1ovs-fields(7)                 Open vSwitch Manual                ovs-fields(7)
2
3
4

NAME

6       ovs-fields - protocol header fields in OpenFlow and Open vSwitch
7

INTRODUCTION

9       This  document aims to comprehensively document all of the fields, both
10       standard and non-standard, supported by OpenFlow or Open  vSwitch,  re‐
11       gardless of origin.
12
13   Fields
14       A  field  is  a  property of a packet. Most familiarly, data fields are
15       fields that can be extracted from a packet. Most data fields are copied
16       directly  from  protocol  headers, e.g. at layer 2, the Ethernet source
17       and destination addresses, or the VLAN ID; at layer 3, the IPv4 or IPv6
18       source  and  destination;  and  at layer 4, the TCP or UDP ports. Other
19       data fields are computed, e.g. ip_frag describes whether a packet is  a
20       fragment but it is not copied directly from the IP header.
21
22       Data  fields that are always present as a consequence of the basic net‐
23       working technology in use are called called root fields.  Open  vSwitch
24       2.7  and earlier considered Ethernet fields to be root fields, and this
25       remains the default mode of operation for Open vSwitch bridges. When  a
26       packet  is  received  from a non-Ethernet interfaces, such as a layer-3
27       LISP tunnel, Open vSwitch 2.7 and earlier force-fit the packet to  this
28       Ethernet-centric point of view by pretending that an Ethernet header is
29       present whose Ethernet type that indicates  the  packet’s  actual  type
30       (and whose source and destination addresses are all-zero).
31
32       Open vSwitch 2.8 and later implement the ``packet type-aware pipeline’’
33       concept introduced in OpenFlow 1.5. Such a pipeline does not  have  any
34       root  fields. Instead, a new metadata field, packet_type, indicates the
35       basic type of the packet, which can be Ethernet, IPv4, IPv6, or another
36       type.  For backward compatibility, by default Open vSwitch 2.8 imitates
37       the behavior of Open vSwitch 2.7 and earlier. Later  versions  of  Open
38       vSwitch  may  change  the  default, and in the meantime controllers can
39       turn off this legacy behavior, on a port-by-port basis, by setting  op‐
40       tions:packet_type  to  ptap in the Interface table. This is significant
41       only for ports that can handle non-Ethernet packets, which is currently
42       just  LISP, VXLAN-GPE, and GRE tunnel ports. See ovs-vwitchd.conf.db(5)
43       for more information.
44
45       Non-root data fields are not always  present.  A  packet  contains  ARP
46       fields,  for example, only when its packet type is ARP or when it is an
47       Ethernet packet whose Ethernet header indicates the Ethertype for  ARP,
48       0x0806.  In  this documentation, we say that a field is applicable when
49       it is present in a packet, and inapplicable when it is not. (These  are
50       not  standard terms.) We refer to the conditions that determine whether
51       a field is applicable as prerequisites. Some VLAN-related fields are  a
52       special  case: these fields are always applicable for Ethernet packets,
53       but have a designated value or bit that indicates whether a VLAN header
54       is  present,  with  the  remaining  values  or bits indicating the VLAN
55       header’s content (if it is present).
56
57       An inapplicable field does  not  have  a  value,  not  even  a  nominal
58       ``value’’  such  as  all-zero-bits. In many circumstances, OpenFlow and
59       Open vSwitch allow references only to applicable fields.  For  example,
60       one may match (see Matching, below) a given field only if the match in‐
61       cludes the field’s prerequisite, e.g. matching an ARP field is only al‐
62       lowed  if  one  also matches on Ethertype 0x0806 or the packet_type for
63       ARP in a packet type-aware bridge.
64
65       Sometimes a packet may contain multiple instances of a header. For  ex‐
66       ample,  a packet may contain multiple VLAN or MPLS headers, and tunnels
67       can cause any data field to recur. OpenFlow and Open vSwitch do not ad‐
68       dress these cases uniformly. For VLAN and MPLS headers, only the outer‐
69       most header is accessible, so that inner headers may be  accessed  only
70       by ``popping’’ (removing) the outer header. (Open vSwitch supports only
71       a single VLAN header in any case.) For tunnels, e.g. GRE or VXLAN,  the
72       outer header and inner headers are treated as different data fields.
