequisites:   IPv4
3506       Access:          read/write
3507       OpenFlow 1.0:    yes (CIDR match only)
3508       OpenFlow 1.1:    yes
3509       OXM:             OXM_OF_IPV4_SRC  (11)  since  OpenFlow  1.2  and  Open
3510                        vSwitch 1.7
3511       NXM:             NXM_OF_IP_SRC (7) since Open vSwitch 1.1
3512
3513       The source address from the IPv4 header:
3514
3515          Ethernet            IPv4
3516        <----------->   <--------------->
3517        48  48   16           8   32  32
3518       +---+---+-----+ +---+-----+---+---+
3519       |dst|src|type | |...|proto|src|dst| ...
3520       +---+---+-----+ +---+-----+---+---+
3521                0x800
3522
3523
3524       For historical reasons, in an ARP or RARP flow, Open vSwitch interprets
3525       matches on nw_src as actually referring to the ARP SPA.
3526
3527       IPv4 Destination Address Field
3528
3529       Name:            ip_dst (aka nw_dst)
3530       Width:           32 bits
3531       Format:          IPv4
3532       Masking:         arbitrary bitwise masks
3533       Prerequisites:   IPv4
3534       Access:          read/write
3535       OpenFlow 1.0:    yes (CIDR match only)
3536
3537       OpenFlow 1.1:    yes
3538       OXM:             OXM_OF_IPV4_DST  (12)  since  OpenFlow  1.2  and  Open
3539                        vSwitch 1.7
3540       NXM:             NXM_OF_IP_DST (8) since Open vSwitch 1.1
3541
3542       The destination address from the IPv4 header:
3543
3544          Ethernet            IPv4
3545        <----------->   <--------------->
3546        48  48   16           8   32  32
3547       +---+---+-----+ +---+-----+---+---+
3548       |dst|src|type | |...|proto|src|dst| ...
3549       +---+---+-----+ +---+-----+---+---+
3550                0x800
3551
3552
3553       For historical reasons, in an ARP or RARP flow, Open vSwitch interprets
3554       matches on nw_dst as actually referring to the ARP TPA.
3555
3556   IPv6 Specific Fields
3557       These fields apply only to IPv6 flows, that is, flows that match on the
3558       IPv6 Ethertype 0x86dd.
3559
3560       IPv6 Source Address Field
3561
3562       Name:            ipv6_src
3563       Width:           128 bits
3564       Format:          IPv6
3565       Masking:         arbitrary bitwise masks
3566       Prerequisites:   IPv6
3567       Access:          read/write
3568
3569       OpenFlow 1.0:    not supported
3570       OpenFlow 1.1:    not supported
3571       OXM:             OXM_OF_IPV6_SRC  (26)  since  OpenFlow  1.2  and  Open
3572                        vSwitch 1.1
3573       NXM:             NXM_NX_IPV6_SRC (19) since Open vSwitch 1.1
3574
3575       The source address from the IPv6 header:
3576
3577           Ethernet            IPv6
3578        <------------>   <-------------->
3579        48  48    16          8   128 128
3580       +---+---+------+ +---+----+---+---+
3581       |dst|src| type | |...|next|src|dst| ...
3582       +---+---+------+ +---+----+---+---+
3583                0x86dd
3584
3585
3586       Open vSwitch 1.8 added support for bitwise matching;  earlier  versions
3587       supported only CIDR masks.
3588
3589       IPv6 Destination Address Field
3590
3591       Name:            ipv6_dst
3592
3593       Width:           128 bits
3594       Format:          IPv6
3595       Masking:         arbitrary bitwise masks
3596       Prerequisites:   IPv6
3597       Access:          read/write
3598       OpenFlow 1.0:    not supported
3599       OpenFlow 1.1:    not supported
3600
3601       OXM:             OXM_OF_IPV6_DST  (27)  since  OpenFlow  1.2  and  Open
3602                        vSwitch 1.1
3603       NXM:             NXM_NX_IPV6_DST (20) since Open vSwitch 1.1
3604
3605       The destination address from the IPv6 header:
3606
3607           Ethernet            IPv6
3608        <------------>   <-------------->
3609        48  48    16          8   128 128
3610       +---+---+------+ +---+----+---+---+
3611       |dst|src| type | |...|next|src|dst| ...
3612       +---+---+------+ +---+----+---+---+
3613                0x86dd
3614
3615
3616       Open vSwitch 1.8 added support for bitwise matching;  earlier  versions
3617       supported only CIDR masks.
3618
3619       IPv6 Flow Label Field
3620
3621       Name:            ipv6_label
3622       Width:           32 bits (only the least-significant 20 bits may be nonzero)
3623       Format:          hexadecimal
3624
3625       Masking:         arbitrary bitwise masks
3626       Prerequisites:   IPv6
3627       Access:          read/write
3628       OpenFlow 1.0:    not supported
3629       OpenFlow 1.1:    not supported
3630       OXM:             OXM_OF_IPV6_FLABEL (28) since OpenFlow 1.2 and Open vSwitch
3631                        1.7
3632
3633       NXM:             NXM_NX_IPV6_LABEL (27) since Open vSwitch 1.4
3634
3635       The least significant 20 bits hold the flow label field from  the  IPv6
3636       header. Other bits are zero:
3637
3638        OXM_OF_IPV6_FLABEL
3639        <---------------->
3640           12       20
3641       +--------+---------+
3642       |  zero  |  label  |
3643       +--------+---------+
3644           0
3645
3646
3647   IPv4/IPv6 Fields
3648       These fields exist with at least approximately the same meaning in both
3649       IPv4 and IPv6, so they are treated as a single field for matching  pur‐
3650       poses.  Any  flow that matches on the IPv4 Ethertype 0x0800 or the IPv6
