1ovs-fields(7)                 Open vSwitch Manual                ovs-fields(7)
2
3
4

NAME

6       ovs-fields - protocol header fields in OpenFlow and Open vSwitch
7

INTRODUCTION

9       This  document aims to comprehensively document all of the fields, both
10       standard and non-standard,  supported  by  OpenFlow  or  Open  vSwitch,
11       regardless of origin.
12
13   Fields
14       A  field  is  a  property of a packet. Most familiarly, data fields are
15       fields that can be extracted from a packet. Most data fields are copied
16       directly  from  protocol  headers, e.g. at layer 2, the Ethernet source
17       and destination addresses, or the VLAN ID; at layer 3, the IPv4 or IPv6
18       source  and  destination;  and  at layer 4, the TCP or UDP ports. Other
19       data fields are computed, e.g. ip_frag describes whether a packet is  a
20       fragment but it is not copied directly from the IP header.
21
22       Data  fields that are always present as a consequence of the basic net‐
23       working technology in use are called called root fields.  Open  vSwitch
24       2.7  and earlier considered Ethernet fields to be root fields, and this
25       remains the default mode of operation for Open vSwitch bridges. When  a
26       packet  is  received  from a non-Ethernet interfaces, such as a layer-3
27       LISP tunnel, Open vSwitch 2.7 and earlier force-fit the packet to  this
28       Ethernet-centric point of view by pretending that an Ethernet header is
29       present whose Ethernet type that indicates  the  packet’s  actual  type
30       (and whose source and destination addresses are all-zero).
31
32       Open vSwitch 2.8 and later implement the ``packet type-aware pipeline’’
33       concept introduced in OpenFlow 1.5. Such a pipeline does not  have  any
34       root  fields. Instead, a new metadata field, packet_type, indicates the
35       basic type of the packet, which can be Ethernet, IPv4, IPv6, or another
36       type.  For backward compatibility, by default Open vSwitch 2.8 imitates
37       the behavior of Open vSwitch 2.7 and earlier. Later  versions  of  Open
38       vSwitch  may  change  the  default, and in the meantime controllers can
39       turn off this legacy behavior, on  a  port-by-port  basis,  by  setting
40       options:packet_type to ptap in the Interface table. This is significant
41       only for ports that can handle non-Ethernet packets, which is currently
42       just  LISP, VXLAN-GPE, and GRE tunnel ports. See ovs-vwitchd.conf.db(5)
43       for more information.
44
45       Non-root data fields are not always  present.  A  packet  contains  ARP
46       fields,  for example, only when its packet type is ARP or when it is an
47       Ethernet packet whose Ethernet header indicates the Ethertype for  ARP,
48       0x0806.  In  this documentation, we say that a field is applicable when
49       it is present in a packet, and inapplicable when it is not. (These  are
50       not  standard terms.) We refer to the conditions that determine whether
51       a field is applicable as prerequisites. Some VLAN-related fields are  a
52       special  case: these fields are always applicable for Ethernet packets,
53       but have a designated value or bit that indicates whether a VLAN header
54       is  present,  with  the  remaining  values  or bits indicating the VLAN
55       header’s content (if it is present).
56
57       An inapplicable field does  not  have  a  value,  not  even  a  nominal
58       ``value’’  such  as  all-zero-bits. In many circumstances, OpenFlow and
59       Open vSwitch allow references only to applicable fields.  For  example,
60       one  may  match  (see  Matching, below) a given field only if the match
61       includes the field’s prerequisite, e.g. matching an ARP field  is  only
62       allowed  if one also matches on Ethertype 0x0806 or the packet_type for
63       ARP in a packet type-aware bridge.
64
65       Sometimes a packet may contain multiple  instances  of  a  header.  For
66       example,  a  packet may contain multiple VLAN or MPLS headers, and tun‐
67       nels can cause any data field to recur. OpenFlow and  Open  vSwitch  do
68       not  address these cases uniformly. For VLAN and MPLS headers, only the
69       outermost header is accessible, so that inner headers may  be  accessed
70       only by ``popping’’ (removing) the outer header. (Open vSwitch supports
71       only a single VLAN header in any case.) For tunnels, e.g. GRE or VXLAN,
72       the  outer  header  and  inner  headers  are  treated as different data
73       fields.
74
75       Many network protocols are built in layers as a stack  of  concatenated
76       headers.  Each  header  typically  contains  a ``next type’’ field that
77       indicates the type of the protocol header that follows,  e.g.  Ethernet
78       contains  an Ethertype and IPv4 contains a IP protocol type. The excep‐
79       tional cases, where protocols are layered but an outer layer  does  not
80       indicate  the  protocol  type  for  the  inner  layer, or gives only an
81       ambiguous indication, are troublesome. An  MPLS  header,  for  example,
82       only  indicates whether another MPLS header or some other protocol fol‐
83       lows, and in the latter case the inner protocol must be known from  the
84       context.  In  these exceptional cases, OpenFlow and Open vSwitch cannot
85       provide insight into the inner protocol data fields without  additional
86       context,  and  thus  they  treat  all later data fields as inapplicable
87       until an OpenFlow action explicitly specifies what protocol follows. In
88       the  case  of  MPLS,  the OpenFlow ``pop MPLS’’ action that removes the
89       last MPLS header from a packet provides this context, as the  Ethertype
90       of the payload. See Layer 2.5: MPLS for more information.
91
92       OpenFlow  and  Open vSwitch support some fields other than data fields.
93       Metadata fields relate to the origin or treatment of a packet, but they
94       are not extracted from the packet data itself. One example is the phys‐
95       ical port on which a packet arrived at the switch. Register fields  act
96       like  variables: they give an OpenFlow switch space for temporary stor‐
97       age while processing a packet. Existing metadata  and  register  fields
98       have no prerequisites.
99
100       A  field’s  value  consists  of  an  integral number of bytes. For data
101       fields, sometimes those bytes are taken directly from the packet. Other
102       data  fields  are copied from a packet with padding (usually with zeros
103       and in the most significant positions). The remaining data  fields  are
104       transformed  in other ways as they are copied from the packets, to make
105       them more useful for matching.
106
107   Matching
108       The most important use of fields in OpenFlow is matching, to  determine
109       whether  particular field values agree with a set of constraints called
110       a match. A match consists of zero or  more  constraints  on  individual
111       fields,  all  of  which must be met to satisfy the match. (A match that
112       contains no constraints is always satisfied.) OpenFlow and Open vSwitch
113       support a number of forms of matching on individual fields:
114
115              Exact match, e.g. nw_src=10.1.2.3
116                     Only  a  particular  value  of  the field is matched; for
117                     example, only one particular  source  IP  address.  Exact
118                     matches  are  written  as field=value. The forms accepted
119                     for value depend on the field.
120
121                     All fields support exact matches.
122
123              Bitwise match, e.g. nw_src=10.1.0.0/255.255.0.0
124                     Specific bits in the field must  have  specified  values;
125                     for  example,  only  source  IP addresses in a particular
126                     subnet. Bitwise matches are written as  field=value/mask,
127                     where  value  and mask take one of the forms accepted for
128                     an exact match on field. Some fields accept  other  forms
129                     for       bitwise       matches;       for       example,
130                     nw_src=10.1.0.0/255.255.0.0   may   also    be    written
131                     nw_src=10.1.0.0/16.
132
133                     Most  OpenFlow switches do not allow every bitwise match‐
134                     ing on every field (and before OpenFlow 1.2, the protocol
135                     did  not  even  provide  for  the  possibility  for  most
136                     fields). Even switches that do allow bitwise matching  on
137                     a  given  field  may restrict the masks that are allowed,
138                     e.g. by allowing matches only on contiguous sets of  bits
139                     starting from the most significant bit, that is, ``CIDR’’
140                     masks [RFC 4632]. Open vSwitch does  not  allows  bitwise
141                     matching  on every field, but it allows arbitrary bitwise
142                     masks on any field that does  support  bitwise  matching.
143                     (Older  versions  had some restrictions, as documented in
144                     the descriptions of individual fields.)
145
146              Wildcard, e.g. ``any nw_src’’
147                     The value of the field  is  not  constrained.  Wildcarded
148                     fields  may be written as field=*, although it is unusual
149                     to mention them  at  all.  (When  specifying  a  wildcard
150                     explicitly  in  a  command  invocation,  be sure to using
151                     quoting to protect against shell expansion.)
152
153                     There is a tiny difference between  wildcarding  a  field
154                     and  not  specifying  any match on a field: wildcarding a
155                     field requires satisfying the field’s prerequisites.
156
157       Some types of matches on individual fields cannot be expressed directly
158       with OpenFlow and Open vSwitch. These can be expressed indirectly:
159
160              Set match, e.g. ``tcp_dst ∈ {80, 443, 8080}’’
161                     The value of a field is one of a specified set of values;
162                     for example, the TCP destination  port  is  80,  443,  or
163                     8080.
164
165                     For  matches  used  in flows (see Flows, below), multiple
166                     flows can simulate set matches.
167
168              Range match, e.g. ``1000 ≤ tcp_dst ≤ 1999’’
169                     The value of the field must lie within a numerical range,
170                     for example, TCP destination ports between 1000 and 1999.
171
172                     Range matches can be expressed as a collection of bitwise
173                     matches. For example, suppose that the goal is  to  match
174                     TCP source ports 1000 to 1999, inclusive. The binary rep‐
175                     resentations of 1000 and 1999 are:
176
177                     01111101000
178                     11111001111
179
180
181                     The following series of bitwise matches will  match  1000
182                     and 1999 and all the values in between:
183
184                     01111101xxx
185                     0111111xxxx
186                     10xxxxxxxxx
187                     110xxxxxxxx
188                     1110xxxxxxx
189                     11110xxxxxx
190                     1111100xxxx
191
192
193                     which can be written as the following matches:
194
195                     tcp,tp_src=0x03e8/0xfff8
196                     tcp,tp_src=0x03f0/0xfff0
197                     tcp,tp_src=0x0400/0xfe00
198                     tcp,tp_src=0x0600/0xff00
199                     tcp,tp_src=0x0700/0xff80
200                     tcp,tp_src=0x0780/0xffc0
201                     tcp,tp_src=0x07c0/0xfff0
202
203
204              Inequality match, e.g. ``tcp_dst ≠ 80’’
205                     The  value  of  the field differs from a specified value,
206                     for example, all TCP destination ports except 80.
207
208                     An inequality match on an n-bit field can be expressed as
209                     a  disjunction  of  n  1-bit  matches.  For  example, the
210                     inequality match ``vlan_pcp ≠ 5’’  can  be  expressed  as
211                     ``vlan_pcp  =  0/4 or vlan_pcp = 2/2 or vlan_pcp = 0/1.’’
212                     For matches used in flows (see Flows,  below),  sometimes
213                     one  can  more  compactly express inequality as a higher-
214                     priority flow that matches the  exceptional  case  paired
215                     with a lower-priority flow that matches the general case.
216
217                     Alternatively,  an inequality match may be converted to a
218                     pair of range matches, e.g. tcp_src ≠ 80 may be expressed
219                     as ``0 ≤ tcp_src < 80 or 80 < tcp_src ≤ 65535’’, and then
220                     each range match may in turn be converted  to  a  bitwise
221                     match.
222
223              Conjunctive  match, e.g. ``tcp_src ∈ {80, 443, 8080} and tcp_dst
224              ∈ {80, 443, 8080}’’
225                     As an OpenFlow extension, Open vSwitch supports  matching
226                     on conditions on conjunctions of the previously mentioned
227                     forms of matching. See the documentation for conj_id  for
228                     more information.
229
230       All  of  these supported forms of matching are special cases of bitwise
231       matching. In some cases this influences the  design  of  field  values.
232       ip_frag  is  the  most prominent example: it is designed to make all of
233       the practically useful checks for IP fragmentation possible as a single
234       bitwise match.
235
236     Shorthands
237
238       Some  matches are very commonly used, so Open vSwitch accepts shorthand
239       notations. In some cases, Open vSwitch also  uses  shorthand  notations
240       when  it  displays  matches. The following shorthands are defined, with
241       their long forms shown on the right side:
242
243              eth    packet_type=(0,0) (Open vSwitch 2.8 and later)
244
245              ip     eth_type=0x0800
246
247              ipv6   eth_type=0x86dd
248
249              icmp   eth_type=0x0800,ip_proto=1
250
251              icmp6  eth_type=0x86dd,ip_proto=58
252
253              tcp    eth_type=0x0800,ip_proto=6
254
255              tcp6   eth_type=0x86dd,ip_proto=6
256
257              udp    eth_type=0x0800,ip_proto=17
258
259              udp6   eth_type=0x86dd,ip_proto=17
260
261              sctp   eth_type=0x0800,ip_proto=132
262
263              sctp6  eth_type=0x86dd,ip_proto=132
264
265              arp    eth_type=0x0806
266
267              rarp   eth_type=0x8035
268
269              mpls   eth_type=0x8847
270
271              mplsm  eth_type=0x8848
272
273   Evolution of OpenFlow Fields
274       The discussion so far applies to all OpenFlow  and  Open  vSwitch  ver‐
275       sions.  This section starts to draw in specific information by explain‐
276       ing, in broad terms, the treatment of fields and matches in each  Open‐
277       Flow version.
278
279     OpenFlow 1.0
280
281       OpenFlow  1.0  defined  the  OpenFlow  protocol  format of a match as a
282       fixed-length data structure that could match on the following fields:
283
284              ·      Ingress port.
285
286              ·      Ethernet source and destination MAC.
287
288              ·      Ethertype (with a special value to match frames that lack
289                     an Ethertype).
290
291              ·      VLAN ID and priority.
292
293              ·      IPv4 source, destination, protocol, and DSCP.
294
295              ·      TCP source and destination port.
296
297              ·      UDP source and destination port.
298
299              ·      ICMPv4 type and code.
300
301              ·      ARP IPv4 addresses (SPA and TPA) and opcode.
302
303       Each supported field corresponded to some member of the data structure.
304       Some members represented multiple fields, in the case of the TCP,  UDP,
305       ICMPv4,  and ARP fields whose presence is mutually exclusive. This also
306       meant that some members were poor fits for their fields: only the low 8
307       bits of the 16-bit ARP opcode could be represented, and the ICMPv4 type
308       and code were padded with 8 bits of zeros to fit in the 16-bit  members
309       primarily  meant  for  TCP  and  UDP ports. An additional bitmap member
310       indicated, for each member, whether its field should be an ``exact’’ or
311       ``wildcarded’’  match  (see Matching), with additional support for CIDR
312       prefix matching on the IPv4 source and destination fields.