73
74       Many  network  protocols are built in layers as a stack of concatenated
75       headers. Each header typically contains a ``next type’’ field that  in‐
76       dicates  the  type  of  the protocol header that follows, e.g. Ethernet
77       contains an Ethertype and IPv4 contains a IP protocol type. The  excep‐
78       tional  cases,  where protocols are layered but an outer layer does not
79       indicate the protocol type for the inner layer, or gives  only  an  am‐
80       biguous  indication, are troublesome. An MPLS header, for example, only
81       indicates whether another MPLS header or some other  protocol  follows,
82       and  in  the latter case the inner protocol must be known from the con‐
83       text. In these exceptional cases, OpenFlow and Open vSwitch cannot pro‐
84       vide  insight  into  the  inner protocol data fields without additional
85       context, and thus they treat all later data fields as inapplicable  un‐
86       til  an  OpenFlow action explicitly specifies what protocol follows. In
87       the case of MPLS, the OpenFlow ``pop MPLS’’  action  that  removes  the
88       last  MPLS header from a packet provides this context, as the Ethertype
89       of the payload. See Layer 2.5: MPLS for more information.
90
91       OpenFlow and Open vSwitch support some fields other than  data  fields.
92       Metadata fields relate to the origin or treatment of a packet, but they
93       are not extracted from the packet data itself. One example is the phys‐
94       ical  port on which a packet arrived at the switch. Register fields act
95       like variables: they give an OpenFlow switch space for temporary  stor‐
96       age  while  processing  a packet. Existing metadata and register fields
97       have no prerequisites.
98
99       A field’s value consists of an  integral  number  of  bytes.  For  data
100       fields, sometimes those bytes are taken directly from the packet. Other
101       data fields are copied from a packet with padding (usually  with  zeros
102       and  in  the most significant positions). The remaining data fields are
103       transformed in other ways as they are copied from the packets, to  make
104       them more useful for matching.
105
106   Matching
107       The  most important use of fields in OpenFlow is matching, to determine
108       whether particular field values agree with a set of constraints  called
109       a  match.  A  match  consists of zero or more constraints on individual
110       fields, all of which must be met to satisfy the match.  (A  match  that
111       contains no constraints is always satisfied.) OpenFlow and Open vSwitch
112       support a number of forms of matching on individual fields:
113
114              Exact match, e.g. nw_src=10.1.2.3
115                     Only a particular value of the field is matched; for  ex‐
116                     ample,  only  one  particular  source  IP  address. Exact
117                     matches are written as field=value.  The  forms  accepted
118                     for value depend on the field.
119
120                     All fields support exact matches.
121
122              Bitwise match, e.g. nw_src=10.1.0.0/255.255.0.0
123                     Specific  bits  in  the field must have specified values;
124                     for example, only source IP  addresses  in  a  particular
125                     subnet.  Bitwise matches are written as field=value/mask,
126                     where value and mask take one of the forms  accepted  for
127                     an  exact  match on field. Some fields accept other forms
128                     for       bitwise       matches;       for       example,
129                     nw_src=10.1.0.0/255.255.0.0    may    also   be   written
130                     nw_src=10.1.0.0/16.
131
132                     Most OpenFlow switches do not allow every bitwise  match‐
133                     ing on every field (and before OpenFlow 1.2, the protocol
134                     did  not  even  provide  for  the  possibility  for  most
135                     fields).  Even switches that do allow bitwise matching on
136                     a given field may restrict the masks  that  are  allowed,
137                     e.g.  by allowing matches only on contiguous sets of bits
138                     starting from the most significant bit, that is, ``CIDR’’
139                     masks  [RFC  4632].  Open vSwitch does not allows bitwise
140                     matching on every field, but it allows arbitrary  bitwise
141                     masks  on  any  field that does support bitwise matching.