3651       Ethertype 0x86dd may match on these fields.
3652
3653       IPv4/v6 Protocol Field
3654
3655       Name:            nw_proto (aka ip_proto)
3656       Width:           8 bits
3657       Format:          decimal
3658
3659       Masking:         not maskable
3660       Prerequisites:   IPv4/IPv6
3661       Access:          read-only
3662       OpenFlow 1.0:    yes (exact match only)
3663       OpenFlow 1.1:    yes (exact match only)
3664       OXM:             OXM_OF_IP_PROTO  (10)  since  OpenFlow  1.2  and  Open
3665                        vSwitch 1.7
3666       NXM:             NXM_OF_IP_PROTO (6) since Open vSwitch 1.1
3667
3668       Matches the IPv4 or IPv6 protocol type.
3669
3670       For historical reasons, in an ARP or RARP flow, Open vSwitch interprets
3671       matches on nw_proto as actually referring to the ARP  opcode.  The  ARP
3672       opcode  is a 16-bit field, so for matching purposes ARP opcodes greater
3673       than 255 are treated as 0; this works adequately  because  in  practice
3674       ARP and RARP only use opcodes 1 through 4.
3675
3676       IPv4/v6 TTL/Hop Limit Field
3677
3678       Name:            nw_ttl
3679       Width:           8 bits
3680       Format:          decimal
3681       Masking:         not maskable
3682       Prerequisites:   IPv4/IPv6
3683       Access:          read/write
3684       OpenFlow 1.0:    not supported
3685
3686       OpenFlow 1.1:    not supported
3687       OXM:             none
3688       NXM:             NXM_NX_IP_TTL (29) since Open vSwitch 1.4
3689
3690       The  main  reason  to  match on the TTL or hop limit field is to detect
3691       whether a dec_ttl action will fail due to a TTL exceeded error. Another
3692       way  that  a  controller  can  detect  TTL  exceeded  is  to listen for
3693       OFPR_INVALID_TTL ``packet-in’’ messages via OpenFlow.
3694
3695       IPv4/v6 Fragment Bitmask Field
3696
3697       Name:            ip_frag (aka nw_frag)
3698       Width:           8 bits (only the least-significant 2 bits may be nonzero)
3699       Format:          frag
3700       Masking:         arbitrary bitwise masks
3701       Prerequisites:   IPv4/IPv6
3702       Access:          read-only
3703
3704       OpenFlow 1.0:    not supported
3705       OpenFlow 1.1:    not supported
3706       OXM:             none
3707       NXM:             NXM_NX_IP_FRAG (26) since Open vSwitch 1.3
3708
3709       Specifies what kinds of IP fragments or  non-fragments  to  match.  The
3710       value  for this field is most conveniently specified as one of the fol‐
3711       lowing:
3712
3713              no     Match only non-fragmented packets.
3714
3715              yes    Matches all fragments.
3716
3717              first  Matches only fragments with offset 0.
3718
3719              later  Matches only fragments with nonzero offset.
3720
3721              not_later
3722                     Matches non-fragmented packets and  fragments  with  zero
3723                     offset.
3724
3725       The field is internally formatted as 2 bits: bit 0 is 1 for an IP frag‐
3726       ment with any offset (and otherwise 0), and bit 1 is 1 for an IP  frag‐
3727       ment with nonzero offset (and otherwise 0), like so:
3728
3729        NXM_NX_IP_FRAG
3730        <------------>
3731         6     1    1
3732       +----+-----+---+
3733       |zero|later|any|
3734       +----+-----+---+
3735         0
3736
3737
3738       Even  though  2  bits have 4 possible values, this field only uses 3 of
3739       them:
3740
3741              ·      A packet that is not an IP fragment has value 0.
3742
3743              ·      A packet that is an IP fragment with offset 0 (the  first
3744                     fragment) has bit 0 set and thus value 1.
3745
3746              ·      A  packet  that is an IP fragment with nonzero offset has
3747                     bits 0 and 1 set and thus value 3.
3748
3749       The switch may reject matches against values that can never appear.
3750
3751       It is important to understand how this field interacts with  the  Open‐
3752       Flow fragment handling mode:
3753
3754              ·      In  OFPC_FRAG_DROP mode, the OpenFlow switch drops all IP
3755                     fragments before they reach  the  flow  table,  so  every
3756                     packet  that  is available for matching will have value 0
3757                     in this field.
3758
3759              ·      Open vSwitch does not implement OFPC_FRAG_REASM mode, but
3760                     if  it  did then IP fragments would be reassembled before
3761                     they reached the flow table and again every packet avail‐
3762                     able for matching would always have value 0.
3763
3764              ·      In  OFPC_FRAG_NORMAL mode, all three values are possible,
3765                     but OpenFlow 1.0 says that fragments’ transport ports are
3766                     always  0,  even for the first fragment, so this does not
3767                     provide much extra information.
3768
3769              ·      In OFPC_FRAG_NX_MATCH mode, all three values  are  possi‐
3770                     ble.  For  fragments with offset 0, Open vSwitch makes L4
3771                     header information available.
3772
3773       Thus, this field is likely to be most useful for an Open vSwitch switch
3774       configured  in  OFPC_FRAG_NX_MATCH  mode.  See  the  description of the
3775       set-frags command in ovs-ofctl(8), for more details.
3776
3777     IPv4/IPv6 TOS Fields
3778
3779       IPv4 and IPv6 contain a one-byte ``type of service’’ or TOS field  that
3780       has the following format:
3781
3782        type of service
3783        <------------->
3784           6       2
3785       +--------+------+
3786       |  DSCP  | ECN  |
3787       +--------+------+
3788
3789
3790       IPv4/v6 DSCP (Bits 2-7) Field
3791
3792       Name:            nw_tos
3793       Width:           8 bits
3794       Format:          decimal
3795       Masking:         not maskable
3796       Prerequisites:   IPv4/IPv6
3797       Access:          read/write
3798       OpenFlow 1.0:    yes (exact match only)
3799       OpenFlow 1.1:    yes (exact match only)
3800
3801       OXM:             none
3802       NXM:             NXM_OF_IP_TOS (5) since Open vSwitch 1.1
3803
3804       This field is the TOS byte with the two ECN bits cleared to 0:
3805
3806        NXM_OF_IP_TOS
3807        <----------->
3808          6      2
3809       +------+------+
3810       | DSCP | zero |
3811       +------+------+
3812                 0
3813
3814
3815       IPv4/v6 DSCP (Bits 0-5) Field
3816
3817       Name:            ip_dscp
3818       Width:           8 bits (only the least-significant 6 bits may be nonzero)
3819       Format:          decimal
3820       Masking:         not maskable
3821       Prerequisites:   IPv4/IPv6
3822
3823       Access:          read/write
3824       OpenFlow 1.0:    yes (exact match only)
3825       OpenFlow 1.1:    yes (exact match only)
3826       OXM:             OXM_OF_IP_DSCP  (8)  since  OpenFlow 1.2 and Open vSwitch
3827                        1.7
3828       NXM:             none
3829
3830       This field is the TOS byte shifted right to put the DSCP bits in the  6