313
314       Simplicity was recognized early on as the main virtue of this approach.
315       Obviously,  any fixed-length data structure cannot support matching new
316       protocols that do not fit. There was no room, for example, for matching
317       IPv6 fields, which was not a priority at the time. Lack of room to sup‐
318       port matching the Ethernet addresses inside ARP packets actually caused
319       more  of  a  design problem later, leading to an Open vSwitch extension
320       action specialized for dropping ``spoofed’’ ARP packets  in  which  the
321       frame  and  ARP Ethernet source addressed differed. (This extension was
322       never standardized. Open vSwitch dropped support for it a few  releases
323       after it added support for full ARP matching.)
324
325       The  design  of the OpenFlow fixed-length matches also illustrates com‐
326       promises, in both directions, between the strengths and  weaknesses  of
327       software  and  hardware that have always influenced the design of Open‐
328       Flow. Support for matching ARP fields that do fit in the data structure
329       was  only  added  late  in the design process (and remained optional in
330       OpenFlow 1.0), for example, because common switch ASICs did not support
331       matching these fields.
332
333       The compromises in favor of software occurred for more complicated rea‐
334       sons. The OpenFlow designers did not know how to implement matching  in
335       software  that  was  fast, dynamic, and general. (A way was later found
336       [Srinivasan].) Thus, the designers sought to support  dynamic,  general
337       matching  that  would be fast in realistic special cases, in particular
338       when all of the matches were microflows, that is, matches that  specify
339       every  field  present  in  a packet, because such matches can be imple‐
340       mented as a single hash table lookup. Contemporary  research  supported
341       the  feasibility of this approach: the number of microflows in a campus
342       network had been measured to peak  at  about  10,000  [Casado,  section
343       3.2]. (Calculations show that this can only be true in a lightly loaded
344       network [Pepelnjak].)
345
346       As a result, OpenFlow 1.0 required switches to treat microflow  matches
347       as  the  highest  possible priority. This let software switches perform
348       the microflow hash table lookup first.  Only  on  failure  to  match  a
349       microflow did the switch need to fall back to checking the more general
350       and presumed slower matches. Also, the OpenFlow 1.0 flow match was min‐
351       imally  flexible,  with no support for general bitwise matching, partly
352       on the basis that this seemed more likely amenable to relatively  effi‐
353       cient  software  implementation.  (CIDR  masking for IPv4 addresses was
354       added relatively late in the OpenFlow 1.0 design process.)
355
356       Microflow matching was later discovered to aid some hardware  implemen‐
357       tations.  The  TCAM  chips used for matching in hardware do not support
358       priority in the same way as OpenFlow but instead tie priority to order‐
359       ing  [Pagiamtzis]. Thus, adding a new match with a priority between the
360       priorities of existing matches can require reordering an arbitrary num‐
361       ber  of  TCAM  entries.  On the other hand, when microflows are highest
362       priority, they can be managed  as  a  set-aside  portion  of  the  TCAM
363       entries.
364
365       The  emphasis  on  matching  microflows also led designers to carefully
366       consider the bandwidth requirements between switch and  controller:  to
367       maximize  the  number of microflow setups per second, one must minimize
368       the size of each flow’s description. This favored the fixed-length for‐
369       mat in use, because it expressed common TCP and UDP microflows in fewer
370       bytes than more flexible ``type-length-value’’  (TLV)  formats.  (Early
371       versions  of OpenFlow also avoided TLVs in general to head off protocol
372       fragmentation.)
373
374       Inapplicable Fields
375
376       OpenFlow 1.0 does not clearly specify how to treat inapplicable fields.
377       The  members  for  inapplicable  fields are always present in the match
378       data structure, as are the bits that indicate whether  the  fields  are
379       matched,  and  the  ``correct’’  member and bit values for inapplicable
380       fields is unclear. OpenFlow 1.0 implementations changed their  behavior
381       over time as priorities shifted. The early OpenFlow reference implemen‐
382       tation, motivated to make every flow a  microflow  to  enable  hashing,
383       treated  inapplicable  fields  as  exact  matches on a value of 0. Ini‐
384       tially, this behavior was implemented in the reference controller only.
385
386       Later, the reference switch was also  changed  to  actually  force  any
387       wildcarded  inapplicable  fields  into  exact  matches on 0. The latter
388       behavior sometimes caused problems, because the modified flow  was  the
389       one  reported back to the controller later when it queried the flow ta‐
390       ble, and the modifications sometimes meant that  the  controller  could
391       not  properly recognize the flow that it had added. In retrospect, per‐
392       haps this problem should have alerted the designers to a design  error,
393       but  the  ability to use a single hash table was held to be more impor‐
394       tant than almost every other consideration at the time.
395
396       When more flexible match formats were introduced much later, they  dis‐
397       allowed  any  mention  of  inapplicable fields as part of a match. This
398       raised the question of how to translate between this new format and the
399       OpenFlow 1.0 fixed format. It seemed somewhat inconsistent and backward
400       to treat fields as exact-match in one format and forbid  matching  them
401       in  the  other,  so instead the treatment of inapplicable fields in the
402       fixed-length format was changed from exact match on 0  to  wildcarding.
403       (A  better  classifier had by now eliminated software performance prob‐
404       lems with wildcards.)
405
406       The OpenFlow 1.0.1 errata (released only in 2012) added some additional
407       explanation  [OpenFlow 1.0.1, section 3.4], but it did not mandate spe‐
408       cific behavior because of variation among implementations.
409
410     OpenFlow 1.1
411
412       The  OpenFlow  1.1  protocol   match   format   was   designed   as   a
413       type/length/value  (TLV)  format  to  allow for future flexibility. The
414       specification standardized only a single type OFPMT_STANDARD (0) with a
415       fixed-size  payload,  described here. The additional fields and bitwise
416       masks in OpenFlow 1.1 cause this match structure to be  over  twice  as
417       large as in OpenFlow 1.0, 88 bytes versus 40.
418
419       OpenFlow 1.1 added support for the following fields:
420
421              ·      SCTP source and destination port.
422
423              ·      MPLS label and traffic control (TC) fields.
424
425              ·      One 64-bit register (named ``metadata’’).
426
427       OpenFlow  1.1 increased the width of the ingress port number field (and
428       all other port numbers in the protocol) from 16 bits to 32 bits.
429
430       OpenFlow 1.1 increased matching flexibility  by  introducing  arbitrary
431       bitwise  matching  on  Ethernet  and IPv4 address fields and on the new
432       ``metadata’’ register field. Switches were not required to support  all
433       possible masks [OpenFlow 1.1, section 4.3].
434
435       By  a strict reading of the specification, OpenFlow 1.1 removed support
436       for matching ICMPv4 type and code [OpenFlow 1.1,  section  A.2.3],  but
437       this  is  likely  an  editing  error because ICMP matching is described
438       elsewhere [OpenFlow 1.1, Table 3, Table 4, Figure 4]. Open vSwitch does
439       support ICMPv4 type and code matching with OpenFlow 1.1.
440
441       OpenFlow  1.1 avoided the pitfalls of inapplicable fields that OpenFlow
442       1.0 encountered, by requiring the switch to ignore the specified  field
443       values  [OpenFlow  1.1, section A.2.3]. It also implied that the switch
444       should ignore the bits that  indicate  whether  to  match  inapplicable
445       fields.
446
447       Physical Ingress Port
448
449       OpenFlow  1.1 introduced a new pseudo-field, the physical ingress port.
450       The physical ingress port is only a pseudo-field because it  cannot  be
451       used  for  matching.  It appears only one place in the protocol, in the
452       ``packet-in’’ message that passes a packet received at the switch to an
453       OpenFlow controller.
454
455       A  packet’s ingress port and physical ingress port are identical except
456       for packets processed by a switch feature such as bonding or  tunneling
457       that  makes  a packet appear to arrive on a ``virtual’’ port associated
458       with the bond or the tunnel. For such packets, the ingress port is  the
459       virtual  port and the physical ingress port is, naturally, the physical
460       port. Open vSwitch implements both bonding and tunneling, but its bond‐
461       ing implementation does not use virtual ports and its tunnels are typi‐
462       cally not on the same OpenFlow switch as their physical  ingress  ports
463       (which  need not be part of any switch), so the ingress port and physi‐
464       cal ingress port are always the same in Open vSwitch.
465
466     OpenFlow 1.2
467
468       OpenFlow 1.2 abandoned the fixed-length approach to matching. One  rea‐
469       son  was size, since adding support for IPv6 address matching (now seen
470       as important), with bitwise masks, would have added  64  bytes  to  the
471       match  length,  increasing it from 88 bytes in OpenFlow 1.1 to over 150
472       bytes. Extensibility had also become important  as  controller  writers
473       increasingly  wanted  support  for  new fields without having to change
474       messages throughout the OpenFlow protocol. The challenges of  carefully
475       defining  fixed-length  matches  to  avoid  problems  with inapplicable
476       fields had also become clear over time.
477
478       Therefore, OpenFlow 1.2 adopted a flow format using  a  flexible  type-
479       length-value  (TLV) representation, in which each TLV expresses a match
480       on one field. These TLVs were in turn encapsulated inside the outer TLV
481       wrapper  introduced  in  OpenFlow 1.1 with the new identifier OFPMT_OXM
482       (1). (This wrapper fulfilled  its  intended  purpose  of  reducing  the
483       amount  of churn in the protocol when changing match formats; some mes‐
484       sages that included matches remained unchanged from OpenFlow 1.1 to 1.2
485       and later versions.)
486
487       OpenFlow 1.2 added support for the following fields:
488
489              ·      ARP hardware addresses (SHA and THA).
490
491              ·      IPv4 ECN.
492
493              ·      IPv6  source and destination addresses, flow label, DSCP,
494                     ECN, and protocol.
495
496              ·      TCP, UDP, and SCTP port numbers when encapsulated  inside
497                     IPv6.
498
499              ·      ICMPv6 type and code.
500
501              ·      ICMPv6  Neighbor  Discovery target address and source and
502                     target Ethernet addresses.
503
504       The OpenFlow 1.2 format, called OXM (OpenFlow  Extensible  Match),  was
505       modeled  closely  on  an  extension  to OpenFlow 1.0 introduced in Open
506       vSwitch 1.1 called NXM (Nicira Extended Match). Each OXM or NXM TLV has
507       the following format:
508
509               type
510        <---------------->
511             16        7   1    8      length bytes
512       +------------+-----+--+------+ +------------+
513       |vendor/class|field|HM|length| |    body    |
514       +------------+-----+--+------+ +------------+
515
516
517       The most significant 16 bits of the NXM or OXM header, called vendor by
518       NXM and class by OXM, identify an organization  permitted  to  allocate
519       identifiers  for  fields.  NXM  allocates  only two vendors, 0x0000 for
520       fields supported by OpenFlow 1.0 and 0x0001 for fields  implemented  as
521       an Open vSwitch extension. OXM assigns classes as follows:
522
523              0x0000 (OFPXMC_NXM_0).
524              0x0001 (OFPXMC_NXM_1).
525                   Reserved for NXM compatibility.
526
527              0x0002 to 0x7fff
528                   Reserved  for  allocation  to  ONF  members,  but  none yet
529                   assigned.
530
531              0x8000 (OFPXMC_OPENFLOW_BASIC)
532                   Used for most standard OpenFlow fields.
533
534              0x8001 (OFPXMC_PACKET_REGS)
535                   Used for packet register fields in OpenFlow 1.5 and later.
536
537              0x8002 to 0xfffe
538                   Reserved for the OpenFlow specification.
539
540              0xffff (OFPXMC_EXPERIMENTER)
541                   Experimental use.
542
543       When class is 0xffff, the OXM header is extended to 64  bits  by  using
544       the  first 32 bits of the body as an experimenter field whose most sig‐
545       nificant byte is zero and whose remaining bytes are an Organizationally
546       Unique  Identifier  (OUI)  assigned  by  the  IEEE [IEEE OUI], as shown
547       below.
548
549            type                 experimenter
550        <---------->             <---------->
551          16     7   1    8        8     24     (length - 4) bytes
552       +------+-----+--+------+ +------+-----+ +------------------+
553       |class |field|HM|length| | zero | OUI | |       body       |
554       +------+-----+--+------+ +------+-----+ +------------------+
555        0xffff                    0x00
556
557
558       OpenFlow says that support for experimenter fields  is  optional.  Open
559       vSwitch  2.4  and  later  does support them, so that it can support the
560       following experimenter classes:
561
562              0x4f4e4600 (ONFOXM_ET)
563                     Used by official Open Networking Foundation extensions in
564                     OpenFlow  1.3  and  later.  e.g.  [TCP  Flags Match Field
565                     Extension].
566
567              0x005ad650 (NXOXM_NSH)
568                     Used by Open vSwitch for NSH extensions, in  the  absence
569                     of  an official ONF-assigned class. (This OUI is randomly
570                     generated.)
571
572       Taken as a unit, class  (or  vendor),  field,  and  experimenter  (when
573       present) uniquely identify a particular field.
574
575       When  hasmask (abbreviated HM above) is 0, the OXM is an exact match on
576       an entire field. In this case, the  body  (excluding  the  experimenter
577       field, if present) is a single value to be matched.
578
579       When  hasmask is 1, the OXM is a bitwise match. The body (excluding the
580       experimenter field) consists of a value to match, followed by the  bit‐
581       wise  mask to apply. A 1-bit in the mask indicates that the correspond‐
582       ing bit in the value should be matched and a 0-bit that  it  should  be
583       ignored.  For  example, for an IP address field, a value of 192.168.0.0
584       followed by  a  mask  of  255.255.0.0  would  match  addresses  in  the
585       196.168.0.0/16 subnet.
586
587              ·      Some  fields  might  not support masking at all, and some
588                     fields that do support masking might restrict it to  cer‐
589                     tain  patterns.  For example, fields that have IP address
590                     values might be restricted to CIDR  masks.  The  descrip‐
591                     tions of individual fields note these restrictions.
592
593              ·      An  OXM  TLV  with a mask that is all zeros is not useful
594                     (although it is not forbidden), because  it  is  has  the
595                     same effect as omitting the TLV entirely.