142                     (Older versions had some restrictions, as  documented  in
143                     the descriptions of individual fields.)
144
145              Wildcard, e.g. ``any nw_src’’
146                     The  value  of  the  field is not constrained. Wildcarded
147                     fields may be written as field=*, although it is  unusual
148                     to  mention  them at all. (When specifying a wildcard ex‐
149                     plicitly in a command invocation, be sure to using  quot‐
150                     ing to protect against shell expansion.)
151
152                     There  is  a  tiny difference between wildcarding a field
153                     and not specifying any match on a  field:  wildcarding  a
154                     field requires satisfying the field’s prerequisites.
155
156       Some types of matches on individual fields cannot be expressed directly
157       with OpenFlow and Open vSwitch. These can be expressed indirectly:
158
159              Set match, e.g. ``tcp_dst ∈ {80, 443, 8080}’’
160                     The value of a field is one of a specified set of values;
161                     for  example,  the  TCP  destination  port is 80, 443, or
162                     8080.
163
164                     For matches used in flows (see  Flows,  below),  multiple
165                     flows can simulate set matches.
166
167              Range match, e.g. ``1000 ≤ tcp_dst ≤ 1999’’
168                     The value of the field must lie within a numerical range,
169                     for example, TCP destination ports between 1000 and 1999.
170
171                     Range matches can be expressed as a collection of bitwise
172                     matches.  For  example, suppose that the goal is to match
173                     TCP source ports 1000 to 1999, inclusive. The binary rep‐
174                     resentations of 1000 and 1999 are:
175
176                     01111101000
177                     11111001111
178
179
180                     The  following  series of bitwise matches will match 1000
181                     and 1999 and all the values in between:
182
183                     01111101xxx
184                     0111111xxxx
185                     10xxxxxxxxx
186                     110xxxxxxxx
187                     1110xxxxxxx
188                     11110xxxxxx
189                     1111100xxxx
190
191
192                     which can be written as the following matches:
193
194                     tcp,tp_src=0x03e8/0xfff8
195                     tcp,tp_src=0x03f0/0xfff0
196                     tcp,tp_src=0x0400/0xfe00
197                     tcp,tp_src=0x0600/0xff00
198                     tcp,tp_src=0x0700/0xff80
199                     tcp,tp_src=0x0780/0xffc0
200                     tcp,tp_src=0x07c0/0xfff0
201
202
203              Inequality match, e.g. ``tcp_dst ≠ 80’’
204                     The value of the field differs from  a  specified  value,
205                     for example, all TCP destination ports except 80.
206
207                     An inequality match on an n-bit field can be expressed as
208                     a disjunction of n 1-bit matches. For  example,  the  in‐
209                     equality  match  ``vlan_pcp  ≠  5’’  can  be expressed as
210                     ``vlan_pcp = 0/4 or vlan_pcp = 2/2 or vlan_pcp  =  0/1.’’
211                     For  matches  used in flows (see Flows, below), sometimes
212                     one can more compactly express inequality  as  a  higher-
213                     priority  flow  that  matches the exceptional case paired
214                     with a lower-priority flow that matches the general case.
215
216                     Alternatively, an inequality match may be converted to  a
217                     pair of range matches, e.g. tcp_src ≠ 80 may be expressed
218                     as ``0 ≤ tcp_src < 80 or 80 < tcp_src ≤ 65535’’, and then
219                     each  range  match  may in turn be converted to a bitwise
220                     match.
221
222              Conjunctive match, e.g. ``tcp_src ∈ {80, 443, 8080} and  tcp_dst
223              ∈ {80, 443, 8080}’’
224                     As  an OpenFlow extension, Open vSwitch supports matching
225                     on conditions on conjunctions of the previously mentioned
226                     forms  of matching. See the documentation for conj_id for
227                     more information.