3831       least-significant bits:
3832
3833        OXM_OF_IP_DSCP
3834        <------------>
3835           2      6
3836       +-------+------+
3837       | zero  | DSCP |
3838       +-------+------+
3839           0
3840
3841
3842       IPv4/v6 ECN Field
3843
3844
3845       Name:            nw_ecn (aka ip_ecn)
3846       Width:           8 bits (only the least-significant 2 bits may be nonzero)
3847       Format:          decimal
3848       Masking:         not maskable
3849       Prerequisites:   IPv4/IPv6
3850       Access:          read/write
3851       OpenFlow 1.0:    not supported
3852       OpenFlow 1.1:    yes (exact match only)
3853       OXM:             OXM_OF_IP_ECN (9) since OpenFlow 1.2 and Open vSwitch 1.7
3854       NXM:             NXM_NX_IP_ECN (28) since Open vSwitch 1.4
3855
3856       This field is the TOS byte with the DSCP bits cleared to 0:
3857
3858        OXM_OF_IP_ECN
3859        <----------->
3860           6      2
3861       +-------+-----+
3862       | zero  | ECN |
3863       +-------+-----+
3864           0
3865
3866

LAYER 3: ARP FIELDS

3868   Summary:
3869       Name      Bytes   Mask   RW?   Prereqs   NXM/OXM Support
3870       ────────  ──────  ─────  ────  ────────  ─────────────────────
3871       arp_op    2       no     yes   ARP       OF 1.2+ and OVS 1.1+
3872       arp_spa   4       yes    yes   ARP       OF 1.2+ and OVS 1.1+
3873       arp_tpa   4       yes    yes   ARP       OF 1.2+ and OVS 1.1+
3874       arp_sha   6       yes    yes   ARP       OF 1.2+ and OVS 1.1+
3875
3876       arp_tha   6       yes    yes   ARP       OF 1.2+ and OVS 1.1+
3877
3878       In  theory,  Address Resolution Protocol, or ARP, is a generic protocol
3879       generic protocol that can be used to obtain the hardware  address  that
3880       corresponds  to  any  higher-level  protocol  address.  In contemporary
3881       usage, ARP is used only in Ethernet networks  to  obtain  the  Ethernet
3882       address  for  a given IPv4 address. OpenFlow and Open vSwitch only sup‐
3883       port this usage of ARP. For this use case, an ARP packet has  the  fol‐
3884       lowing format, with the ARP fields exposed as Open vSwitch fields high‐
3885       lighted:
3886
3887          Ethernet                      ARP
3888        <----------->   <---------------------------------->
3889        48  48   16     16   16    8   8  16 48  16  48  16
3890       +---+---+-----+ +---+-----+---+---+--+---+---+---+---+
3891       |dst|src|type | |hrd| pro |hln|pln|op|sha|spa|tha|tpa|
3892       +---+---+-----+ +---+-----+---+---+--+---+---+---+---+
3893                0x806    1  0x800  6   4
3894
3895
3896       The ARP fields are also used for RARP, the Reverse  Address  Resolution
3897       Protocol, which shares ARP’s wire format.
3898
3899       ARP Opcode Field
3900
3901       Name:            arp_op
3902       Width:           16 bits
3903       Format:          decimal
3904       Masking:         not maskable
3905
3906       Prerequisites:   ARP
3907       Access:          read/write
3908       OpenFlow 1.0:    yes (exact match only)
3909       OpenFlow 1.1:    yes (exact match only)
3910       OXM:             OXM_OF_ARP_OP (21) since OpenFlow 1.2 and Open vSwitch
3911                        1.7
3912       NXM:             NXM_OF_ARP_OP (15) since Open vSwitch 1.1
3913
3914       Even though this is a 16-bit field, Open vSwitch does not  support  ARP
3915       opcodes greater than 255; it treats them to zero. This works adequately
3916       because in practice ARP and RARP only use opcodes 1 through 4.
3917
3918       ARP Source IPv4 Address Field
3919
3920       Name:            arp_spa
3921       Width:           32 bits
3922       Format:          IPv4
3923       Masking:         arbitrary bitwise masks
3924       Prerequisites:   ARP
3925
3926       Access:          read/write
3927       OpenFlow 1.0:    yes (CIDR match only)
3928       OpenFlow 1.1:    yes
3929       OXM:             OXM_OF_ARP_SPA  (22)  since  OpenFlow  1.2  and   Open
3930                        vSwitch 1.7
3931       NXM:             NXM_OF_ARP_SPA (16) since Open vSwitch 1.1
3932
3933       ARP Target IPv4 Address Field
3934
3935
3936       Name:            arp_tpa
3937       Width:           32 bits
3938       Format:          IPv4
3939       Masking:         arbitrary bitwise masks
3940       Prerequisites:   ARP
3941       Access:          read/write
3942       OpenFlow 1.0:    yes (CIDR match only)
3943       OpenFlow 1.1:    yes
3944
3945
3946       OXM:             OXM_OF_ARP_TPA   (23)  since  OpenFlow  1.2  and  Open
3947                        vSwitch 1.7
3948       NXM:             NXM_OF_ARP_TPA (17) since Open vSwitch 1.1
3949
3950       ARP Source Ethernet Address Field
3951
3952       Name:            arp_sha
3953       Width:           48 bits
3954       Format:          Ethernet
3955
3956       Masking:         arbitrary bitwise masks
3957       Prerequisites:   ARP
3958       Access:          read/write
3959       OpenFlow 1.0:    not supported
3960       OpenFlow 1.1:    not supported
3961       OXM:             OXM_OF_ARP_SHA  (24)  since  OpenFlow  1.2  and   Open
3962                        vSwitch 1.7
3963       NXM:             NXM_NX_ARP_SHA (17) since Open vSwitch 1.1
3964
3965       ARP Target Ethernet Address Field
3966
3967       Name:            arp_tha
3968       Width:           48 bits
3969       Format:          Ethernet
3970       Masking:         arbitrary bitwise masks
3971       Prerequisites:   ARP
3972       Access:          read/write
3973       OpenFlow 1.0:    not supported
3974       OpenFlow 1.1:    not supported
3975
3976       OXM:             OXM_OF_ARP_THA   (25)  since  OpenFlow  1.2  and  Open
3977                        vSwitch 1.7
3978       NXM:             NXM_NX_ARP_THA (18) since Open vSwitch 1.1
3979

LAYER 3: NSH FIELDS

3981   Summary:
3982       Name               Bytes             Mask   RW?   Prereqs   NXM/OXM Support
3983
3984       ─────────────────  ────────────────  ─────  ────  ────────  ────────────────
3985       nsh_flags          1                 yes    yes   NSH       OVS 2.8+
3986       nsh_ttl            1                 no     yes   NSH       OVS 2.9+
3987       nsh_mdtype         1                 no     no    NSH       OVS 2.8+
3988
3989       nsh_np             1                 no     no    NSH       OVS 2.8+
3990       nsh_spi aka nsp    4 (low 24 bits)   no     yes   NSH       OVS 2.8+
3991       nsh_si aka nsi     1                 no     yes   NSH       OVS 2.8+
3992       nsh_c1 aka nshc1   4                 yes    yes   NSH       OVS 2.8+
3993
3994       nsh_c2 aka nshc2   4                 yes    yes   NSH       OVS 2.8+
3995       nsh_c3 aka nshc3   4                 yes    yes   NSH       OVS 2.8+
3996       nsh_c4 aka nshc4   4                 yes    yes   NSH       OVS 2.8+
3997
3998       Service functions are widely deployed and essential in  many  networks.
3999       These  service  functions provide a range of features such as security,
4000       WAN acceleration, and server load balancing. Service functions  may  be
4001       instantiated  at different points in the network infrastructure such as
4002       the wide area network, data center, and so forth.