596
597              ·      It  is not meaningful to pair a 0-bit in an OXM mask with
598                     a 1-bit in its value, and Open vSwitch  rejects  such  an
599                     OXM  with  the error OFPBMC_BAD_WILDCARDS, as required by
600                     OpenFlow 1.3 and later.
601
602       The length identifies the number of bytes in the  body,  including  the
603       4-byte  experimenter header, if it is present. Each OXM TLV has a fixed
604       length; that is, given class, field,  experimenter  (if  present),  and
605       hasmask,  length  is  a  constant. The length is included explicitly to
606       allow software to minimally parse OXM TLVs of unknown types.
607
608       OXM TLVs must be ordered so that a field’s prerequisites are  satisfied
609       before  it  is parsed. For example, an OXM TLV that matches on the IPv4
610       source address field is only allowed following an OXM TLV that  matches
611       on  the  Ethertype  for IPv4. Similarly, an OXM TLV that matches on the
612       TCP source port must follow a TLV that matches an Ethertype of IPv4  or
613       IPv6  and  one  that matches an IP protocol of TCP (in that order). The
614       order of OXM TLVs is not otherwise restricted; no canonical ordering is
615       defined.
616
617       A given field may be matched only once in a series of OXM TLVs.
618
619     OpenFlow 1.3
620
621       OpenFlow  1.3 showed OXM to be largely successful, by adding new fields
622       without making any changes to how flow  matches  otherwise  worked.  It
623       added OXMs for the following fields supported by Open vSwitch:
624
625              ·      Tunnel  ID  for ports associated with e.g. VXLAN or keyed
626                     GRE.
627
628              ·      MPLS ``bottom of stack’’ (BOS) bit.
629
630       OpenFlow 1.3 also added OXMs for the following  fields  not  documented
631       here and not yet implemented by Open vSwitch:
632
633              ·      IPv6 extension header handling.
634
635              ·      PBB I-SID.
636
637     OpenFlow 1.4
638
639       OpenFlow  1.4  added  OXMs for the following fields not documented here
640       and not yet implemented by Open vSwitch:
641
642              ·      PBB UCA.
643
644     OpenFlow 1.5
645
646       OpenFlow 1.5 added OXMs for the  following  fields  supported  by  Open
647       vSwitch:
648
649              ·      Packet type.
650
651              ·      TCP flags.
652
653              ·      Packet registers.
654
655              ·      The output port in the OpenFlow action set.
656

FIELDS REFERENCE

658       The  following sections document the fields that Open vSwitch supports.
659       Each section provides introductory  material  on  a  group  of  related
660       fields,  followed  by information on each individual field. In addition
661       to field-specific information, each field  begins  with  a  table  with
662       entries for the following important properties:
663
664              Name   The  field’s  name,  used  for parsing and formatting the
665                     field, e.g. in ovs-ofctl commands.  For  historical  rea‐
666                     sons,  some  fields  have  an  additional  name  that  is
667                     accepted as an alternative in parsing.  This  name,  when
668                     there  is  one,  is  listed as well, e.g. ``tun (aka tun‐
669                     nel_id).’’
670
671              Width  The field’s width, always a  multiple  of  8  bits.  Some
672                     fields don’t use all of the bits, so this may be accompa‐
673                     nied by an explanation. For example, OpenFlow embeds  the
674                     2-bit  IP  ECN field as as the low bits in an 8-bit byte,
675                     and so its width is  expressed  as  ``8  bits  (only  the
676                     least-significant 2 bits may be nonzero).’’
677
678              Format How  a  value  for  the  field is formatted or parsed by,
679                     e.g., ovs-ofctl. Some possibilities are generic:
680
681                     decimal
682                            Formats as a decimal  number.  On  input,  accepts
683                            decimal numbers or hexadecimal numbers prefixed by
684                            0x.
685
686                     hexadecimal
687                            Formats as a hexadecimal number prefixed by 0x. On
688                            input, accepts decimal numbers or hexadecimal num‐
689                            bers prefixed by 0x. (The default for  parsing  is
690                            not  hexadecimal: only a 0x prefix causes input to
691                            be treated as hexadecimal.)
692
693                     Ethernet
694                            Formats and accepts the  common  Ethernet  address
695                            format xx:xx:xx:xx:xx:xx.
696
697                     IPv4   Formats   and   accepts   the  dotted-quad  format
698                            a.b.c.d. For bitwise matches, formats and  accepts
699                            address/length   CIDR   notation  in  addition  to
700                            address/mask.
701
702                     IPv6   Formats and accepts the common IPv6  address  for‐
703                            mats, plus CIDR notation for bitwise matches.
704
705                     OpenFlow 1.0 port
706                            Accepts 16-bit port numbers in decimal, plus Open‐
707                            Flow  well-known  port  names  (e.g.  IN_PORT)  in
708                            uppercase or lowercase.
709
710                     OpenFlow 1.1+ port
711                            Same  syntax  as OpenFlow 1.0 ports but for 32-bit
712                            OpenFlow 1.1+ port number fields.
713
714                     Other, field-specific formats are  explained  along  with
715                     their fields.
716
717              Masking
718                     For  most  fields, this says ``arbitrary bitwise masks,’’
719                     meaning that a flow may match any combination of bits  in
720                     the  field. Some fields instead say ``exact match only,’’
721                     which means that a flow that matches on this  field  must
722                     match  on  the  whole field instead of just certain bits.
723                     Either way, this reports masking support for  the  latest
724                     version of Open vSwitch using OXM or NXM (that is, either
725                     OpenFlow 1.2+ or  OpenFlow  1.0  plus  Open  vSwitch  NXM
726                     extensions).  In  particular,  OpenFlow 1.0 (without NXM)
727                     and 1.1 don’t always support masking even if Open vSwitch
728                     itself  does;  refer to the OpenFlow 1.0 and OpenFlow 1.1
729                     rows to learn about masking with these protocol versions.
730
731              Prerequisites
732                     Requirements that must be met to match on this field. For
733                     example,  ip_src has IPv4 as a prerequisite, meaning that
734                     a match must include eth_type=0x0800 to match on the IPv4
735                     source  address.  The following prerequisites, with their
736                     requirements, are currently in use:
737
738                     none   (no requirements)
739
740                     VLAN VID
741                            vlan_tci=0x1000/0x1000  (i.e.  a  VLAN  header  is
742                            present)
743
744                     ARP    eth_type=0x0806 (ARP) or eth_type=0x8035 (RARP)
745
746                     IPv4   eth_type=0x0800
747
748                     IPv6   eth_type=0x86dd
749
750                     IPv4/IPv6
751                            IPv4 or IPv6
752
753                     MPLS   eth_type=0x8847 or eth_type=0x8848
754
755                     TCP    IPv4/IPv6 and ip_proto=6
756
757                     UDP    IPv4/IPv6 and ip_proto=17
758
759                     SCTP   IPv4/IPv6 and ip_proto=132
760
761                     ICMPv4 IPv4 and ip_proto=1
762
763                     ICMPv6 IPv6 and ip_proto=58
764
765                     ND solicit
766                            ICMPv6 and icmp_type=135 and icmp_code=0
767
768                     ND advert
769                            ICMPv6 and icmp_type=136 and icmp_code=0
770
771                     ND     ND solicit or ND advert
772
773                     The  TCP,  UDP, and SCTP prerequisites also have the spe‐
774                     cial requirement that nw_frag is not being used to select
775                     ``later fragments.’’ This is because only the first frag‐
776                     ment of a fragmented IPv4 or IPv6 datagram  contains  the
777                     TCP or UDP header.
778
779              Access Most  fields  are ``read/write,’’ which means that common
780                     OpenFlow actions like set_field can modify  them.  Fields
781                     that  are  ``read-only’’ cannot be modified in these gen‐
782                     eral-purpose ways, although there may be other ways  that
783                     actions can modify them.
784
785              OpenFlow 1.0
786              OpenFlow 1.1
787                   These rows report the level of support that OpenFlow 1.0 or
788                   OpenFlow 1.1, respectively, has for a field.  For  OpenFlow
789                   1.0,  supported  fields are reported as either ``yes (exact
790                   match only)’’ for fields that do not  support  any  bitwise
791                   masking  or  ``yes (CIDR match only)’’ for fields that sup‐
792                   port CIDR masking. OpenFlow  1.1  supported  fields  report
793                   either  ``yes  (exact  match  only)’’ or simply ``yes’’ for
794                   fields that do support arbitrary masks. These OpenFlow ver‐
795                   sions supported a fixed collection of fields that cannot be
796                   extended, so many more fields are reported  as  ``not  sup‐
797                   ported.’’
798
799              OXM
800              NXM  These  rows  report the OXM and NXM code points that corre‐
801                   spond to a given field. Either or both may be ``none.’’
802
803                   A field that has only an OXM code point is usually one that
804                   was  standardized  before  it  was added to Open vSwitch. A
805                   field that has only an NXM code point is usually  one  that
806                   is  not yet standardized. When a field has both OXM and NXM
807                   code points, it usually indicates that it was introduced as
808                   an  Open  vSwitch  extension under the NXM code point, then
809                   later standardized under the OXM code point.  A  field  can
810                   have more than one OXM code point if it was standardized in
811                   OpenFlow 1.4 or later and  additionally  introduced  as  an
812                   official  ONF extension for OpenFlow 1.3. (A field that has
813                   neither OXM nor NXM code point  is  typically  an  obsolete
814                   field  that  is  supported  in some other form using OXM or
815                   NXM.)
816
817                   Each code point in these rows  is  described  in  the  form
818                   ``NAME  (number)  since OpenFlow spec and Open vSwitch ver‐
819                   sion,’’ e.g. ``OXM_OF_ETH_TYPE (5) since OpenFlow  1.2  and
820                   Open vSwitch 1.7.’’ First, NAME, which specifies a name for
821                   the code point, starts with  a  prefix  that  designates  a
822                   class  and,  in some cases, a vendor, as listed in the fol‐
823                   lowing table:
824
825                   Prefix           Vendor       Class
826                   ───────────────  ───────────  ───────
827                   NXM_OF           (none)       0x0000
828                   NXM_NX           (none)       0x0001
829                   ERICOXM_OF       (none)       0x1000
830                   OXM_OF           (none)       0x8000
831                   OXM_OF_PKT_REG   (none)       0x8001
832                   NXOXM_ET         0x00002320   0xffff
833                   NXOXM_NSH        0x005ad650   0xffff
834                   ONFOXM_ET        0x4f4e4600   0xffff
835
836                   For more information on OXM/NXM classes and vendors,  refer
837                   back  to  OpenFlow  1.2 under Evolution of OpenFlow Fields.
838                   The number is the field number within the class and vendor.
839                   The OpenFlow spec is the version of OpenFlow that standard‐
840                   ized the code point. It is  omitted  for  NXM  code  points
841                   because they are nonstandard. The version is the version of
842                   Open vSwitch that first supported the code point.
843

CONJUNCTIVE MATCH FIELDS

845   Summary:
846       Name      Bytes   Mask   RW?   Prereqs   NXM/OXM Support
847       ────────  ──────  ─────  ────  ────────  ────────────────
848       conj_id   4       no     no    none      OVS 2.4+
849
850       An individual OpenFlow flow can match only  a  single  value  for  each
851       field.  However, situations often arise where one wants to match one of
852       a set of values within a field or fields. For matching a  single  field
853       against  a  set,  it  is  straightforward and efficient to add multiple
854       flows to the flow table, one for each value in the  set.  For  example,
855       one  might  use  the  following  flows  to  send packets with IP source
856       address a, b, c, or d to the OpenFlow controller:
857
858             ip,ip_src=a actions=controller
859             ip,ip_src=b actions=controller
860             ip,ip_src=c actions=controller
861             ip,ip_src=d actions=controller
862
863
864       Similarly, these flows send packets with IP destination address  e,  f,
865       g, or h to the OpenFlow controller:
866
867             ip,ip_dst=e actions=controller
868             ip,ip_dst=f actions=controller
869             ip,ip_dst=g actions=controller
870             ip,ip_dst=h actions=controller
871
872
873       Installing  all of the above flows in a single flow table yields a dis‐
874       junctive effect: a packet  is  sent  to  the  controller  if  ip_src  ∈
875       {a,b,c,d}  or  ip_dst  ∈ {e,f,g,h} (or both). (Pedantically, if both of
876       the above sets of flows are present in the flow table, they should have
877       different  priorities, because OpenFlow says that the results are unde‐
878       fined when two flows  with  same  priority  can  both  match  a  single
879       packet.)
880
881       Suppose, on the other hand, one wishes to match conjunctively, that is,
882       to send a packet to the controller only if both ip_src ∈ {a,b,c,d}  and
883       ip_dst ∈ {e,f,g,h}. This requires 4 × 4 = 16 flows, one for each possi‐
884       ble pairing of ip_src and ip_dst. That  is  acceptable  for  our  small
885       example,  but  it  does not gracefully extend to larger sets or greater
886       numbers of dimensions.
887
888       The conjunction action is a solution for conjunctive  matches  that  is
889       built into Open vSwitch. A conjunction action ties groups of individual
890       OpenFlow flows into higher-level ``conjunctive flows’’. Each group cor‐
891       responds  to  one dimension, and each flow within the group matches one
892       possible value for the dimension. A packet that matches one  flow  from
893       each group matches the conjunctive flow.
894
895       To  implement  a conjunctive flow with conjunction, assign the conjunc‐
896       tive flow a 32-bit id, which must be unique within an  OpenFlow  table.
897       Assign  each  of  the n ≥ 2 dimensions a unique number from 1 to n; the
898       ordering is unimportant. Add one flow to the OpenFlow  flow  table  for
899       each  possible value of each dimension with conjunction(id, k/n) as the
900       flow’s actions, where k is the number assigned to the flow’s dimension.
901       Together,  these  flows specify the conjunctive flow’s match condition.
902       When the conjunctive match condition is met, Open vSwitch looks up  one
903       more  flow  that  specifies the conjunctive flow’s actions and receives
904       its statistics. This flow is found by setting conj_id to the  specified
905       id and then again searching the flow table.
906
907       The  following  flows provide an example. Whenever the IP source is one
908       of the values in the flows that match on the IP source (dimension 1  of
909       2), and the IP destination is one of the values in the flows that match
910       on IP destination (dimension 2 of 2), Open vSwitch searches for a  flow
911       that  matches  conj_id  against  the conjunction ID (1234), finding the
912       first flow listed below.