228
229       All of these supported forms of matching are special cases  of  bitwise
230       matching.  In  some  cases  this influences the design of field values.
231       ip_frag is the most prominent example: it is designed to  make  all  of
232       the practically useful checks for IP fragmentation possible as a single
233       bitwise match.
234
235     Shorthands
236
237       Some matches are very commonly used, so Open vSwitch accepts  shorthand
238       notations.  In  some  cases, Open vSwitch also uses shorthand notations
239       when it displays matches. The following shorthands  are  defined,  with
240       their long forms shown on the right side:
241
242              eth    packet_type=(0,0) (Open vSwitch 2.8 and later)
243
244              ip     eth_type=0x0800
245
246              ipv6   eth_type=0x86dd
247
248              icmp   eth_type=0x0800,ip_proto=1
249
250              icmp6  eth_type=0x86dd,ip_proto=58
251
252              tcp    eth_type=0x0800,ip_proto=6
253
254              tcp6   eth_type=0x86dd,ip_proto=6
255
256              udp    eth_type=0x0800,ip_proto=17
257
258              udp6   eth_type=0x86dd,ip_proto=17
259
260              sctp   eth_type=0x0800,ip_proto=132
261
262              sctp6  eth_type=0x86dd,ip_proto=132
263
264              arp    eth_type=0x0806
265
266              rarp   eth_type=0x8035
267
268              mpls   eth_type=0x8847
269
270              mplsm  eth_type=0x8848
271
272   Evolution of OpenFlow Fields
273       The  discussion  so  far  applies to all OpenFlow and Open vSwitch ver‐
274       sions. This section starts to draw in specific information by  explain‐
275       ing,  in broad terms, the treatment of fields and matches in each Open‐
276       Flow version.
277
278     OpenFlow 1.0
279
280       OpenFlow 1.0 defined the OpenFlow protocol  format  of  a  match  as  a
281       fixed-length data structure that could match on the following fields:
282
283              •      Ingress port.
284
285              •      Ethernet source and destination MAC.
286
287              •      Ethertype (with a special value to match frames that lack
288                     an Ethertype).
289
290              •      VLAN ID and priority.
291
292              •      IPv4 source, destination, protocol, and DSCP.
293
294              •      TCP source and destination port.
295
296              •      UDP source and destination port.
297
298              •      ICMPv4 type and code.
299
300              •      ARP IPv4 addresses (SPA and TPA) and opcode.
301
302       Each supported field corresponded to some member of the data structure.
303       Some  members represented multiple fields, in the case of the TCP, UDP,
304       ICMPv4, and ARP fields whose presence is mutually exclusive. This  also
305       meant that some members were poor fits for their fields: only the low 8
306       bits of the 16-bit ARP opcode could be represented, and the ICMPv4 type
307       and  code were padded with 8 bits of zeros to fit in the 16-bit members
308       primarily meant for TCP and UDP ports. An additional bitmap member  in‐
309       dicated,  for  each member, whether its field should be an ``exact’’ or
310       ``wildcarded’’ match (see Matching), with additional support  for  CIDR
311       prefix matching on the IPv4 source and destination fields.
312
313       Simplicity was recognized early on as the main virtue of this approach.
314       Obviously, any fixed-length data structure cannot support matching  new
315       protocols that do not fit. There was no room, for example, for matching
316       IPv6 fields, which was not a priority at the time. Lack of room to sup‐
317       port matching the Ethernet addresses inside ARP packets actually caused
318       more of a design problem later, leading to an  Open  vSwitch  extension
319       action  specialized  for  dropping ``spoofed’’ ARP packets in which the
320       frame and ARP Ethernet source addressed differed. (This  extension  was
321       never  standardized. Open vSwitch dropped support for it a few releases
322       after it added support for full ARP matching.)