4003
4004       Prior to development of the SFC architecture [RFC 7665] and the  proto‐
4005       col  specified  in  this  document, current service function deployment
4006       models have been relatively static and bound to topology for  insertion
4007       and  policy  selection.  Furthermore, they do not adapt well to elastic
4008       service environments enabled by virtualization.
4009
4010       New data center network and cloud architectures require  more  flexible
4011       service  function  deployment  models.  Additionally, the transition to
4012       virtual platforms demands an agile service insertion  model  that  sup‐
4013       ports dynamic and elastic service delivery. Specifically, the following
4014       functions are necessary:
4015
4016              1.  The movement of service functions and application  workloads
4017                  in the network.
4018
4019              2.  The ability to easily bind service policy to granular infor‐
4020                  mation, such as per-subscriber state.
4021
4022              3.  The capability to steer traffic  to  the  requisite  service
4023                  function(s).
4024
4025       The Network Service Header (NSH) specification defines a new data plane
4026       protocol, which is an encapsulation for service  function  chains.  The
4027       NSH is designed to encapsulate an original packet or frame, and in turn
4028       be encapsulated by an outer transport encapsulation (which is  used  to
4029       deliver the NSH to NSH-aware network elements), as shown below:
4030
4031       +-----------------------+----------------------------+---------------------+
4032       |Transport Encapsulation|Network Service Header (NSH)|Original Packet/Frame|
4033       +-----------------------+----------------------------+---------------------+
4034
4035
4036       The NSH is composed of the following elements:
4037
4038              1.  Service Function Path identification.
4039
4040              2.  Indication of location within a Service Function Path.
4041
4042              3.  Optional, per packet metadata (fixed length or variable).
4043
4044       [RFC 7665] provides an overview of a service chaining architecture that
4045       clearly defines the roles of the various elements and the  scope  of  a
4046       service function chaining encapsulation. Figure 3 of [RFC 7665] depicts
4047       the SFC architectural components after classification. The NSH  is  the
4048       SFC encapsulation referenced in [RFC 7665].
4049
4050       flags field (2 bits) Field
4051
4052       Name:            nsh_flags
4053       Width:           8 bits
4054       Format:          decimal
4055       Masking:         arbitrary bitwise masks
4056       Prerequisites:   NSH
4057
4058       Access:          read/write
4059       OpenFlow 1.0:    not supported
4060       OpenFlow 1.1:    not supported
4061       OXM:             none
4062       NXM:             NXOXM_NSH_FLAGS (1) since Open vSwitch 2.8
4063
4064       TTL field (6 bits) Field
4065
4066       Name:            nsh_ttl
4067       Width:           8 bits
4068       Format:          decimal
4069
4070       Masking:         not maskable
4071       Prerequisites:   NSH
4072       Access:          read/write
4073       OpenFlow 1.0:    not supported
4074       OpenFlow 1.1:    not supported
4075
4076       OXM:             none
4077       NXM:             NXOXM_NSH_TTL (10) since Open vSwitch 2.9
4078
4079       mdtype field (8 bits) Field
4080
4081
4082       Name:            nsh_mdtype
4083       Width:           8 bits
4084       Format:          decimal
4085       Masking:         not maskable
4086       Prerequisites:   NSH
4087
4088       Access:          read-only
4089       OpenFlow 1.0:    not supported
4090       OpenFlow 1.1:    not supported
4091       OXM:             none
4092       NXM:             NXOXM_NSH_MDTYPE (2) since Open vSwitch 2.8
4093
4094       np (next protocol) field (8 bits) Field
4095
4096       Name:            nsh_np
4097       Width:           8 bits
4098       Format:          decimal
4099
4100       Masking:         not maskable
4101       Prerequisites:   NSH
4102       Access:          read-only
4103       OpenFlow 1.0:    not supported
4104       OpenFlow 1.1:    not supported
4105
4106       OXM:             none
4107       NXM:             NXOXM_NSH_NP (3) since Open vSwitch 2.8
4108
4109       spi (service path identifier) field (24 bits) Field
4110
4111
4112       Name:            nsh_spi (aka nsp)
4113       Width:           32 bits (only the least-significant 24 bits may be nonzero)
4114       Format:          hexadecimal
4115       Masking:         not maskable
4116       Prerequisites:   NSH
4117
4118       Access:          read/write
4119       OpenFlow 1.0:    not supported
4120       OpenFlow 1.1:    not supported
4121       OXM:             none
4122       NXM:             NXOXM_NSH_SPI (4) since Open vSwitch 2.8
4123
4124       si (service index) field (8 bits) Field
4125
4126       Name:            nsh_si (aka nsi)
4127       Width:           8 bits
4128       Format:          decimal
4129
4130       Masking:         not maskable
4131       Prerequisites:   NSH
4132       Access:          read/write
4133       OpenFlow 1.0:    not supported
4134       OpenFlow 1.1:    not supported
4135
4136       OXM:             none
4137       NXM:             NXOXM_NSH_SI (5) since Open vSwitch 2.8
4138
4139       c1 (Network Platform Context) field (32 bits) Field
4140
4141
4142       Name:            nsh_c1 (aka nshc1)
4143       Width:           32 bits
4144       Format:          hexadecimal
4145       Masking:         arbitrary bitwise masks
4146       Prerequisites:   NSH
4147
4148       Access:          read/write
4149       OpenFlow 1.0:    not supported
4150       OpenFlow 1.1:    not supported
4151       OXM:             none
4152       NXM:             NXOXM_NSH_C1 (6) since Open vSwitch 2.8
4153
4154       c2 (Network Shared Context) field (32 bits) Field
4155
4156       Name:            nsh_c2 (aka nshc2)