913
914             conj_id=1234 actions=controller
915             ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)
916             ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)
917             ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)
918             ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)
919             ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)
920             ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)
921             ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)
922             ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)
923
924
925       Many subtleties exist:
926
927              ·      In the example above, every flow in  a  single  dimension
928                     has the same form, that is, dimension 1 matches on ip_src
929                     and dimension 2 on ip_dst, but this is not a requirement.
930                     Different flows within a dimension may match on different
931                     bits within a field (e.g. IP network prefixes of  differ‐
932                     ent  lengths, or TCP/UDP port ranges as bitwise matches),
933                     or even on entirely different fields (e.g. to match pack‐
934                     ets for TCP source port 80 or TCP destination port 80).
935
936              ·      The  flows  within  a  dimension  can  vary their matches
937                     across more than one field, e.g. to match  only  specific
938                     pairs  of  IP source and destination addresses or L4 port
939                     numbers.
940
941              ·      A flow may have multiple conjunction actions,  with  dif‐
942                     ferent id values. This is useful for multiple conjunctive
943                     flows with overlapping  sets.  If  one  conjunctive  flow
944                     matches  packets  with  both  ip_src ∈ {a,b} and ip_dst ∈
945                     {d,e} and a second  conjunctive  flow  matches  ip_src  ∈
946                     {b,c} and ip_dst ∈ {f,g}, for example, then the flow that
947                     matches ip_src=b would have two conjunction actions,  one
948                     for  each  conjunctive  flow.  The  order  of conjunction
949                     actions within a list of actions is not significant.
950
951              ·      A flow with conjunction actions  may  also  include  note
952                     actions  for  annotations,  but  not  any  other  kind of
953                     actions. (They would not be  useful  because  they  would
954                     never be executed.)
955
956              ·      All  of the flows that constitute a conjunctive flow with
957                     a given id must have the same priority. (Flows  with  the
958                     same id but different priorities are currently treated as
959                     different conjunctive flows, that is, currently id values
960                     need  only  be unique within an OpenFlow table at a given
961                     priority. This behavior isn’t guaranteed to stay the same
962                     in  later releases, so please use id values unique within
963                     an OpenFlow table.)
964
965              ·      Conjunctive flows must not overlap with each other, at  a
966                     given priority, that is, any given packet must be able to
967                     match at most one conjunctive flow at a  given  priority.
968                     Overlapping   conjunctive   flows   yield   unpredictable
969                     results. (The flows that constitute  a  conjunctive  flow
970                     may  overlap  with  those  that  constitute  the  same or
971                     another conjunctive flow.)
972
973              ·      Following a conjunctive flow match, the  search  for  the
974                     flow  with conj_id=id is done in the same general-purpose
975                     way as other flow table searches, so one  can  use  flows
976                     with  conj_id=id  to act differently depending on circum‐
977                     stances. (One  exception  is  that  the  search  for  the
978                     conj_id=id  flow  itself  ignores  conjunctive  flows, to
979                     avoid recursion.) If the search  with  conj_id=id  fails,
980                     Open  vSwitch  acts  as  if  the conjunctive flow had not
981                     matched at all, and continues searching  the  flow  table
982                     for other matching flows.
983
984              ·      OpenFlow  prerequisite  checking occurs for the flow with
985                     conj_id=id in the same way as any other flow, e.g. in  an
986                     OpenFlow  1.1+  context, putting a mod_nw_src action into
987                     the example above would require adding an ip match,  like
988                     this:
989
990                               conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller
991
992
993              ·      OpenFlow  prerequisite checking also occurs for the indi‐
994                     vidual flows that comprise a  conjunctive  match  in  the
995                     same way as any other flow.
996
997              ·      The  flows that constitute a conjunctive flow do not have
998                     useful statistics. They are never updated  with  byte  or
999                     packet  counts,  and  so on. (For such a flow, therefore,
1000                     the idle and hard timeouts work much the same way.)
1001
1002              ·      Sometimes there is a choice of which flows include a par‐
1003                     ticular  match.  For  example,  suppose  that we added an
1004                     extra constraint to our example, to  match  on  ip_src  ∈
1005                     {a,b,c,d} and ip_dst ∈ {e,f,g,h} and tcp_dst = i. One way
1006                     to implement this is to add the  new  constraint  to  the
1007                     conj_id flow, like this:
1008
1009                               conj_id=1234,tcp,tcp_dst=i actions=mod_nw_src:1.2.3.4,controller
1010
1011
1012                     but  this  is  not recommended because of the cost of the
1013                     extra flow table lookup. Instead, add the  constraint  to
1014                     the  individual flows, either in one of the dimensions or
1015                     (slightly better) all of them.
1016
1017              ·      A conjunctive match must have n ≥ 2 dimensions (otherwise
1018                     a  conjunctive  match  is  not  necessary).  Open vSwitch
1019                     enforces this.
1020
1021              ·      Each dimension within a conjunctive match should ordinar‐
1022                     ily  have  more  than  one  flow.  Open  vSwitch does not
1023                     enforce this.
1024
1025       Conjunction ID Field
1026
1027       Name:            conj_id
1028       Width:           32 bits
1029       Format:          decimal
1030       Masking:         not maskable
1031       Prerequisites:   none
1032       Access:          read-only
1033       OpenFlow 1.0:    not supported
1034       OpenFlow 1.1:    not supported
1035       OXM:             none
1036       NXM:             NXM_NX_CONJ_ID (37) since Open vSwitch 2.4
1037
1038       Used for conjunctive matching. See above for more information.
1039

TUNNEL FIELDS

1041   Summary:
1042       Name                   Bytes             Mask   RW?   Prereqs   NXM/OXM Support
1043       ─────────────────────  ────────────────  ─────  ────  ────────  ─────────────────────
1044       tun_id aka tunnel_id   8                 yes    yes   none      OF 1.3+ and OVS 1.1+
1045       tun_src                4                 yes    yes   none      OVS 2.0+
1046       tun_dst                4                 yes    yes   none      OVS 2.0+
1047       tun_ipv6_src           16                yes    yes   none      OVS 2.5+
1048       tun_ipv6_dst           16                yes    yes   none      OVS 2.5+
1049       tun_gbp_id             2                 yes    yes   none      OVS 2.4+
1050       tun_gbp_flags          1                 yes    yes   none      OVS 2.4+
1051       tun_erspan_ver         1 (low 4 bits)    yes    yes   none      OVS 2.10+
1052       tun_erspan_idx         4 (low 20 bits)   yes    yes   none      OVS 2.10+
1053       tun_erspan_dir         1 (low 1 bits)    yes    yes   none      OVS 2.10+
1054
1055       tun_erspan_hwid        1 (low 6 bits)    yes    yes   none      OVS 2.10+
1056       tun_gtpu_flags         1                 yes    no    none      OVS 2.13+
1057       tun_gtpu_msgtype       1                 yes    no    none      OVS 2.13+
1058       tun_metadata0          124               yes    yes   none      OVS 2.5+
1059       tun_metadata1          124               yes    yes   none      OVS 2.5+
1060       tun_metadata2          124               yes    yes   none      OVS 2.5+
1061       tun_metadata3          124               yes    yes   none      OVS 2.5+
1062       tun_metadata4          124               yes    yes   none      OVS 2.5+
1063       tun_metadata5          124               yes    yes   none      OVS 2.5+
1064       tun_metadata6          124               yes    yes   none      OVS 2.5+
1065       tun_metadata7          124               yes    yes   none      OVS 2.5+
1066       tun_metadata8          124               yes    yes   none      OVS 2.5+
1067       tun_metadata9          124               yes    yes   none      OVS 2.5+
1068       tun_metadata10         124               yes    yes   none      OVS 2.5+
1069       tun_metadata11         124               yes    yes   none      OVS 2.5+
1070
1071       tun_metadata12         124               yes    yes   none      OVS 2.5+
1072       tun_metadata13         124               yes    yes   none      OVS 2.5+
1073       tun_metadata14         124               yes    yes   none      OVS 2.5+
1074       tun_metadata15         124               yes    yes   none      OVS 2.5+
1075       tun_metadata16         124               yes    yes   none      OVS 2.5+
1076       tun_metadata17         124               yes    yes   none      OVS 2.5+
1077       tun_metadata18         124               yes    yes   none      OVS 2.5+
1078       tun_metadata19         124               yes    yes   none      OVS 2.5+
1079       tun_metadata20         124               yes    yes   none      OVS 2.5+
1080       tun_metadata21         124               yes    yes   none      OVS 2.5+
1081       tun_metadata22         124               yes    yes   none      OVS 2.5+
1082       tun_metadata23         124               yes    yes   none      OVS 2.5+
1083       tun_metadata24         124               yes    yes   none      OVS 2.5+
1084       tun_metadata25         124               yes    yes   none      OVS 2.5+
1085       tun_metadata26         124               yes    yes   none      OVS 2.5+
1086
1087       tun_metadata27         124               yes    yes   none      OVS 2.5+
1088       tun_metadata28         124               yes    yes   none      OVS 2.5+
1089       tun_metadata29         124               yes    yes   none      OVS 2.5+
1090       tun_metadata30         124               yes    yes   none      OVS 2.5+
1091       tun_metadata31         124               yes    yes   none      OVS 2.5+
1092       tun_metadata32         124               yes    yes   none      OVS 2.5+
1093       tun_metadata33         124               yes    yes   none      OVS 2.5+
1094       tun_metadata34         124               yes    yes   none      OVS 2.5+
1095       tun_metadata35         124               yes    yes   none      OVS 2.5+
1096       tun_metadata36         124               yes    yes   none      OVS 2.5+
1097       tun_metadata37         124               yes    yes   none      OVS 2.5+
1098       tun_metadata38         124               yes    yes   none      OVS 2.5+
1099       tun_metadata39         124               yes    yes   none      OVS 2.5+
1100       tun_metadata40         124               yes    yes   none      OVS 2.5+
1101       tun_metadata41         124               yes    yes   none      OVS 2.5+
1102
1103       tun_metadata42         124               yes    yes   none      OVS 2.5+
1104       tun_metadata43         124               yes    yes   none      OVS 2.5+
1105       tun_metadata44         124               yes    yes   none      OVS 2.5+
1106       tun_metadata45         124               yes    yes   none      OVS 2.5+
1107       tun_metadata46         124               yes    yes   none      OVS 2.5+
1108       tun_metadata47         124               yes    yes   none      OVS 2.5+
1109       tun_metadata48         124               yes    yes   none      OVS 2.5+
1110       tun_metadata49         124               yes    yes   none      OVS 2.5+
1111       tun_metadata50         124               yes    yes   none      OVS 2.5+
1112       tun_metadata51         124               yes    yes   none      OVS 2.5+
1113       tun_metadata52         124               yes    yes   none      OVS 2.5+
1114       tun_metadata53         124               yes    yes   none      OVS 2.5+
1115       tun_metadata54         124               yes    yes   none      OVS 2.5+
1116       tun_metadata55         124               yes    yes   none      OVS 2.5+
1117       tun_metadata56         124               yes    yes   none      OVS 2.5+
1118
1119       tun_metadata57         124               yes    yes   none      OVS 2.5+
1120       tun_metadata58         124               yes    yes   none      OVS 2.5+
1121       tun_metadata59         124               yes    yes   none      OVS 2.5+
1122       tun_metadata60         124               yes    yes   none      OVS 2.5+
1123       tun_metadata61         124               yes    yes   none      OVS 2.5+
1124       tun_metadata62         124               yes    yes   none      OVS 2.5+
1125       tun_metadata63         124               yes    yes   none      OVS 2.5+
1126       tun_flags              2 (low 1 bits)    yes    yes   none      OVS 2.5+
1127
1128       The fields in this group relate to tunnels, which Open vSwitch supports
1129       in  several  forms  (GRE,  VXLAN,  and  so on). Most of these fields do
1130       appear in the wire format of a packet, so they  are  data  fields  from
1131       that  point  of view, but they are metadata from an OpenFlow flow table
1132       point of view because they do not appear in packets that are  forwarded
1133       to the controller or to ordinary (non-tunnel) output ports.
1134
1135       Open vSwitch supports a spectrum of usage models for mapping tunnels to
1136       OpenFlow ports:
1137
1138              ``Port-based’’ tunnels
1139                     In this model, an OpenFlow port represents one tunnel: it
1140                     matches  a  particular type of tunnel traffic between two
1141                     IP endpoints, with a particular tunnel key (if  keys  are
1142                     in  use).  In this situation, in_port suffices to distin‐
1143                     guish one tunnel  from  another,  so  the  tunnel  header
1144                     fields  have  little  importance for OpenFlow processing.
1145                     (They are still populated and may be used if it is conve‐
1146                     nient.)  The tunnel header fields play no role in sending
1147                     packets out such an OpenFlow port,  either,  because  the
1148                     OpenFlow port itself fully specifies the tunnel headers.
1149
1150                     The  following  Open  vSwitch  commands  create  a bridge
1151                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1152                     establish  a port-based GRE tunnel between the local host
1153                     and remote IP 192.168.1.1 using GRE key 5001 as  OpenFlow
1154                     port  2, and arranges to forward all traffic from tap0 to
1155                     the tunnel and vice versa:
1156
1157                     ovs-vsctl add-br br-int
1158                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1159                     ovs-vsctl add-port br-int gre0 -- \
1160                         set interface gre0 ofport_request=2 type=gre \
1161                                            options:remote_ip=192.168.1.1 options:key=5001
1162                     ovs-ofctl add-flow br-int in_port=1,actions=2
1163                     ovs-ofctl add-flow br-int in_port=2,actions=1
1164
1165
1166              ``Flow-based’’ tunnels
1167                     In this model, one OpenFlow port represents all  possible
1168                     tunnels  of  a given type with an endpoint on the current
1169                     host, for example, all GRE tunnels.  In  this  situation,
1170                     in_port  only  indicates that traffic was received on the
1171                     particular kind of  tunnel.  This  is  where  the  tunnel
1172                     header fields are most important: they allow the OpenFlow
1173                     tables to discriminate among tunnels based  on  their  IP
1174                     endpoints  or  keys.  Tunnel header fields also determine
1175                     the IP endpoints and keys of packets sent out such a tun‐
1176                     nel port.