323
324       The design of the OpenFlow fixed-length matches also  illustrates  com‐
325       promises,  in  both directions, between the strengths and weaknesses of
326       software and hardware that have always influenced the design  of  Open‐
327       Flow. Support for matching ARP fields that do fit in the data structure
328       was only added late in the design process  (and  remained  optional  in
329       OpenFlow 1.0), for example, because common switch ASICs did not support
330       matching these fields.
331
332       The compromises in favor of software occurred for more complicated rea‐
333       sons.  The OpenFlow designers did not know how to implement matching in
334       software that was fast, dynamic, and general. (A way  was  later  found
335       [Srinivasan].)  Thus,  the designers sought to support dynamic, general
336       matching that would be fast in realistic special cases,  in  particular
337       when  all of the matches were microflows, that is, matches that specify
338       every field present in a packet, because such  matches  can  be  imple‐
339       mented  as  a single hash table lookup. Contemporary research supported
340       the feasibility of this approach: the number of microflows in a  campus
341       network  had  been  measured  to  peak at about 10,000 [Casado, section
342       3.2]. (Calculations show that this can only be true in a lightly loaded
343       network [Pepelnjak].)
344
345       As  a result, OpenFlow 1.0 required switches to treat microflow matches
346       as the highest possible priority. This let  software  switches  perform
347       the  microflow  hash table lookup first. Only on failure to match a mi‐
348       croflow did the switch need to fall back to checking the  more  general
349       and presumed slower matches. Also, the OpenFlow 1.0 flow match was min‐
350       imally flexible, with no support for general bitwise  matching,  partly
351       on  the basis that this seemed more likely amenable to relatively effi‐
352       cient software implementation. (CIDR masking  for  IPv4  addresses  was
353       added relatively late in the OpenFlow 1.0 design process.)
354
355       Microflow  matching was later discovered to aid some hardware implemen‐
356       tations. The TCAM chips used for matching in hardware  do  not  support
357       priority in the same way as OpenFlow but instead tie priority to order‐
358       ing [Pagiamtzis]. Thus, adding a new match with a priority between  the
359       priorities of existing matches can require reordering an arbitrary num‐
360       ber of TCAM entries. On the other hand,  when  microflows  are  highest
361       priority,  they  can  be managed as a set-aside portion of the TCAM en‐
362       tries.
363
364       The emphasis on matching microflows also  led  designers  to  carefully
365       consider  the  bandwidth requirements between switch and controller: to
366       maximize the number of microflow setups per second, one  must  minimize
367       the size of each flow’s description. This favored the fixed-length for‐
368       mat in use, because it expressed common TCP and UDP microflows in fewer
369       bytes  than  more  flexible ``type-length-value’’ (TLV) formats. (Early
370       versions of OpenFlow also avoided TLVs in general to head off  protocol
371       fragmentation.)
372
373       Inapplicable Fields
374
375       OpenFlow 1.0 does not clearly specify how to treat inapplicable fields.
376       The members for inapplicable fields are always  present  in  the  match
377       data  structure,  as  are the bits that indicate whether the fields are
378       matched, and the ``correct’’ member and  bit  values  for  inapplicable
379       fields  is unclear. OpenFlow 1.0 implementations changed their behavior
380       over time as priorities shifted. The early OpenFlow reference implemen‐
381       tation,  motivated  to  make  every flow a microflow to enable hashing,
382       treated inapplicable fields as exact matches on  a  value  of  0.  Ini‐
383       tially, this behavior was implemented in the reference controller only.
384
385       Later,  the  reference  switch  was  also changed to actually force any
386       wildcarded inapplicable fields into exact matches on 0. The latter  be‐
387       havior sometimes caused problems, because the modified flow was the one
388       reported back to the controller later when it queried the  flow  table,
389       and  the  modifications  sometimes  meant that the controller could not
390       properly recognize the flow that it had added. In  retrospect,  perhaps
391       this  problem  should have alerted the designers to a design error, but
392       the ability to use a single hash table was held to  be  more  important
393       than almost every other consideration at the time.