4157       Width:           32 bits
4158       Format:          hexadecimal
4159
4160       Masking:         arbitrary bitwise masks
4161       Prerequisites:   NSH
4162       Access:          read/write
4163       OpenFlow 1.0:    not supported
4164       OpenFlow 1.1:    not supported
4165
4166       OXM:             none
4167       NXM:             NXOXM_NSH_C2 (7) since Open vSwitch 2.8
4168
4169       c3 (Service Platform Context) field (32 bits) Field
4170
4171
4172       Name:            nsh_c3 (aka nshc3)
4173       Width:           32 bits
4174       Format:          hexadecimal
4175       Masking:         arbitrary bitwise masks
4176       Prerequisites:   NSH
4177
4178       Access:          read/write
4179       OpenFlow 1.0:    not supported
4180       OpenFlow 1.1:    not supported
4181       OXM:             none
4182       NXM:             NXOXM_NSH_C3 (8) since Open vSwitch 2.8
4183
4184       c4 (Service Shared Context) field (32 bits) Field
4185
4186       Name:            nsh_c4 (aka nshc4)
4187       Width:           32 bits
4188       Format:          hexadecimal
4189
4190       Masking:         arbitrary bitwise masks
4191       Prerequisites:   NSH
4192       Access:          read/write
4193       OpenFlow 1.0:    not supported
4194       OpenFlow 1.1:    not supported
4195
4196       OXM:             none
4197       NXM:             NXOXM_NSH_C4 (9) since Open vSwitch 2.8
4198

LAYER 4: TCP, UDP, AND SCTP FIELDS

4200   Summary:
4201       Name                 Bytes             Mask   RW?   Prereqs   NXM/OXM Support
4202
4203       ───────────────────  ────────────────  ─────  ────  ────────  ─────────────────────
4204       tcp_src aka tp_src   2                 yes    yes   TCP       OF 1.2+ and OVS 1.1+
4205       tcp_dst aka tp_dst   2                 yes    yes   TCP       OF 1.2+ and OVS 1.1+
4206       tcp_flags            2 (low 12 bits)   yes    no    TCP       OF 1.3+ and OVS 2.1+
4207
4208       udp_src              2                 yes    yes   UDP       OF 1.2+ and OVS 1.1+
4209       udp_dst              2                 yes    yes   UDP       OF 1.2+ and OVS 1.1+
4210       sctp_src             2                 yes    yes   SCTP      OF 1.2+ and OVS 2.0+
4211       sctp_dst             2                 yes    yes   SCTP      OF 1.2+ and OVS 2.0+
4212
4213       For  matching  purposes, no distinction is made whether these protocols
4214       are encapsulated within IPv4 or IPv6.
4215
4216   TCP
4217       The following diagram shows TCP within IPv4. Open vSwitch also supports
4218       TCP  in  IPv6.  Only  TCP fields implemented as Open vSwitch fields are
4219       shown:
4220
4221          Ethernet            IPv4                   TCP
4222        <----------->   <--------------->   <------------------->
4223        48  48   16           8   32  32    16  16       12
4224       +---+---+-----+ +---+-----+---+---+ +---+---+---+-----+---+
4225       |dst|src|type | |...|proto|src|dst| |src|dst|...|flags|...| ...
4226       +---+---+-----+ +---+-----+---+---+ +---+---+---+-----+---+
4227                0x800         6
4228
4229
4230       TCP Source Port Field
4231
4232       Name:            tcp_src (aka tp_src)
4233       Width:           16 bits
4234       Format:          decimal
4235       Masking:         arbitrary bitwise masks
4236
4237       Prerequisites:   TCP
4238       Access:          read/write
4239       OpenFlow 1.0:    yes (exact match only)
4240       OpenFlow 1.1:    yes (exact match only)
4241
4242
4243       OXM:             OXM_OF_TCP_SRC  (13)  since  OpenFlow  1.2  and   Open
4244                        vSwitch 1.7
4245       NXM:             NXM_OF_TCP_SRC (9) since Open vSwitch 1.1
4246
4247       Open vSwitch 1.6 added support for bitwise matching.
4248
4249       TCP Destination Port Field
4250
4251       Name:            tcp_dst (aka tp_dst)
4252       Width:           16 bits
4253       Format:          decimal
4254
4255       Masking:         arbitrary bitwise masks
4256       Prerequisites:   TCP
4257       Access:          read/write
4258       OpenFlow 1.0:    yes (exact match only)
4259       OpenFlow 1.1:    yes (exact match only)
4260
4261       OXM:             OXM_OF_TCP_DST   (14)  since  OpenFlow  1.2  and  Open
4262                        vSwitch 1.7
4263       NXM:             NXM_OF_TCP_DST (10) since Open vSwitch 1.1
4264
4265       Open vSwitch 1.6 added support for bitwise matching.
4266
4267       TCP Flags Field
4268
4269       Name:            tcp_flags
4270       Width:           16 bits (only the least-significant 12 bits may be nonzero)
4271       Format:          TCP flags
4272
4273       Masking:         arbitrary bitwise masks
4274       Prerequisites:   TCP
4275       Access:          read-only
4276       OpenFlow 1.0:    not supported
4277       OpenFlow 1.1:    not supported
4278
4279       OXM:             ONFOXM_ET_TCP_FLAGS  (42)  since  OpenFlow  1.3  and   Open
4280                        vSwitch  2.4;  OXM_OF_TCP_FLAGS (42) since OpenFlow 1.5 and
4281                        Open vSwitch 2.3
4282       NXM:             NXM_NX_TCP_FLAGS (34) since Open vSwitch 2.1
4283
4284       This field holds the TCP flags. TCP currently defines 9 flag  bits.  An
4285       additional  3  bits  are reserved. For more information, see [RFC 793],
4286       [RFC 3168], and [RFC 3540].
4287
4288       Matches on this field are most conveniently written in  terms  of  sym‐
4289       bolic names (given in the diagram below), each preceded by either + for
4290       a flag that must be set, or - for a flag that must  be  unset,  without
4291       any  other  delimiters between the flags. Flags not mentioned are wild‐
4292       carded. For example, tcp,tcp_flags=+syn-ack matches TCP SYNs  that  are
4293       not  ACKs,  and  tcp,tcp_flags=+[200]  matches  TCP  packets  with  the
4294       reserved [200] flag set. Matches can also  be  written  as  flags/mask,
4295       where  flags  and  mask are 16-bit numbers in decimal or in hexadecimal
4296       prefixed by 0x.