1177
1178                     The  following  Open  vSwitch  commands  create  a bridge
1179                     br-int, add port tap0 to the bridge as OpenFlow  port  1,
1180                     establish a flow-based GRE tunnel port 3, and arranges to
1181                     forward all traffic from tap0 to  remote  IP  192.168.1.1
1182                     over a GRE tunnel with key 5001 and vice versa:
1183
1184                     ovs-vsctl add-br br-int
1185                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1186                     ovs-vsctl add-port br-int allgre -- \
1187                         set interface allgre ofport_request=3 type=gre \
1188                                              options:remote_ip=flow options:key=flow
1189                     ovs-ofctl add-flow br-int \
1190                         ’in_port=1 actions=set_tunnel:5001,set_field:192.168.1.1->tun_dst,3’
1191                     ovs-ofctl add-flow br-int ’in_port=3,tun_src=192.168.1.1,tun_id=5001 actions=1’
1192
1193
1194              Mixed models.
1195                     One  may define both flow-based and port-based tunnels at
1196                     the same time. For example, it is valid and possibly use‐
1197                     ful  to  create and configure both gre0 and allgre tunnel
1198                     ports described above.
1199
1200                     Traffic is attributed on ingress  to  the  most  specific
1201                     matching  tunnel. For example, gre0 is more specific than
1202                     allgre. Therefore, if both exist, then gre0 will  be  the
1203                     ingress   port   for   any   GRE  traffic  received  from
1204                     192.168.1.1 with key 5001.
1205
1206                     On egress, traffic may be  directed  to  any  appropriate
1207                     tunnel  port.  If  both gre0 and allgre are configured as
1208                     already  described,  then  the  actions  2  and  set_tun‐
1209                     nel:5001,set_field:192.168.1.1->tun_dst,3  send  the same
1210                     tunnel traffic.
1211
1212              Intermediate models.
1213                     Ports may be  configured  as  partially  flow-based.  For
1214                     example,  one may define an OpenFlow port that represents
1215                     tunnels between a pair of endpoints but leaves  the  flow
1216                     table to discriminate on the flow key.
1217
1218       ovs-vswitchd.conf.db(5)  describes all the details of tunnel configura‐
1219       tion.
1220
1221       These fields do not have any prerequisites, which means that a flow may
1222       match on any or all of them, in any combination.
1223
1224       These fields are zeros for packets that did not arrive on a tunnel.
1225
1226       Tunnel ID Field
1227
1228       Name:            tun_id (aka tunnel_id)
1229       Width:           64 bits
1230       Format:          hexadecimal
1231       Masking:         arbitrary bitwise masks
1232       Prerequisites:   none
1233       Access:          read/write
1234       OpenFlow 1.0:    not supported
1235       OpenFlow 1.1:    not supported
1236
1237       OXM:             OXM_OF_TUNNEL_ID  (38)  since  OpenFlow  1.3  and Open
1238                        vSwitch 1.10
1239       NXM:             NXM_NX_TUN_ID (16) since Open vSwitch 1.1
1240
1241       Many kinds of tunnels support a tunnel ID:
1242
1243              ·      VXLAN and Geneve have a 24-bit virtual network identifier
1244                     (VNI).
1245
1246              ·      LISP has a 24-bit instance ID.
1247
1248              ·      GRE has an optional 32-bit key.
1249
1250              ·      STT has a 64-bit key.
1251
1252              ·      ERSPAN has a 10-bit key (Session ID).
1253
1254              ·      GTPU has a 32-bit key (Tunnel Endpoint ID).
1255
1256       When a packet is received from a tunnel, this field holds the tunnel ID
1257       in its least significant bits, zero-extended to fit. This field is zero
1258       if  the tunnel does not support an ID, or if no ID is in use for a tun‐
1259       nel type that has an optional ID, or if an ID of zero received,  or  if
1260       the packet was not received over a tunnel.
1261
1262       When  a  packet  is  output  to a tunnel port, the tunnel configuration
1263       determines whether the tunnel ID is taken from this field or bound to a
1264       fixed  value. See the earlier description of ``port-based’’ and ``flow-
1265       based’’ tunnels for more information.
1266
1267       The following diagram shows the origin of this field in a typical keyed
1268       GRE tunnel:
1269
1270          Ethernet            IPv4               GRE           Ethernet
1271        <----------->   <--------------->   <------------>   <---------->
1272        48  48   16           8   32  32    16    16   32    48  48   16
1273       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1274       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1275       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1276                0x800        47                 0x6558
1277
1278
1279       Tunnel IPv4 Source Field
1280
1281       Name:            tun_src
1282       Width:           32 bits
1283       Format:          IPv4
1284       Masking:         arbitrary bitwise masks
1285       Prerequisites:   none
1286       Access:          read/write
1287
1288       OpenFlow 1.0:    not supported
1289       OpenFlow 1.1:    not supported
1290       OXM:             none
1291       NXM:             NXM_NX_TUN_IPV4_SRC (31) since Open vSwitch 2.0
1292
1293       When  a  packet  is  received  from  a tunnel, this field is the source
1294       address in the outer IP header of the tunneled packet.  This  field  is
1295       zero if the packet was not received over a tunnel.
1296
1297       When  a packet is output to a flow-based tunnel port, this field influ‐
1298       ences the IPv4 source address used to send the packet. If it  is  zero,
1299       then the kernel chooses an appropriate IP address based using the rout‐
1300       ing table.
1301
1302       The following diagram shows the origin of this field in a typical keyed
1303       GRE tunnel:
1304
1305          Ethernet            IPv4               GRE           Ethernet
1306        <----------->   <--------------->   <------------>   <---------->
1307        48  48   16           8   32  32    16    16   32    48  48   16
1308       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1309       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1310       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1311                0x800        47                 0x6558
1312
1313
1314       Tunnel IPv4 Destination Field
1315
1316       Name:            tun_dst
1317       Width:           32 bits
1318       Format:          IPv4
1319       Masking:         arbitrary bitwise masks
1320       Prerequisites:   none
1321
1322       Access:          read/write
1323       OpenFlow 1.0:    not supported
1324       OpenFlow 1.1:    not supported
1325       OXM:             none
1326       NXM:             NXM_NX_TUN_IPV4_DST (32) since Open vSwitch 2.0
1327
1328       When  a packet is received from a tunnel, this field is the destination
1329       address in the outer IP header of the tunneled packet.  This  field  is
1330       zero if the packet was not received over a tunnel.
1331
1332       When  a packet is output to a flow-based tunnel port, this field speci‐
1333       fies the destination to which the tunnel packet is sent.
1334
1335       The following diagram shows the origin of this field in a typical keyed
1336       GRE tunnel:
1337
1338          Ethernet            IPv4               GRE           Ethernet
1339        <----------->   <--------------->   <------------>   <---------->
1340        48  48   16           8   32  32    16    16   32    48  48   16
1341       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1342       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1343       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1344                0x800        47                 0x6558
1345
1346
1347       Tunnel IPv6 Source Field
1348
1349       Name:            tun_ipv6_src
1350       Width:           128 bits
1351       Format:          IPv6
1352       Masking:         arbitrary bitwise masks
1353       Prerequisites:   none
1354       Access:          read/write
1355
1356       OpenFlow 1.0:    not supported
1357       OpenFlow 1.1:    not supported
1358       OXM:             none
1359       NXM:             NXM_NX_TUN_IPV6_SRC (109) since Open vSwitch 2.5
1360
1361       Similar to tun_src, but for tunnels over IPv6.
1362
1363       Tunnel IPv6 Destination Field
1364
1365       Name:            tun_ipv6_dst
1366       Width:           128 bits
1367       Format:          IPv6
1368       Masking:         arbitrary bitwise masks
1369       Prerequisites:   none
1370       Access:          read/write
1371       OpenFlow 1.0:    not supported
1372
1373       OpenFlow 1.1:    not supported
1374       OXM:             none
1375       NXM:             NXM_NX_TUN_IPV6_DST (110) since Open vSwitch 2.5
1376
1377       Similar to tun_dst, but for tunnels over IPv6.
1378
1379   VXLAN Group-Based Policy Fields
1380       The VXLAN header is defined as follows [RFC 7348], where the I bit must
1381       be set to 1, unlabeled bits or those labeled reserved must be set to 0,
1382       and Open vSwitch makes the VNI available via tun_id:
1383
1384          VXLAN flags
1385        <------------->
1386        1 1 1 1 1 1 1 1    24    24     8
1387       +-+-+-+-+-+-+-+-+--------+---+--------+
1388       | | | | |I| | | |reserved|VNI|reserved|
1389       +-+-+-+-+-+-+-+-+--------+---+--------+
1390
1391
1392       VXLAN Group-Based Policy [VXLAN Group Policy Option] adds new interpre‐
1393       tations to existing bits in the VXLAN header, reinterpreting it as fol‐
1394       lows, with changes highlighted:
1395
1396           GBP flags
1397        <------------->
1398        1 1 1 1 1 1 1 1       24        24     8
1399       +-+-+-+-+-+-+-+-+---------------+---+--------+
1400       | |D| | |A| | | |group policy ID|VNI|reserved|
1401       +-+-+-+-+-+-+-+-+---------------+---+--------+
1402
1403
1404       Open vSwitch makes GBP fields and flags available through the following
1405       fields. Only packets that arrive over  a  VXLAN  tunnel  with  the  GBP
1406       extension enabled have these fields set. In other packets they are zero
1407       on receive and ignored on transmit.
1408
1409       VXLAN Group-Based Policy ID Field
1410
1411       Name:            tun_gbp_id
1412       Width:           16 bits
1413       Format:          decimal
1414       Masking:         arbitrary bitwise masks
1415       Prerequisites:   none
1416       Access:          read/write
1417       OpenFlow 1.0:    not supported
1418       OpenFlow 1.1:    not supported
1419       OXM:             none
1420       NXM:             NXM_NX_TUN_GBP_ID (38) since Open vSwitch 2.4
1421
1422       For a packet tunneled over VXLAN  with  the  Group-Based  Policy  (GBP)
1423       extension, this field represents the GBP policy ID, as shown above.
1424
1425       VXLAN Group-Based Policy Flags Field
1426
1427       Name:            tun_gbp_flags
1428       Width:           8 bits
1429       Format:          hexadecimal
1430       Masking:         arbitrary bitwise masks
1431       Prerequisites:   none
1432       Access:          read/write
1433       OpenFlow 1.0:    not supported
1434       OpenFlow 1.1:    not supported
1435       OXM:             none
1436       NXM:             NXM_NX_TUN_GBP_FLAGS (39) since Open vSwitch 2.4
1437
1438       For  a  packet  tunneled  over  VXLAN with the Group-Based Policy (GBP)
1439       extension, this field represents the GBP policy flags, as shown above.
1440
1441       The field has the format shown below:
1442
1443           GBP Flags
1444        <------------->
1445        1 1 1 1 1 1 1 1
1446       +-+-+-+-+-+-+-+-+
1447       | |D| | |A| | | |
1448       +-+-+-+-+-+-+-+-+
1449
1450
1451       Unlabeled bits are reserved and must be transmitted as 0. The VXLAN GBP
1452       draft defines the other bits’ meanings as:
1453
1454              D (Don’t Learn)
1455                     When  set, this bit indicates that the egress tunnel end‐
1456                     point must not learn the source address of  the  encapsu‐
1457                     lated frame.
1458
1459              A (Applied)
1460                     When  set,  indicates  that  the group policy has already
1461                     been applied to this packet. Devices must not apply poli‐
1462                     cies when the A bit is set.
1463
1464   ERSPAN Metadata Fields
1465       These  fields provide access to features in the ERSPAN tunneling proto‐
1466       col [ERSPAN], which has two major versions: version 1 (aka type II) and
1467       version 2 (aka type III).
1468
1469       Regardless of version, ERSPAN is encapsulated within a fixed 8-byte GRE
1470       header that consists of a 4-byte GRE base header and a 4-byte  sequence
1471       number. The ERSPAN version 1 header format is:
1472
1473             GRE                ERSPAN v1            Ethernet
1474        <------------>   <--------------------->   <---------->
1475        16    16   32     4  18    10    12  20    48  48   16
1476       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1477       |...| type |seq| |ver|...|session|...|idx| |dst|src|type| ...
1478       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1479            0x88be        1      tun_id
1480
1481
1482       The ERSPAN version 2 header format is:
1483
1484             GRE                         ERSPAN v2                      Ethernet
1485        <------------>   <---------------------------------------->   <---------->
1486        16    16   32     4  18    10       32     22   6    1   3    48  48   16
1487       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1488       |...| type |seq| |ver|...|session|timestamp|...|hwid|dir|...| |dst|src|type| ...
1489       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1490            0x22eb        2      tun_id                     0/1
1491
1492
1493       ERSPAN Version Field
1494
1495       Name:            tun_erspan_ver
1496       Width:           8 bits (only the least-significant 4 bits may be nonzero)
1497       Format:          decimal
1498       Masking:         arbitrary bitwise masks
1499       Prerequisites:   none
1500       Access:          read/write
1501       OpenFlow 1.0:    not supported
1502       OpenFlow 1.1:    not supported
1503       OXM:             none
1504       NXM:             NXOXM_ET_ERSPAN_VER (12) since Open vSwitch 2.10
1505
1506       ERSPAN version number: 1 for version 1, or 2 for version 2.
1507
1508       ERSPAN Index Field
1509
1510       Name:            tun_erspan_idx
1511       Width:           32 bits (only the least-significant 20 bits may be nonzero)
1512       Format:          hexadecimal
1513       Masking:         arbitrary bitwise masks
1514       Prerequisites:   none
1515       Access:          read/write
1516       OpenFlow 1.0:    not supported
1517       OpenFlow 1.1:    not supported
1518       OXM:             none
1519       NXM:             NXOXM_ET_ERSPAN_IDX (11) since Open vSwitch 2.10
1520
1521       This  field  is  a  20-bit index/port number associated with the ERSPAN
1522       traffic’s source port and direction  (ingress/egress).  This  field  is
1523       platform dependent.
1524
1525       ERSPAN Direction Field
1526
1527       Name:            tun_erspan_dir
1528       Width:           8 bits (only the least-significant 1 bits may be nonzero)
1529       Format:          decimal
1530       Masking:         arbitrary bitwise masks
1531       Prerequisites:   none
1532       Access:          read/write
1533       OpenFlow 1.0:    not supported
1534       OpenFlow 1.1:    not supported
1535       OXM:             none
1536       NXM:             NXOXM_ET_ERSPAN_DIR (13) since Open vSwitch 2.10
1537
1538       For ERSPAN v2, the mirrored traffic’s direction: 0 for ingress traffic,
1539       1 for egress traffic.