394
395       When  more flexible match formats were introduced much later, they dis‐
396       allowed any mention of inapplicable fields as part  of  a  match.  This
397       raised the question of how to translate between this new format and the
398       OpenFlow 1.0 fixed format. It seemed somewhat inconsistent and backward
399       to  treat  fields as exact-match in one format and forbid matching them
400       in the other, so instead the treatment of inapplicable  fields  in  the
401       fixed-length  format  was changed from exact match on 0 to wildcarding.
402       (A better classifier had by now eliminated software  performance  prob‐
403       lems with wildcards.)
404
405       The OpenFlow 1.0.1 errata (released only in 2012) added some additional
406       explanation [OpenFlow 1.0.1, section 3.4], but it did not mandate  spe‐
407       cific behavior because of variation among implementations.
408
409     OpenFlow 1.1
410
411       The   OpenFlow   1.1   protocol   match   format   was  designed  as  a
412       type/length/value (TLV) format to allow  for  future  flexibility.  The
413       specification standardized only a single type OFPMT_STANDARD (0) with a
414       fixed-size payload, described here. The additional fields  and  bitwise
415       masks  in  OpenFlow  1.1 cause this match structure to be over twice as
416       large as in OpenFlow 1.0, 88 bytes versus 40.
417
418       OpenFlow 1.1 added support for the following fields:
419
420              •      SCTP source and destination port.
421
422              •      MPLS label and traffic control (TC) fields.
423
424              •      One 64-bit register (named ``metadata’’).
425
426       OpenFlow 1.1 increased the width of the ingress port number field  (and
427       all other port numbers in the protocol) from 16 bits to 32 bits.
428
429       OpenFlow  1.1  increased  matching flexibility by introducing arbitrary
430       bitwise matching on Ethernet and IPv4 address fields  and  on  the  new
431       ``metadata’’  register field. Switches were not required to support all
432       possible masks [OpenFlow 1.1, section 4.3].
433
434       By a strict reading of the specification, OpenFlow 1.1 removed  support
435       for  matching  ICMPv4  type and code [OpenFlow 1.1, section A.2.3], but
436       this is likely an editing error  because  ICMP  matching  is  described
437       elsewhere [OpenFlow 1.1, Table 3, Table 4, Figure 4]. Open vSwitch does
438       support ICMPv4 type and code matching with OpenFlow 1.1.
439
440       OpenFlow 1.1 avoided the pitfalls of inapplicable fields that  OpenFlow
441       1.0  encountered, by requiring the switch to ignore the specified field
442       values [OpenFlow 1.1, section A.2.3]. It also implied that  the  switch
443       should  ignore  the  bits  that  indicate whether to match inapplicable
444       fields.
445
446       Physical Ingress Port
447
448       OpenFlow 1.1 introduced a new pseudo-field, the physical ingress  port.
449       The  physical  ingress port is only a pseudo-field because it cannot be
450       used for matching. It appears only one place in the  protocol,  in  the
451       ``packet-in’’ message that passes a packet received at the switch to an
452       OpenFlow controller.
453
454       A packet’s ingress port and physical ingress port are identical  except
455       for  packets processed by a switch feature such as bonding or tunneling
456       that makes a packet appear to arrive on a ``virtual’’  port  associated
457       with  the bond or the tunnel. For such packets, the ingress port is the
458       virtual port and the physical ingress port is, naturally, the  physical
459       port. Open vSwitch implements both bonding and tunneling, but its bond‐
460       ing implementation does not use virtual ports and its tunnels are typi‐
461       cally  not  on the same OpenFlow switch as their physical ingress ports
462       (which need not be part of any switch), so the ingress port and  physi‐
463       cal ingress port are always the same in Open vSwitch.