4297
4298       The flag bits are:
4299
4300                 reserved      later RFCs         RFC 793
4301             <---------------> <--------> <--------------------->
4302         4     1     1     1   1   1   1   1   1   1   1   1   1
4303       +----+-----+-----+-----+--+---+---+---+---+---+---+---+---+
4304       |zero|[800]|[400]|[200]|NS|CWR|ECE|URG|ACK|PSH|RST|SYN|FIN|
4305       +----+-----+-----+-----+--+---+---+---+---+---+---+---+---+
4306         0
4307
4308
4309   UDP
4310       The following diagram shows UDP within IPv4. Open vSwitch also supports
4311       UDP  in  IPv6.  Only UDP fields that Open vSwitch exposes as fields are
4312       shown:
4313
4314          Ethernet            IPv4              UDP
4315        <----------->   <--------------->   <--------->
4316        48  48   16           8   32  32    16  16
4317       +---+---+-----+ +---+-----+---+---+ +---+---+---+
4318       |dst|src|type | |...|proto|src|dst| |src|dst|...| ...
4319       +---+---+-----+ +---+-----+---+---+ +---+---+---+
4320                0x800        17
4321
4322
4323       UDP Source Port Field
4324
4325       Name:            udp_src
4326
4327       Width:           16 bits
4328       Format:          decimal
4329       Masking:         arbitrary bitwise masks
4330       Prerequisites:   UDP
4331       Access:          read/write
4332
4333       OpenFlow 1.0:    yes (exact match only)
4334       OpenFlow 1.1:    yes (exact match only)
4335       OXM:             OXM_OF_UDP_SRC  (15)  since  OpenFlow  1.2  and   Open
4336                        vSwitch 1.7
4337       NXM:             NXM_OF_UDP_SRC (11) since Open vSwitch 1.1
4338
4339       UDP Destination Port Field
4340
4341       Name:            udp_dst
4342       Width:           16 bits
4343       Format:          decimal
4344
4345       Masking:         arbitrary bitwise masks
4346       Prerequisites:   UDP
4347       Access:          read/write
4348       OpenFlow 1.0:    yes (exact match only)
4349       OpenFlow 1.1:    yes (exact match only)
4350
4351       OXM:             OXM_OF_UDP_DST   (16)  since  OpenFlow  1.2  and  Open
4352                        vSwitch 1.7
4353       NXM:             NXM_OF_UDP_DST (12) since Open vSwitch 1.1
4354
4355   SCTP
4356       The following diagram shows SCTP within IPv4. Open  vSwitch  also  sup‐
4357       ports  SCTP  in  IPv6.  Only  SCTP  fields that Open vSwitch exposes as
4358       fields are shown:
4359
4360          Ethernet            IPv4             SCTP
4361        <----------->   <--------------->   <--------->
4362        48  48   16           8   32  32    16  16
4363       +---+---+-----+ +---+-----+---+---+ +---+---+---+
4364       |dst|src|type | |...|proto|src|dst| |src|dst|...| ...
4365       +---+---+-----+ +---+-----+---+---+ +---+---+---+
4366                0x800        132
4367
4368
4369       SCTP Source Port Field
4370
4371
4372       Name:            sctp_src
4373       Width:           16 bits
4374       Format:          decimal
4375       Masking:         arbitrary bitwise masks
4376       Prerequisites:   SCTP
4377       Access:          read/write
4378
4379       OpenFlow 1.0:    not supported
4380       OpenFlow 1.1:    yes (exact match only)
4381       OXM:             OXM_OF_SCTP_SRC  (17)  since  OpenFlow  1.2  and  Open
4382                        vSwitch 2.0
4383       NXM:             none
4384
4385       SCTP Destination Port Field
4386
4387       Name:            sctp_dst
4388       Width:           16 bits
4389       Format:          decimal
4390       Masking:         arbitrary bitwise masks
4391       Prerequisites:   SCTP
4392
4393       Access:          read/write
4394       OpenFlow 1.0:    not supported
4395       OpenFlow 1.1:    yes (exact match only)
4396       OXM:             OXM_OF_SCTP_DST  (18)  since  OpenFlow  1.2  and  Open
4397                        vSwitch 2.0
4398       NXM:             none
4399

LAYER 4: ICMPV4 AND ICMPV6 FIELDS

4401   Summary:
4402       Name              Bytes   Mask   RW?   Prereqs      NXM/OXM Support
4403       ────────────────  ──────  ─────  ────  ───────────  ─────────────────────
4404
4405       icmp_type         1       no     yes   ICMPv4       OF 1.2+ and OVS 1.1+
4406       icmp_code         1       no     yes   ICMPv4       OF 1.2+ and OVS 1.1+
4407       icmpv6_type       1       no     yes   ICMPv6       OF 1.2+ and OVS 1.1+
4408       icmpv6_code       1       no     yes   ICMPv6       OF 1.2+ and OVS 1.1+
4409       nd_target         16      yes    yes   ND           OF 1.2+ and OVS 1.1+
4410
4411       nd_sll            6       yes    yes   ND solicit   OF 1.2+ and OVS 1.1+
4412       nd_tll            6       yes    yes   ND advert    OF 1.2+ and OVS 1.1+
4413       nd_reserved       4       no     yes   ND           OVS 2.11+
4414       nd_options_type   1       no     yes   ND           OVS 2.11+
4415
4416   ICMPv4
4417          Ethernet            IPv4             ICMPv4
4418        <----------->   <--------------->   <----------->
4419        48  48   16           8   32  32     8    8
4420       +---+---+-----+ +---+-----+---+---+ +----+----+---+
4421       |dst|src|type | |...|proto|src|dst| |type|code|...| ...
4422       +---+---+-----+ +---+-----+---+---+ +----+----+---+
4423                0x800         1
4424
4425
4426       ICMPv4 Type Field
4427
4428       Name:            icmp_type
4429       Width:           8 bits
4430       Format:          decimal
4431       Masking:         not maskable
4432       Prerequisites:   ICMPv4
4433       Access:          read/write
4434
4435       OpenFlow 1.0:    yes (exact match only)
4436       OpenFlow 1.1:    yes (exact match only)
4437       OXM:             OXM_OF_ICMPV4_TYPE (19) since OpenFlow  1.2  and  Open
4438                        vSwitch 1.7
4439       NXM:             NXM_OF_ICMP_TYPE (13) since Open vSwitch 1.1
4440
4441       For  historical  reasons,  in  an  ICMPv4 flow, Open vSwitch interprets
4442       matches on tp_src as actually referring to the ICMP type.