1540
1541       ERSPAN Hardware ID Field
1542
1543       Name:            tun_erspan_hwid
1544       Width:           8 bits (only the least-significant 6 bits may be nonzero)
1545       Format:          hexadecimal
1546       Masking:         arbitrary bitwise masks
1547       Prerequisites:   none
1548       Access:          read/write
1549       OpenFlow 1.0:    not supported
1550       OpenFlow 1.1:    not supported
1551       OXM:             none
1552       NXM:             NXOXM_ET_ERSPAN_HWID (14) since Open vSwitch 2.10
1553
1554       A 6-bit unique identifier of an ERSPAN v2 engine within a system.
1555
1556   GTP-U Metadata Fields
1557       These fields provide access to set-up GPRS Tunnelling Protocol for User
1558       Plane  (GTPv1-U),  based on 3GPP TS 29.281. A GTP-U header has the fol‐
1559       lowing format:
1560
1561          8      8       16    32
1562       +-----+--------+------+----+
1563       |flags|msg type|length|TEID| ...
1564       +-----+--------+------+----+
1565
1566
1567       The flags and message type have the Open vSwitch GTP-U specific  fields
1568       described  below.  Open vSwitch makes the TEID (Tunnel Endpoint Identi‐
1569       fier), which identifies a tunnel endpoint in the receiving GTP-U proto‐
1570       col entity, available via tun_id.
1571
1572       GTP-U Flags Field
1573
1574       Name:            tun_gtpu_flags
1575       Width:           8 bits
1576
1577       Format:          hexadecimal
1578       Masking:         arbitrary bitwise masks
1579       Prerequisites:   none
1580       Access:          read-only
1581       OpenFlow 1.0:    not supported
1582       OpenFlow 1.1:    not supported
1583       OXM:             none
1584       NXM:             NXOXM_ET_GTPU_FLAGS (15) since Open vSwitch 2.13
1585
1586       This field holds the 8-bit GTP-U flags, encoded as:
1587
1588         GTP-U Tunnel Flags
1589        <------------------->
1590           3    1   1  1 1 1
1591       +-------+--+---+-+-+--+
1592       |version|PT|rsv|E|S|PN|
1593       +-------+--+---+-+-+--+
1594           1        0
1595
1596
1597       The flags are:
1598
1599              version
1600                     Used  to  determine  the  version  of the GTP-U protocol,
1601                     which should be set to 1.
1602
1603              PT     Protocol type, used as a protocol  discriminator  between
1604                     GTP (1) and GTP’ (0).
1605
1606              rsv    Reserved. Must be zero.
1607
1608              E      If 1, indicates the presence of a meaningful value of the
1609                     Next Extension Header field.
1610
1611              S      If 1, indicates the presence of a meaningful value of the
1612                     Sequence Number field.
1613
1614              PN     If 1, indicates the presence of a meaningful value of the
1615                     N-PDU Number field.
1616
1617       GTP-U Message Type Field
1618
1619       Name:            tun_gtpu_msgtype
1620       Width:           8 bits
1621       Format:          decimal
1622       Masking:         arbitrary bitwise masks
1623       Prerequisites:   none
1624       Access:          read-only
1625       OpenFlow 1.0:    not supported
1626       OpenFlow 1.1:    not supported
1627
1628       OXM:             none
1629       NXM:             NXOXM_ET_GTPU_MSGTYPE (16) since Open vSwitch 2.13
1630
1631       This field indicates whether it’s a signalling message  used  for  path
1632       management,  or a user plane message which carries the original packet.
1633       The complete range of  message  types  can  be  referred  to  [3GPP  TS
1634       29.281].
1635
1636   Geneve Fields
1637       These  fields  provide access to additional features in the Geneve tun‐
1638       neling protocol [Geneve]. Their names are somewhat generic in the  hope
1639       that the same fields could be reused for other protocols in the future;
1640       for example, the NSH protocol [NSH] supports TLV options whose form  is
1641       identical to that for Geneve options.
1642
1643       Generic Tunnel Option 0 Field
1644
1645       Name:            tun_metadata0
1646       Width:           992 bits (124 bytes)
1647       Format:          hexadecimal
1648       Masking:         arbitrary bitwise masks
1649       Prerequisites:   none
1650       Access:          read/write
1651       OpenFlow 1.0:    not supported
1652       OpenFlow 1.1:    not supported
1653       OXM:             none
1654       NXM:             NXM_NX_TUN_METADATA0 (40) since Open vSwitch 2.5
1655
1656       The  above information specifically covers generic tunnel option 0, but
1657       Open vSwitch supports 64 options, numbered  0  through  63,  whose  NXM
1658       field numbers are 40 through 103.
1659
1660       These  fields  provide OpenFlow access to the generic type-length-value
1661       options defined by the Geneve tunneling  protocol  or  other  protocols
1662       with  options  in  the same TLV format as Geneve options. Each of these
1663       options has the following wire format:
1664
1665               header                 body
1666        <-------------------> <------------------>
1667         16    8    3    5    4×(length - 1) bytes
1668       +-----+----+---+------+--------------------+
1669       |class|type|res|length|       value        |
1670       +-----+----+---+------+--------------------+
1671                    0
1672
1673
1674       Taken together, the class and type in the option format mean that there
1675       are  about  16  million distinct kinds of TLV options, too many to give
1676       individual OXM code points. Thus, Open vSwitch  requires  the  user  to
1677       define  the TLV options of interest, by binding up to 64 TLV options to
1678       generic tunnel option NXM code points. Each option may have up  to  124
1679       bytes  in  its  body,  the maximum allowed by the TLV format, but bound
1680       options may total at most 252 bytes of body.
1681
1682       Open vSwitch extensions to the OpenFlow protocol bind  TLV  options  to
1683       NXM  code  points. The ovs-ofctl(8) program offers one way to use these
1684       extensions, e.g. to configure a mapping from a TLV  option  with  class
1685       0xffff, type 0, and a body length of 4 bytes:
1686
1687       ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
1688
1689
1690       Once  a  TLV  option is properly bound, it can be accessed and modified
1691       like any other field, e.g. to send packets that have value 1234 for the
1692       option described above to the controller:
1693
1694       ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
1695
1696
1697       An option not received or not bound is matched as all zeros.
1698
1699       Tunnel Flags Field
1700
1701       Name:            tun_flags
1702       Width:           16 bits (only the least-significant 1 bits may be nonzero)
1703       Format:          tunnel flags
1704       Masking:         arbitrary bitwise masks
1705       Prerequisites:   none
1706       Access:          read/write
1707       OpenFlow 1.0:    not supported
1708       OpenFlow 1.1:    not supported
1709       OXM:             none
1710       NXM:             NXM_NX_TUN_FLAGS (104) since Open vSwitch 2.5
1711
1712       Flags indicating various aspects of the tunnel encapsulation.
1713
1714       Matches  on  this  field are most conveniently written in terms of sym‐
1715       bolic names (given in the diagram below), each preceded by either + for
1716       a  flag  that  must be set, or - for a flag that must be unset, without
1717       any other delimiters between the flags. Flags not mentioned  are  wild‐
1718       carded.  For  example, tun_flags=+oam matches only OAM packets. Matches
1719       can also be written as flags/mask, where flags and mask are 16-bit num‐
1720       bers in decimal or in hexadecimal prefixed by 0x.
1721
1722       Currently, only one flag is defined:
1723
1724              oam    The tunnel protocol indicated that this is an OAM (Opera‐
1725                     tions and Management) control packet.
1726
1727       The switch may reject matches against unknown flags.
1728
1729       Newer versions of Open vSwitch may introduce additional flags with  new
1730       meanings. It is therefore not recommended to use an exact match on this
1731       field since the behavior of these new flags is unknown  and  should  be
1732       ignored.
1733
1734       For non-tunneled packets, the value is 0.
1735

METADATA FIELDS

1737   Summary:
1738       Name            Bytes   Mask   RW?   Prereqs   NXM/OXM Support
1739
1740       ──────────────  ──────  ─────  ────  ────────  ─────────────────────
1741       in_port         2       no     yes   none      OVS 1.1+
1742       in_port_oxm     4       no     yes   none      OF 1.2+ and OVS 1.7+
1743       skb_priority    4       no     no    none
1744
1745       pkt_mark        4       yes    yes   none      OVS 2.0+
1746       actset_output   4       no     no    none      OF 1.3+ and OVS 2.4+
1747       packet_type     4       no     no    none      OF 1.5+ and OVS 2.8+
1748
1749       These  fields  relate  to the origin or treatment of a packet, but they
1750       are not extracted from the packet data itself.
1751
1752       Ingress Port Field
1753
1754
1755       Name:            in_port
1756       Width:           16 bits
1757       Format:          OpenFlow 1.0 port
1758       Masking:         not maskable
1759
1760       Prerequisites:   none
1761       Access:          read/write
1762       OpenFlow 1.0:    yes (exact match only)
1763       OpenFlow 1.1:    yes (exact match only)
1764
1765       OXM:             none
1766       NXM:             NXM_OF_IN_PORT (0) since Open vSwitch 1.1
1767
1768       The OpenFlow port on which the packet being processed arrived. This  is
1769       a  16-bit field that holds an OpenFlow 1.0 port number. For receiving a
1770       packet, the only values that appear in this field are:
1771
1772              1 through 0xfeff (65,279), inclusive.
1773                     Conventional OpenFlow port numbers.
1774
1775              OFPP_LOCAL (0xfffe or 65,534).
1776                     The ``local’’ port, which in Open vSwitch is always named
1777                     the  same as the bridge itself. This represents a connec‐
1778                     tion between the switch and the local TCP/IP stack.  This
1779                     port  is  where an IP address is most commonly configured
1780                     on an Open vSwitch switch.
1781
1782                     OpenFlow does not require a switch to have a local  port,
1783                     but  all  existing  versions  of Open vSwitch have always
1784                     included a local port. Future Directions: Future versions
1785                     of  Open  vSwitch  might  be  able to optionally omit the
1786                     local port, if someone submits code to implement  such  a
1787                     feature.
1788
1789              OFPP_NONE  (OpenFlow 1.0) or OFPP_ANY (OpenFlow 1.1+) (0xffff or
1790              65,535).
1791              OFPP_CONTROLLER (0xfffd or 65,533).
1792                   When a controller injects a packet into an OpenFlow  switch
1793                   with  a ``packet-out’’ request, it can specify one of these
1794                   ingress ports to indicate that  the  packet  was  generated
1795                   internally rather than having been received on some port.
1796
1797                   OpenFlow  1.0 specified OFPP_NONE for this purpose. Despite
1798                   that,  some  controllers  used  OFPP_CONTROLLER,  and  some
1799                   switches  only  accepted OFPP_CONTROLLER, so OpenFlow 1.0.2
1800                   required support for both ports.  OpenFlow  1.1  and  later
1801                   were  more  clearly  drafted to allow only OFPP_CONTROLLER.
1802                   For maximum compatibility, Open vSwitch allows  both  ports
1803                   with all OpenFlow versions.
1804
1805       Values  not  mentioned above will never appear when receiving a packet,
1806       including the following notable values:
1807
1808              0      Zero is not a valid OpenFlow port number.
1809
1810              OFPP_MAX (0xff00 or 65,280).
1811                     This value has only been clearly  specified  as  a  valid
1812                     port number as of OpenFlow 1.3.3. Before that, its status
1813                     was unclear,  and  so  Open  vSwitch  has  never  allowed
1814                     OFPP_MAX  to  be  used  as a port number, so packets will
1815                     never be received on this port. (Other OpenFlow switches,
1816                     of course, might use it.)
1817
1818              OFPP_UNSET (0xfff7 or 65,527)
1819              OFPP_IN_PORT (0xfff8 or 65,528)
1820              OFPP_TABLE (0xfff9 or 65,529)
1821              OFPP_NORMAL (0xfffa or 65,530)
1822              OFPP_FLOOD (0xfffb or 65,531)
1823              OFPP_ALL (0xfffc or 65,532)
1824                   These  port  numbers  are  used  only in output actions and
1825                   never appear as ingress ports.
1826
1827                   Most of these port numbers were defined  in  OpenFlow  1.0,
1828                   but OFPP_UNSET was only introduced in OpenFlow 1.5.
1829
1830       Values  that  will  never  appear  when receiving a packet may still be
1831       matched against in the flow table. There  are  still  circumstances  in
1832       which those flows can be matched:
1833
1834              ·      The  resubmit Open vSwitch extension action allows a flow
1835                     table lookup with an arbitrary ingress port.
1836
1837              ·      An action that  modifies  the  ingress  port  field  (see
1838                     below),  such  as  e.g. load or set_field, followed by an
1839                     action or instruction that performs  another  flow  table
1840                     lookup, such as resubmit or goto_table.
1841
1842       This  field  is  heavily  used for matching in OpenFlow tables, but for
1843       packet egress, it has only very limited roles:
1844
1845              ·      OpenFlow requires suppressing output actions to  in_port.
1846                     That  is,  the  following two flows both drop all packets
1847                     that arrive on port 1:
1848
1849                     in_port=1,actions=1
1850                     in_port=1,actions=drop
1851
1852
1853                     (This behavior is occasionally useful for flooding  to  a
1854                     subset of ports. Specifying actions=1,2,3,4, for example,
1855                     outputs to ports 1, 2, 3, and  4,  omitting  the  ingress
1856                     port.)
1857
1858              ·      OpenFlow  has  a  special  port  OFPP_IN_PORT (with value
1859                     0xfff8) that outputs to the ingress port. For example, in
1860                     a  switch  that  has  four  ports  numbered  1 through 4,
1861                     actions=1,2,3,4,in_port outputs to ports 1, 2, 3, and  4,
1862                     including the ingress port.