464
465     OpenFlow 1.2
466
467       OpenFlow  1.2 abandoned the fixed-length approach to matching. One rea‐
468       son was size, since adding support for IPv6 address matching (now  seen
469       as  important),  with  bitwise  masks, would have added 64 bytes to the
470       match length, increasing it from 88 bytes in OpenFlow 1.1 to  over  150
471       bytes.  Extensibility  had  also become important as controller writers
472       increasingly wanted support for new fields  without  having  to  change
473       messages  throughout the OpenFlow protocol. The challenges of carefully
474       defining fixed-length  matches  to  avoid  problems  with  inapplicable
475       fields had also become clear over time.
476
477       Therefore,  OpenFlow  1.2  adopted a flow format using a flexible type-
478       length-value (TLV) representation, in which each TLV expresses a  match
479       on one field. These TLVs were in turn encapsulated inside the outer TLV
480       wrapper introduced in OpenFlow 1.1 with the  new  identifier  OFPMT_OXM
481       (1).  (This  wrapper  fulfilled  its  intended  purpose of reducing the
482       amount of churn in the protocol when changing match formats; some  mes‐
483       sages that included matches remained unchanged from OpenFlow 1.1 to 1.2
484       and later versions.)
485
486       OpenFlow 1.2 added support for the following fields:
487
488              •      ARP hardware addresses (SHA and THA).
489
490              •      IPv4 ECN.
491
492              •      IPv6 source and destination addresses, flow label,  DSCP,
493                     ECN, and protocol.
494
495              •      TCP,  UDP, and SCTP port numbers when encapsulated inside
496                     IPv6.
497
498              •      ICMPv6 type and code.
499
500              •      ICMPv6 Neighbor Discovery target address and  source  and
501                     target Ethernet addresses.
502
503       The  OpenFlow  1.2  format, called OXM (OpenFlow Extensible Match), was
504       modeled closely on an extension to  OpenFlow  1.0  introduced  in  Open
505       vSwitch 1.1 called NXM (Nicira Extended Match). Each OXM or NXM TLV has
506       the following format:
507
508               type
509        <---------------->
510             16        7   1    8      length bytes
511       +------------+-----+--+------+ +------------+
512       |vendor/class|field|HM|length| |    body    |
513       +------------+-----+--+------+ +------------+
514
515
516       The most significant 16 bits of the NXM or OXM header, called vendor by
517       NXM  and  class  by OXM, identify an organization permitted to allocate
518       identifiers for fields. NXM allocates  only  two  vendors,  0x0000  for
519       fields  supported  by OpenFlow 1.0 and 0x0001 for fields implemented as
520       an Open vSwitch extension. OXM assigns classes as follows:
521
522              0x0000 (OFPXMC_NXM_0).
523              0x0001 (OFPXMC_NXM_1).
524                   Reserved for NXM compatibility.
525
526              0x0002 to 0x7fff
527                   Reserved for allocation to ONF members, but  none  yet  as‐
528                   signed.
529
530              0x8000 (OFPXMC_OPENFLOW_BASIC)
531                   Used for most standard OpenFlow fields.
532
533              0x8001 (OFPXMC_PACKET_REGS)
534                   Used for packet register fields in OpenFlow 1.5 and later.
535
536              0x8002 to 0xfffe
537                   Reserved for the OpenFlow specification.
538
539              0xffff (OFPXMC_EXPERIMENTER)
540                   Experimental use.
541
542       When  class  is  0xffff, the OXM header is extended to 64 bits by using
543       the first 32 bits of the body as an experimenter field whose most  sig‐
544       nificant byte is zero and whose remaining bytes are an Organizationally
545       Unique Identifier (OUI) assigned by the IEEE [IEEE OUI], as  shown  be‐
546       low.