4443
4444       ICMPv4 Code Field
4445
4446       Name:            icmp_code
4447       Width:           8 bits
4448       Format:          decimal
4449       Masking:         not maskable
4450
4451       Prerequisites:   ICMPv4
4452       Access:          read/write
4453       OpenFlow 1.0:    yes (exact match only)
4454       OpenFlow 1.1:    yes (exact match only)
4455       OXM:             OXM_OF_ICMPV4_CODE (20) since OpenFlow  1.2  and  Open
4456                        vSwitch 1.7
4457       NXM:             NXM_OF_ICMP_CODE (14) since Open vSwitch 1.1
4458
4459       For  historical  reasons,  in  an  ICMPv4 flow, Open vSwitch interprets
4460       matches on tp_dst as actually referring to the ICMP code.
4461
4462   ICMPv6
4463           Ethernet            IPv6            ICMPv6
4464        <------------>   <-------------->   <----------->
4465        48  48    16          8   128 128    8    8
4466       +---+---+------+ +---+----+---+---+ +----+----+---+
4467       |dst|src| type | |...|next|src|dst| |type|code|...| ...
4468       +---+---+------+ +---+----+---+---+ +----+----+---+
4469                0x86dd        58
4470
4471
4472       ICMPv6 Type Field
4473
4474
4475       Name:            icmpv6_type
4476       Width:           8 bits
4477       Format:          decimal
4478       Masking:         not maskable
4479       Prerequisites:   ICMPv6
4480       Access:          read/write
4481       OpenFlow 1.0:    not supported
4482
4483       OpenFlow 1.1:    not supported
4484       OXM:             OXM_OF_ICMPV6_TYPE (29) since OpenFlow  1.2  and  Open
4485                        vSwitch 1.7
4486       NXM:             NXM_NX_ICMPV6_TYPE (21) since Open vSwitch 1.1
4487
4488       ICMPv6 Code Field
4489
4490
4491       Name:            icmpv6_code
4492       Width:           8 bits
4493       Format:          decimal
4494       Masking:         not maskable
4495       Prerequisites:   ICMPv6
4496       Access:          read/write
4497       OpenFlow 1.0:    not supported
4498
4499       OpenFlow 1.1:    not supported
4500       OXM:             OXM_OF_ICMPV6_CODE  (30)  since  OpenFlow 1.2 and Open
4501                        vSwitch 1.7
4502       NXM:             NXM_NX_ICMPV6_CODE (22) since Open vSwitch 1.1
4503
4504   ICMPv6 Neighbor Discovery
4505           Ethernet            IPv6              ICMPv6            ICMPv6 ND
4506        <------------>   <-------------->   <-------------->   <--------------->
4507        48  48    16          8   128 128      8     8          128
4508       +---+---+------+ +---+----+---+---+ +-------+----+---+ +------+----------+
4509       |dst|src| type | |...|next|src|dst| | type  |code|...| |target|option ...|
4510       +---+---+------+ +---+----+---+---+ +-------+----+---+ +------+----------+
4511                0x86dd        58            135/136  0
4512
4513
4514       ICMPv6 Neighbor Discovery Target IPv6 Field
4515
4516       Name:            nd_target
4517       Width:           128 bits
4518       Format:          IPv6
4519       Masking:         arbitrary bitwise masks
4520       Prerequisites:   ND
4521       Access:          read/write
4522
4523       OpenFlow 1.0:    not supported
4524       OpenFlow 1.1:    not supported
4525       OXM:             OXM_OF_IPV6_ND_TARGET (31) since OpenFlow 1.2 and Open
4526                        vSwitch 1.7
4527       NXM:             NXM_NX_ND_TARGET (23) since Open vSwitch 1.1
4528
4529       ICMPv6 Neighbor Discovery Source Ethernet Address Field
4530
4531       Name:            nd_sll
4532       Width:           48 bits
4533       Format:          Ethernet
4534       Masking:         arbitrary bitwise masks
4535       Prerequisites:   ND solicit
4536       Access:          read/write
4537       OpenFlow 1.0:    not supported
4538
4539       OpenFlow 1.1:    not supported
4540       OXM:             OXM_OF_IPV6_ND_SLL  (32)  since  OpenFlow 1.2 and Open
4541                        vSwitch 1.7
4542       NXM:             NXM_NX_ND_SLL (24) since Open vSwitch 1.1
4543
4544       ICMPv6 Neighbor Discovery Target Ethernet Address Field
4545
4546
4547       Name:            nd_tll
4548       Width:           48 bits
4549       Format:          Ethernet
4550       Masking:         arbitrary bitwise masks
4551       Prerequisites:   ND advert
4552       Access:          read/write
4553       OpenFlow 1.0:    not supported
4554
4555       OpenFlow 1.1:    not supported
4556       OXM:             OXM_OF_IPV6_ND_TLL (33) since OpenFlow  1.2  and  Open
4557                        vSwitch 1.7
4558       NXM:             NXM_NX_ND_TLL (25) since Open vSwitch 1.1
4559
4560       ICMPv6 Neighbor Discovery Reserved Field Field
4561
4562
4563       Name:            nd_reserved
4564       Width:           32 bits
4565       Format:          decimal
4566       Masking:         not maskable
4567       Prerequisites:   ND
4568       Access:          read/write
4569       OpenFlow 1.0:    not supported
4570
4571       OpenFlow 1.1:    not supported
4572       OXM:             none
4573       NXM:             ERICOXM_OF_ICMPV6_ND_RESERVED  (1)  since Open vSwitch
4574                        2.11
4575
4576       This is used to set the R,S,O bits in Neighbor Advertisement Messages
4577
4578       ICMPv6 Neighbor Discovery Options Type Field Field
4579
4580       Name:            nd_options_type
4581       Width:           8 bits
4582       Format:          decimal
4583       Masking:         not maskable
4584       Prerequisites:   ND
4585       Access:          read/write
4586
4587       OpenFlow 1.0:    not supported
4588       OpenFlow 1.1:    not supported
4589       OXM:             none
4590       NXM:             ERICOXM_OF_ICMPV6_ND_OPTIONS_TYPE   (2)   since   Open
4591                        vSwitch 2.11
4592
4593       A value of 1 indicates that the option is Source Link Layer. A value of
4594       2 indicates that the options is Target Link Layer.  See  RFC  4861  for
4595       further details.
4596

REFERENCES

4598              Casado M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown,
4599                     and S. Shenker, ``Ethane: Taking Control  of  the  Enter‐
4600                     prise,’’ Computer Communications Review, October 2007.
4601
4602              ERSPAN M. Foschiano, K. Ghosh, M. Mehta, ``Cisco Systems’ Encap‐
4603                     sulated Remote Switch Port Analyzer (ERSPAN),’’ ⟨https://
4604                     tools.ietf.org/html/draft-foschiano-erspan-03⟩ .