1863
1864       Because  the  ingress port field has so little influence on packet pro‐
1865       cessing, it does not ordinarily make sense to modify the  ingress  port
1866       field.  The  field  is writable only to support the occasional use case
1867       where the ingress port’s  roles  in  packet  egress,  described  above,
1868       become  troublesome. For example, actions=load:0->NXM_OF_IN_PORT[],out‐
1869       put:123 will output to port 123 regardless of  whether  it  is  in  the
1870       ingress  port.  If the ingress port is important, then one may save and
1871       restore it on the stack:
1872
1873       actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],output:123,pop:NXM_OF_IN_PORT[]
1874
1875
1876       or, in Open vSwitch 2.7 or later, use the  clone  action  to  save  and
1877       restore it:
1878
1879       actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
1880
1881
1882       The  ability to modify the ingress port is an Open vSwitch extension to
1883       OpenFlow.
1884
1885       OXM Ingress Port Field
1886
1887       Name:            in_port_oxm
1888       Width:           32 bits
1889       Format:          OpenFlow 1.1+ port
1890
1891       Masking:         not maskable
1892       Prerequisites:   none
1893       Access:          read/write
1894       OpenFlow 1.0:    not supported
1895       OpenFlow 1.1:    yes (exact match only)
1896       OXM:             OXM_OF_IN_PORT (0) since OpenFlow 1.2 and Open vSwitch
1897                        1.7
1898       NXM:             none
1899
1900       OpenFlow 1.1 and later use a 32-bit port number, so this field supplies
1901       a 32-bit view of the ingress port. Current  versions  of  Open  vSwitch
1902       support only a 16-bit range of ports:
1903
1904              ·      OpenFlow  1.0  ports  0x0000 to 0xfeff, inclusive, map to
1905                     OpenFlow 1.1 port numbers with the same values.
1906
1907              ·      OpenFlow 1.0 ports 0xff00 to 0xffff,  inclusive,  map  to
1908                     OpenFlow 1.1 port numbers 0xffffff00 to 0xffffffff.
1909
1910              ·      OpenFlow  1.1  ports  0x0000ff00  to  0xfffffeff  are not
1911                     mapped and not supported.
1912
1913       in_port and in_port_oxm are two views of the same information,  so  all
1914       of  the comments on in_port apply to in_port_oxm too. Modifying in_port
1915       changes in_port_oxm, and vice versa.
1916
1917       Setting in_port_oxm to an unsupported value yields  unspecified  behav‐
1918       ior.
1919
1920       Output Queue Field
1921
1922       Name:            skb_priority
1923       Width:           32 bits
1924       Format:          hexadecimal
1925       Masking:         not maskable
1926       Prerequisites:   none
1927       Access:          read-only
1928       OpenFlow 1.0:    not supported
1929
1930       OpenFlow 1.1:    not supported
1931       OXM:             none
1932       NXM:             none
1933
1934       Future Directions: Open vSwitch implements the output queue as a field,
1935       but does not currently expose it through OXM or NXM for  matching  pur‐
1936       poses.  If  this  turns  out to be a useful feature, it could be imple‐
1937       mented in future versions. Only the set_queue, enqueue,  and  pop_queue
1938       actions currently influence the output queue.
1939
1940       This field influences how packets in the flow will be queued, for qual‐
1941       ity of service (QoS) purposes, when they egress the switch.  Its  range
1942       of meaningful values, and their meanings, varies greatly from one Open‐
1943       Flow implementation to another. Even within  a  single  implementation,
1944       there is no guarantee that all OpenFlow ports have the same queues con‐
1945       figured or that all OpenFlow ports in an implementation can be  config‐
1946       ured the same way queue-wise.
1947
1948       Configuring queues on OpenFlow is not well standardized. On Linux, Open
1949       vSwitch supports queue configuration via OVSDB,  specifically  the  QoS
1950       and  Queue  tables  (see ovs-vswitchd.conf.db(5) for details). Ports of
1951       Open vSwitch to  other  platforms  might  require  queue  configuration
1952       through  some  separate  protocol  (such as a CLI). Even on Linux, Open
1953       vSwitch exposes only  a  fraction  of  the  kernel’s  queuing  features
1954       through  OVSDB,  so advanced or unusual uses might require use of sepa‐
1955       rate utilities (e.g. tc). OpenFlow switches  other  than  Open  vSwitch
1956       might  use  OF-CONFIG  or  any  of  the configuration methods mentioned
1957       above. Finally, some OpenFlow switches have a fixed  number  of  fixed-
1958       function  queues  (e.g.  eight queues with strictly defined priorities)
1959       and others do not support any control over queuing.
1960
1961       The only output queue that all OpenFlow implementations must support is
1962       zero, to identify a default queue, whose properties are implementation-
1963       defined. Outputting a packet to a queue that does not exist on the out‐
1964       put  port  yields  unpredictable  behavior: among the possibilities are
1965       that the packet might be dropped or transmitted with  a  very  high  or
1966       very low priority.
1967
1968       OpenFlow  1.0  only allowed output queues to be specified as part of an
1969       enqueue action that specified both a queue and an output port. That is,
1970       OpenFlow  1.0  treats  the  queue as an argument to an action, not as a
1971       field.
1972
1973       To increase flexibility, OpenFlow 1.1 added an action to set the output
1974       queue. This model was carried forward, without change, through OpenFlow
1975       1.5.
1976
1977       Open vSwitch implements the native queuing model of each OpenFlow  ver‐
1978       sion  it  supports. Open vSwitch also includes an extension for setting
1979       the output queue as an action in OpenFlow 1.0.
1980
1981       When a packet ingresses into an OpenFlow switch, the  output  queue  is
1982       ordinarily  set  to  0,  indicating  the  default  queue. However, Open
1983       vSwitch supports various ways to forward a  packet  from  one  OpenFlow
1984       switch  to  another  within a single host. In these cases, Open vSwitch
1985       maintains the output queue across the forwarding step. For example:
1986
1987              ·      A hop across an Open vSwitch ``patch port’’  (which  does
1988                     not actually involve queuing) preserves the output queue.
1989
1990              ·      When  a  flow  sets  the  output queue then outputs to an
1991                     OpenFlow tunnel port,  the  encapsulation  preserves  the
1992                     output  queue.  If  the  kernel  TCP/IP  stack routes the
1993                     encapsulated packet directly  to  a  physical  interface,
1994                     then  that output honors the output queue. Alternatively,
1995                     if the kernel routes the encapsulated packet  to  another
1996                     Open vSwitch bridge, then the output queue set previously
1997                     becomes the initial output queue on ingress to the second
1998                     bridge  and  will thus be used for further output actions
1999                     (unless overridden by a new ``set queue’’ action).
2000
2001                     (This description reflects the current behavior  of  Open
2002                     vSwitch  on Linux. This behavior relies on details of the
2003                     Linux TCP/IP stack. It could be difficult to  make  ports
2004                     to other operating systems behave the same way.)
2005
2006       Packet Mark Field
2007
2008       Name:            pkt_mark
2009       Width:           32 bits
2010       Format:          hexadecimal
2011       Masking:         arbitrary bitwise masks
2012       Prerequisites:   none
2013       Access:          read/write
2014       OpenFlow 1.0:    not supported
2015       OpenFlow 1.1:    not supported
2016       OXM:             none
2017       NXM:             NXM_NX_PKT_MARK (33) since Open vSwitch 2.0
2018
2019       Packet  mark  comes to Open vSwitch from the Linux kernel, in which the
2020       sk_buff data structure that represents a packet contains a 32-bit  mem‐
2021       ber  named  skb_mark.  The  value of skb_mark propagates along with the
2022       packet it accompanies wherever the packet goes in the kernel. It has no
2023       predefined  semantics  but  various  kernel-user interfaces can set and
2024       match on it, which makes it suitable for  ``marking’’  packets  at  one
2025       point  in  their handling and then acting on the mark later. With ipta‐
2026       bles, for example, one can mark some traffic specially at  ingress  and
2027       then  handle  that  traffic  differently  at egress based on the marked
2028       value.
2029
2030       Packet mark is an attempt at a generalization of the  skb_mark  concept
2031       beyond  Linux, at least through more generic naming. Like skb_priority,
2032       packet mark is preserved across  forwarding  steps  within  a  machine.
2033       Unlike  skb_priority,  packet  mark has no direct effect on packet for‐
2034       warding: the value set in packet mark does not matter unless some later
2035       OpenFlow  table  or switch matches on packet mark, or unless the packet
2036       passes through some other kernel subsystem that has been configured  to
2037       interpret  packet mark in specific ways, e.g. through iptables configu‐
2038       ration mentioned above.
2039
2040       Preserving packet mark across kernel forwarding steps relies heavily on
2041       kernel  support,  which  ports  to  non-Linux operating systems may not
2042       have. Regardless of operating system  support,  Open  vSwitch  supports
2043       packet mark within a single bridge and across patch ports.
2044
2045       The  value  of  packet mark when a packet ingresses into the first Open
2046       vSwich bridge is typically zero, but it could be nonzero if  its  value
2047       was previously set by some kernel subsystem.
2048
2049       Action Set Output Port Field
2050
2051       Name:            actset_output
2052       Width:           32 bits
2053       Format:          OpenFlow 1.1+ port
2054       Masking:         not maskable
2055       Prerequisites:   none
2056       Access:          read-only
2057       OpenFlow 1.0:    not supported
2058       OpenFlow 1.1:    not supported
2059
2060       OXM:             ONFOXM_ET_ACTSET_OUTPUT  (43)  since  OpenFlow 1.3 and
2061                        Open  vSwitch  2.4;  OXM_OF_ACTSET_OUTPUT  (43)  since
2062                        OpenFlow 1.5 and Open vSwitch 2.4
2063       NXM:             none
2064
2065       Holds  the  output port currently in the OpenFlow action set (i.e. from
2066       an output action within a write_actions instruction). Its value  is  an
2067       OpenFlow port number. If there is no output port in the OpenFlow action
2068       set, or if the output port will be ignored (e.g. because  there  is  an
2069       output  group  in  the  OpenFlow  action  set),  then the value will be
2070       OFPP_UNSET.
2071
2072       Open vSwitch allows any table to match this field.  OpenFlow,  however,
2073       only requires this field to be matchable from within an OpenFlow egress
2074       table (a feature that Open vSwitch does not yet implement).
2075
2076       Packet Type Field
2077
2078       Name:            packet_type
2079       Width:           32 bits
2080       Format:          packet type
2081       Masking:         not maskable
2082       Prerequisites:   none
2083       Access:          read-only
2084       OpenFlow 1.0:    not supported
2085
2086       OpenFlow 1.1:    not supported
2087       OXM:             OXM_OF_PACKET_TYPE (44) since OpenFlow  1.5  and  Open
2088                        vSwitch 2.8
2089       NXM:             none
2090
2091       The type of the packet in the format specified in OpenFlow 1.5:
2092
2093        Packet type
2094        <--------->
2095        16    16
2096       +---+-------+
2097       |ns |ns_type| ...
2098       +---+-------+
2099
2100
2101       The  upper 16 bits, ns, are a namespace. The meaning of ns_type depends
2102       on the namespace. The packet type field is specified and  displayed  in
2103       the format (ns,ns_type).
2104
2105       Open  vSwitch  currently supports the following classes of packet types
2106       for matching:
2107
2108              (0,0)  Ethernet.
2109
2110              (1,ethertype)
2111                     The specified ethertype. Open vSwitch can forward packets
2112                     with  any ethertype, but it can only match on and process
2113                     data fields for the following supported packet types:
2114
2115                     (1,0x800)
2116                            IPv4
2117
2118                     (1,0x806)
2119                            ARP
2120
2121                     (1,0x86dd)
2122                            IPv6
2123
2124                     (1,0x8847)
2125                            MPLS
2126
2127                     (1,0x8848)
2128                            MPLS multicast
2129
2130                     (1,0x8035)
2131                            RARP
2132
2133                     (1,0x894f)
2134                            NSH
2135
2136       Consider the  distinction  between  a  packet  with  packet_type=(0,0),
2137       dl_type=0x800 and one with packet_type=(1,0x800). The former is an Eth‐
2138       ernet frame that contains an IPv4 packet, like this:
2139
2140          Ethernet            IPv4
2141        <----------->   <--------------->
2142        48  48   16           8   32  32
2143       +---+---+-----+ +---+-----+---+---+
2144       |dst|src|type | |...|proto|src|dst| ...
2145       +---+---+-----+ +---+-----+---+---+
2146                0x800
2147
2148
2149       The latter is an IPv4 packet not encapsulated inside any  outer  frame,
2150       like this:
2151
2152              IPv4
2153        <--------------->
2154              8   32  32
2155       +---+-----+---+---+
2156       |...|proto|src|dst| ...
2157       +---+-----+---+---+
2158
2159
2160       Matching  on  packet_type  is  a pre-requisite for matching on any data
2161       field, but for backward compatibility, when a match on a data field  is
2162       present  without  a  packet_type  match,  Open vSwitch acts as though a
2163       match on (0,0) (Ethernet)  had  been  supplied.  Similarly,  when  Open
2164       vSwitch  sends  flow match information to a controller, e.g. in a reply
2165       to a request to dump the flow table, Open  vSwitch  omits  a  match  on
2166       packet type (0,0) if it would be implied by a data field match.
2167

CONNECTION TRACKING FIELDS

2169   Summary:
2170       Name          Bytes   Mask   RW?   Prereqs   NXM/OXM Support
2171       ────────────  ──────  ─────  ────  ────────  ────────────────
2172       ct_state      4       yes    no    none      OVS 2.5+
2173       ct_zone       2       no     no    none      OVS 2.5+
2174       ct_mark       4       yes    yes   none      OVS 2.5+
2175       ct_label      16      yes    yes   none      OVS 2.5+
2176       ct_nw_src     4       yes    no    CT        OVS 2.8+
2177       ct_nw_dst     4       yes    no    CT        OVS 2.8+
2178
2179       ct_ipv6_src   16      yes    no    CT        OVS 2.8+
2180       ct_ipv6_dst   16      yes    no    CT        OVS 2.8+
2181       ct_nw_proto   1       no     no    CT        OVS 2.8+
2182       ct_tp_src     2       yes    no    CT        OVS 2.8+
2183       ct_tp_dst     2       yes    no    CT        OVS 2.8+
2184
2185       Open  vSwitch  supports  ``connection tracking,’’ which allows bidirec‐
2186       tional streams of packets to be statefully  grouped  into  connections.
2187       Open  vSwitch connection tracking, for example, identifies the patterns
2188       of TCP packets that indicates a successfully initiated  connection,  as
2189       well  as those that indicate that a connection has been torn down. Open
2190       vSwitch connection tracking can also identify related connections, such
2191       as FTP data connections spawned from FTP control connections.