4605
4606              EXT-56 J.  Tonsing,  ``Permit  one  of a set of prerequisites to
4607                     apply, e.g. don’t preclude non-Ethernet media,’’
4608https://rs.opennetworking.org/bugs/browse/EXT-56⟩   (ONF
4609                     members only).
4610
4611              EXT-112
4612                     J. Tourrilhes, ``Support non-Ethernet packets  throughout
4613                     the pipeline,’’ ⟨https://rs.opennetworking.org/bugs/
4614                     browse/EXT-112⟩ (ONF members only).
4615
4616              EXT-134
4617                     J. Tourrilhes, ``Match first  nibble  of  the  MPLS  pay‐
4618                     load,’’ ⟨https://rs.opennetworking.org/bugs/browse/
4619                     EXT-134⟩ (ONF members only).
4620
4621              Geneve J. Gross, I. Ganga, and T.  Sridhar,  editors,  ``Geneve:
4622                     Generic Network Virtualization Encapsulation,’’ ⟨https://
4623                     datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/⟩ .
4624
4625              IEEE OUI
4626                     IEEE Standards Association,  ``MAC  Address  Block  Large
4627                     (MA-L),’’ ⟨https://standards.ieee.org/develop/regauth/
4628                     oui/index.html⟩ .
4629
4630              NSH    P.  Quinn  and  U.  Elzur,  editors,  ``Network   Service
4631                     Header,’’ ⟨https://datatracker.ietf.org/doc/
4632                     draft-ietf-sfc-nsh/⟩ .
4633
4634              OpenFlow 1.0.1
4635                     Open Networking  Foundation,  ``OpenFlow  Switch  Errata,
4636                     Version 1.0.1,’’ June 2012.
4637
4638              OpenFlow 1.1
4639                     OpenFlow Consortium, ``OpenFlow Switch Specification Ver‐
4640                     sion 1.1.0 Implemented (Wire Protocol  0x02),’’  February
4641                     2011.
4642
4643              OpenFlow 1.5
4644                     Open  Networking Foundation, ``OpenFlow Switch Specifica‐
4645                     tion Version 1.5.0 (Protocol  version  0x06),’’  December
4646                     2014.
4647
4648              OpenFlow Extensions 1.3.x Package 2
4649                     Open  Networking  Foundation, ``OpenFlow Extensions 1.3.x
4650                     Package 2,’’ December 2013.
4651
4652              TCP Flags Match Field Extension
4653                     Open  Networking  Foundation,  ``TCP  flags  match  field
4654                     Extension,’’ December 2014. In [OpenFlow Extensions 1.3.x
4655                     Package 2].
4656
4657              Pepelnjak
4658                     I. Pepelnjak, ``OpenFlow and Fermi Estimates,’’ ⟨http://
4659                     blog.ipspace.net/2013/09/openflow-and-fermi-esti‐
4660                     mates.html⟩ .
4661
4662              RFC 793
4663                     ``Transmission Control Protocol,’’ ⟨http://www.ietf.org/
4664                     rfc/rfc793.txt⟩ .
4665
4666              RFC 3032
4667                     E.  Rosen,  D.  Tappan, G. Fedorkow, Y. Rekhter, D. Fari‐
4668                     nacci, T. Li, and A. Conta,  ``MPLS  Label  Stack  Encod‐
4669                     ing,’’ ⟨http://www.ietf.org/rfc/rfc3032.txt⟩ .
4670
4671              RFC 3168
4672                     K.  Ramakrishnan,  S. Floyd, and D. Black, ``The Addition
4673                     of Explicit Congestion Notification (ECN) to IP,’’
4674https://tools.ietf.org/html/rfc3168⟩ .
4675
4676              RFC 3540
4677                     N.  Spring,  D.  Wetherall, and D. Ely, ``Robust Explicit
4678                     Congestion Notification (ECN) Signaling with Nonces,’’
4679https://tools.ietf.org/html/rfc3540⟩ .
4680
4681              RFC 4632
4682                     V.  Fuller  and  T.  Li, ``Classless Inter-domain Routing
4683                     (CIDR): The Internet Address Assignment  and  Aggregation
4684                     Plan,’’ ⟨https://tools.ietf.org/html/rfc4632⟩ .
4685
4686              RFC 5462
4687                     L.  Andersson and R. Asati, ``Multiprotocol Label Switch‐
4688                     ing (MPLS) Label Stack Entry: ``EXP’’  Field  Renamed  to
4689                     ``Traffic Class’’ Field,’’ ⟨http://www.ietf.org/rfc/
4690                     rfc5462.txt⟩ .
4691
4692              RFC 6830
4693                     D. Farinacci, V. Fuller, D. Meyer, and  D.  Lewis,  ``The
4694                     Locator/ID Separation Protocol (LISP),’’ ⟨http://
4695                     www.ietf.org/rfc/rfc6830.txt⟩ .
4696
4697              RFC 7348
4698                     M. Mahalingam, D. Dutt, K. Duda, P. Agarwal, L.  Kreeger,
4699                     T. Sridhar, M. Bursell, and C. Wright, ``Virtual eXtensi‐
4700                     ble Local Area Network (VXLAN): A Framework for  Overlay‐
4701                     ing  Virtualized  Layer 2 Networks over Layer 3 Networks,
4702                     ’’ ⟨https://tools.ietf.org/html/rfc7348⟩ .
4703
4704              RFC 7665
4705                     J. Halpern, Ed. and C. Pignataro, Ed., ``Service Function
4706                     Chaining (SFC) Architecture,’’ ⟨https://tools.ietf.org/
4707                     html/rfc7665⟩ .
4708
4709              Srinivasan
4710                     V. Srinivasan, S. Suriy, and G. Varghese, ``Packet  Clas‐
4711                     sification using Tuple Space Search,’’ SIGCOMM 1999.
4712
4713              Pagiamtzis
4714                     K.  Pagiamtzis  and A. Sheikholeslami, ``Content-address‐
4715                     able memory (CAM) circuits and architectures: A  tutorial
4716                     and  survey,’’ IEEE Journal of Solid-State Circuits, vol.
4717                     41, no. 3, pp. 712-727, March 2006.
4718
4719              VXLAN Group Policy Option
4720                     M. Smith and L. Kreeger, `` VXLAN Group Policy  Option.’’
4721                     Internet-Draft.  ⟨https://tools.ietf.org/html/
4722                     draft-smith-vxlan-group-policy⟩ .
4723

AUTHORS

4725       Ben Pfaff, with advice from Justin Pettit and Jean Tourrilhes.
4726
4727
4728
4729Open vSwitch                        2.15.0                       ovs-fields(7)
Impressum