2192
2193       An  individual packet passing through the pipeline may be in one of two
2194       states, ``untracked’’ or ``tracked,’’ which may  be  distinguished  via
2195       the ``trk’’ flag in ct_state. A packet is untracked at the beginning of
2196       the Open vSwitch pipeline and continues to be untracked until the pipe‐
2197       line  invokes  the  ct  action.  The connection tracking fields are all
2198       zeroes in an untracked packet. When a flow in the Open vSwitch pipeline
2199       invokes  the  ct action, the action initializes the connection tracking
2200       fields and the packet becomes tracked for the remainder of its process‐
2201       ing.
2202
2203       The  connection  tracker  stores connection state in an internal table,
2204       but it only adds a new entry to this table when a ct action for  a  new
2205       connection  invokes  ct  with the commit parameter. For a given connec‐
2206       tion, when a pipeline has executed ct, but not  yet  with  commit,  the
2207       connection  is said to be uncommitted. State for an uncommitted connec‐
2208       tion is ephemeral and does not persist past the end of the pipeline, so
2209       some features are only available to committed connections. A connection
2210       would typically be left uncommitted as a way to drop its packets.
2211
2212       Connection tracking is an Open  vSwitch  extension  to  OpenFlow.  Open
2213       vSwitch  2.5  added the initial support for connection tracking. Subse‐
2214       quent versions of Open vSwitch added many refinements and extensions to
2215       the  initial  support.  Many  of  these capabilities depend on the Open
2216       vSwitch datapath rather than simply the userspace version. The capabil‐
2217       ities  column  in  the  Datapath  table  (see  ovs-vswitchd.conf.db(5))
2218       reports the detailed capabilities of a particular  Open  vSwitch  data‐
2219       path.
2220
2221       Connection Tracking State Field
2222
2223       Name:            ct_state
2224       Width:           32 bits
2225       Format:          ct state
2226
2227       Masking:         arbitrary bitwise masks
2228       Prerequisites:   none
2229       Access:          read-only
2230       OpenFlow 1.0:    not supported
2231       OpenFlow 1.1:    not supported
2232       OXM:             none
2233       NXM:             NXM_NX_CT_STATE (105) since Open vSwitch 2.5
2234
2235       This  field holds several flags that can be used to determine the state
2236       of the connection to which the packet belongs.
2237
2238       Matches on this field are most conveniently written in  terms  of  sym‐
2239       bolic  names  (listed below), each preceded by either + for a flag that
2240       must be set, or - for a flag that must  be  unset,  without  any  other
2241       delimiters  between  the flags. Flags not mentioned are wildcarded. For
2242       example, tcp,ct_state=+trk-new matches TCP packets that have  been  run
2243       through  the  connection tracker and do not establish a new connection.
2244       Matches can also be written as flags/mask, where  flags  and  mask  are
2245       32-bit numbers in decimal or in hexadecimal prefixed by 0x.
2246
2247       The following flags are defined:
2248
2249              new (0x01)
2250                     A new connection. Set to 1 if this is an uncommitted con‐
2251                     nection.
2252
2253              est (0x02)
2254                     Part of an existing connection. Set to 1 if packets of  a
2255                     committed  connection  have  been  seen by conntrack from
2256                     both directions.
2257
2258              rel (0x04)
2259                     Related to an existing connection, e.g. an ICMP  ``desti‐
2260                     nation  unreachable’’ message or an FTP data connections.
2261                     This flag will only be 1 if the connection to which  this
2262                     one is related is committed.
2263
2264                     Connections identified as rel are separate from the orig‐
2265                     inating connection and must be committed separately.  All
2266                     packets  for  a related connection will have the rel flag
2267                     set, not just the initial packet.
2268
2269              rpl (0x08)
2270                     This packet is in the reply direction, meaning that it is
2271                     in  the opposite direction from the packet that initiated
2272                     the connection. This flag will only be 1 if  the  connec‐
2273                     tion is committed.
2274
2275              inv (0x10)
2276                     The state is invalid, meaning that the connection tracker
2277                     couldn’t identify the connection. This flag is  a  catch-
2278                     all  for  problems  in  the  connection or the connection
2279                     tracker, such as:
2280
2281                     ·      L3/L4 protocol handler is not  loaded/unavailable.
2282                            With the Linux kernel datapath, this may mean that
2283                            the nf_conntrack_ipv4 or nf_conntrack_ipv6 modules
2284                            are not loaded.
2285
2286                     ·      L3/L4  protocol handler determines that the packet
2287                            is malformed.
2288
2289                     ·      Packets are unexpected length for protocol.
2290
2291              trk (0x20)
2292                     This packet is tracked, meaning that  it  has  previously
2293                     traversed  the  connection  tracker.  If this flag is not
2294                     set, then no other flags will be set.  If  this  flag  is
2295                     set,  then the packet is tracked and other flags may also
2296                     be set.
2297
2298              snat (0x40)
2299                     This packet was transformed by source address/port trans‐
2300                     lation  by  a preceding ct action. Open vSwitch 2.6 added
2301                     this flag.
2302
2303              dnat (0x80)
2304                     This packet was transformed by  destination  address/port
2305                     translation  by  a  preceding ct action. Open vSwitch 2.6
2306                     added this flag.
2307
2308       There are additional constraints on these flags, listed  in  decreasing
2309       order of precedence below:
2310
2311              1.  If trk is unset, no other flags are set.
2312
2313              2.  If trk is set, one or more other flags may be set.
2314
2315              3.  If inv is set, only the trk flag is also set.
2316
2317              4.  new and est are mutually exclusive.
2318
2319              5.  new and rpl are mutually exclusive.
2320
2321              6.  rel may be set in conjunction with any other flags.
2322
2323       Future versions of Open vSwitch may define new flags.
2324
2325       Connection Tracking Zone Field
2326
2327       Name:            ct_zone
2328       Width:           16 bits
2329       Format:          hexadecimal
2330       Masking:         not maskable
2331       Prerequisites:   none
2332       Access:          read-only
2333       OpenFlow 1.0:    not supported
2334       OpenFlow 1.1:    not supported
2335       OXM:             none
2336       NXM:             NXM_NX_CT_ZONE (106) since Open vSwitch 2.5
2337
2338       A connection tracking zone, the zone value passed to the most recent ct
2339       action. Each zone is an independent  connection  tracking  context,  so
2340       tracking  the  same  packet  in multiple contexts requires using the ct
2341       action multiple times.
2342
2343       Connection Tracking Mark Field
2344
2345       Name:            ct_mark
2346       Width:           32 bits
2347       Format:          hexadecimal
2348       Masking:         arbitrary bitwise masks
2349       Prerequisites:   none
2350       Access:          read/write
2351       OpenFlow 1.0:    not supported
2352
2353       OpenFlow 1.1:    not supported
2354       OXM:             none
2355       NXM:             NXM_NX_CT_MARK (107) since Open vSwitch 2.5
2356
2357       The metadata committed, by an action within the exec parameter  to  the
2358       ct action, to the connection to which the current packet belongs.
2359
2360       Connection Tracking Label Field
2361
2362       Name:            ct_label
2363       Width:           128 bits
2364       Format:          hexadecimal
2365       Masking:         arbitrary bitwise masks
2366       Prerequisites:   none
2367
2368       Access:          read/write
2369       OpenFlow 1.0:    not supported
2370       OpenFlow 1.1:    not supported
2371       OXM:             none
2372       NXM:             NXM_NX_CT_LABEL (108) since Open vSwitch 2.5
2373
2374       The  label  committed, by an action within the exec parameter to the ct
2375       action, to the connection to which the current packet belongs.
2376
2377       Open vSwitch 2.8 introduced the matching support for connection tracker
2378       original direction 5-tuple fields.
2379
2380       For non-committed non-related connections the conntrack original direc‐
2381       tion tuple fields always have the  same  values  as  the  corresponding
2382       headers in the packet itself. For any other packets of a committed con‐
2383       nection the conntrack original direction tuple fields reflect the  val‐
2384       ues from that initial non-committed non-related packet, and thus may be
2385       different from the actual packet headers, as the actual packet  headers
2386       may  be  in  reverse  direction (for reply packets), transformed by NAT
2387       (when nat option was applied to the connection),  or  be  of  different
2388       protocol  (i.e.,  when  an  ICMP response is sent to an UDP packet). In
2389       case of related connections, e.g., an FTP data connection, the original
2390       direction tuple contains the original direction headers from the parent
2391       connection, e.g., an FTP control connection.
2392
2393       The following fields are populated by the  ct  action,  and  require  a
2394       match  to a valid connection tracking state as a prerequisite, in addi‐
2395       tion to the IP or IPv6 ethertype match. Examples  of  valid  connection
2396       tracking    state   matches   include   ct_state=+new,   ct_state=+est,
2397       ct_state=+rel, and ct_state=+trk-inv.
2398
2399       Connection Tracking Original Direction IPv4 Source Address Field
2400
2401       Name:            ct_nw_src
2402       Width:           32 bits
2403       Format:          IPv4
2404       Masking:         arbitrary bitwise masks
2405       Prerequisites:   CT
2406       Access:          read-only
2407       OpenFlow 1.0:    not supported
2408       OpenFlow 1.1:    not supported
2409       OXM:             none
2410       NXM:             NXM_NX_CT_NW_SRC (120) since Open vSwitch 2.8
2411
2412       Matches IPv4 conntrack original direction tuple source address. See the
2413       paragraphs  above  for  general  description  to the conntrack original
2414       direction tuple. Introduced in Open vSwitch 2.8.
2415
2416       Connection Tracking Original Direction IPv4 Destination Address Field
2417
2418       Name:            ct_nw_dst
2419       Width:           32 bits
2420       Format:          IPv4
2421       Masking:         arbitrary bitwise masks
2422       Prerequisites:   CT
2423       Access:          read-only
2424       OpenFlow 1.0:    not supported
2425       OpenFlow 1.1:    not supported
2426       OXM:             none
2427
2428       NXM:             NXM_NX_CT_NW_DST (121) since Open vSwitch 2.8
2429
2430       Matches IPv4 conntrack original direction  tuple  destination  address.
2431       See the paragraphs above for general description to the conntrack orig‐
2432       inal direction tuple. Introduced in Open vSwitch 2.8.
2433
2434       Connection Tracking Original Direction IPv6 Source Address Field
2435
2436       Name:            ct_ipv6_src
2437       Width:           128 bits
2438       Format:          IPv6
2439       Masking:         arbitrary bitwise masks
2440       Prerequisites:   CT
2441       Access:          read-only
2442
2443       OpenFlow 1.0:    not supported
2444       OpenFlow 1.1:    not supported
2445       OXM:             none
2446       NXM:             NXM_NX_CT_IPV6_SRC (122) since Open vSwitch 2.8
2447
2448       Matches IPv6 conntrack original direction tuple source address. See the
2449       paragraphs  above  for  general  description  to the conntrack original
2450       direction tuple. Introduced in Open vSwitch 2.8.
2451
2452       Connection Tracking Original Direction IPv6 Destination Address Field
2453
2454       Name:            ct_ipv6_dst
2455       Width:           128 bits
2456       Format:          IPv6
2457
2458       Masking:         arbitrary bitwise masks
2459       Prerequisites:   CT
2460       Access:          read-only
2461       OpenFlow 1.0:    not supported
2462       OpenFlow 1.1:    not supported
2463       OXM:             none
2464       NXM:             NXM_NX_CT_IPV6_DST (123) since Open vSwitch 2.8
2465
2466       Matches IPv6 conntrack original direction  tuple  destination  address.
2467       See the paragraphs above for general description to the conntrack orig‐
2468       inal direction tuple. Introduced in Open vSwitch 2.8.
2469
2470       Connection Tracking Original Direction IP Protocol Field
2471
2472
2473       Name:            ct_nw_proto
2474       Width:           8 bits
2475       Format:          decimal
2476       Masking:         not maskable
2477       Prerequisites:   CT
2478       Access:          read-only
2479       OpenFlow 1.0:    not supported
2480       OpenFlow 1.1:    not supported
2481       OXM:             none
2482       NXM:             NXM_NX_CT_NW_PROTO (119) since Open vSwitch 2.8
2483
2484       Matches conntrack original direction tuple IP protocol type,  which  is
2485       specified  as  a decimal number between 0 and 255, inclusive (e.g. 1 to
2486       match ICMP packets or 6 to match TCP packets). In case of, for example,
2487       an  ICMP  response  to an UDP packet, this may be different from the IP
2488       protocol type of the packet itself. See the paragraphs above  for  gen‐
2489       eral  description to the conntrack original direction tuple. Introduced
2490       in Open vSwitch 2.8.
2491
2492       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2493       Field
2494
2495       Name:            ct_tp_src
2496       Width:           16 bits
2497       Format:          decimal
2498       Masking:         arbitrary bitwise masks
2499       Prerequisites:   CT
2500       Access:          read-only
2501       OpenFlow 1.0:    not supported
2502
2503       OpenFlow 1.1:    not supported
2504       OXM:             none
2505       NXM:             NXM_NX_CT_TP_SRC (124) since Open vSwitch 2.8
2506
2507       Bitwise  match  on  the  conntrack  original  direction tuple transport
2508       source, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for  UDP,  or  132
2509       for  SCTP. When MFF_CT_NW_PROTO has value 1 for ICMP, or 58 for ICMPv6,
2510       the lower 8 bits of MFF_CT_TP_SRC matches the conntrack original direc‐
2511       tion ICMP type. See the paragraphs above for general description to the
2512       conntrack original direction tuple. Introduced in Open vSwitch 2.8.
2513
2514       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2515       Field
2516
2517
2518       Name:            ct_tp_dst
2519       Width:           16 bits
2520       Format:          decimal
2521       Masking:         arbitrary bitwise masks
2522       Prerequisites:   CT
2523       Access:          read-only
2524       OpenFlow 1.0:    not supported
2525       OpenFlow 1.1:    not supported
2526       OXM:             none
2527       NXM:             NXM_NX_CT_TP_DST (125) since Open vSwitch 2.8
2528
2529       Bitwise  match on the conntrack original direction tuple transport des‐
2530       tination port, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for UDP, or
2531       132  for  SCTP.  When  MFF_CT_NW_PROTO  has value 1 for ICMP, or 58 for
2532       ICMPv6, the lower 8 bits of MFF_CT_TP_DST matches the conntrack  origi‐
2533       nal  direction ICMP code. See the paragraphs above for general descrip‐
2534       tion to the conntrack original  direction  tuple.  Introduced  in  Open
2535       vSwitch 2.8.
2536