547
548            type                 experimenter
549        <---------->             <---------->
550          16     7   1    8        8     24     (length - 4) bytes
551       +------+-----+--+------+ +------+-----+ +------------------+
552       |class |field|HM|length| | zero | OUI | |       body       |
553       +------+-----+--+------+ +------+-----+ +------------------+
554        0xffff                    0x00
555
556
557       OpenFlow  says  that  support for experimenter fields is optional. Open
558       vSwitch 2.4 and later does support them, so that  it  can  support  the
559       following experimenter classes:
560
561              0x4f4e4600 (ONFOXM_ET)
562                     Used by official Open Networking Foundation extensions in
563                     OpenFlow 1.3 and later. e.g. [TCP Flags Match  Field  Ex‐
564                     tension].
565
566              0x005ad650 (NXOXM_NSH)
567                     Used  by  Open vSwitch for NSH extensions, in the absence
568                     of an official ONF-assigned class. (This OUI is  randomly
569                     generated.)
570
571       Taken  as  a  unit,  class  (or  vendor), field, and experimenter (when
572       present) uniquely identify a particular field.
573
574       When hasmask (abbreviated HM above) is 0, the OXM is an exact match  on
575       an  entire  field.  In  this case, the body (excluding the experimenter
576       field, if present) is a single value to be matched.
577
578       When hasmask is 1, the OXM is a bitwise match. The body (excluding  the
579       experimenter  field) consists of a value to match, followed by the bit‐
580       wise mask to apply. A 1-bit in the mask indicates that the  correspond‐
581       ing  bit  in  the value should be matched and a 0-bit that it should be
582       ignored. For example, for an IP address field, a value  of  192.168.0.0
583       followed  by  a  mask  of  255.255.0.0  would  match  addresses  in the
584       196.168.0.0/16 subnet.
585
586              •      Some fields might not support masking at  all,  and  some
587                     fields  that do support masking might restrict it to cer‐
588                     tain patterns. For example, fields that have  IP  address
589                     values  might  be  restricted to CIDR masks. The descrip‐
590                     tions of individual fields note these restrictions.
591
592              •      An OXM TLV with a mask that is all zeros  is  not  useful
593                     (although  it  is  not  forbidden), because it is has the
594                     same effect as omitting the TLV entirely.
595
596              •      It is not meaningful to pair a 0-bit in an OXM mask  with
597                     a  1-bit  in  its value, and Open vSwitch rejects such an
598                     OXM with the error OFPBMC_BAD_WILDCARDS, as  required  by
599                     OpenFlow 1.3 and later.
600
601       The  length  identifies  the number of bytes in the body, including the
602       4-byte experimenter header, if it is present. Each OXM TLV has a  fixed
603       length;  that  is,  given  class, field, experimenter (if present), and
604       hasmask, length is a constant. The length is included explicitly to al‐
605       low software to minimally parse OXM TLVs of unknown types.
606
607       OXM  TLVs must be ordered so that a field’s prerequisites are satisfied
608       before it is parsed. For example, an OXM TLV that matches on  the  IPv4
609       source  address field is only allowed following an OXM TLV that matches
610       on the Ethertype for IPv4. Similarly, an OXM TLV that  matches  on  the
611       TCP  source port must follow a TLV that matches an Ethertype of IPv4 or
612       IPv6 and one that matches an IP protocol of TCP (in  that  order).  The
613       order of OXM TLVs is not otherwise restricted; no canonical ordering is
614       defined.
615
616       A given field may be matched only once in a series of OXM TLVs.
617
618     OpenFlow 1.3
619
620       OpenFlow 1.3 showed OXM to be largely successful, by adding new  fields
621       without  making  any  changes  to how flow matches otherwise worked. It
622       added OXMs for the following fields supported by Open vSwitch:
623
624              •      Tunnel ID for ports associated with e.g. VXLAN  or  keyed
625                     GRE.
626
627              •      MPLS ``bottom of stack’’ (BOS) bit.
628
629       OpenFlow  1.3  also  added OXMs for the following fields not documented
630       here and not yet implemented by Open vSwitch:
631
632              •      IPv6 extension header handling.
633
634              •      PBB I-SID.
635
636     OpenFlow 1.4
637
638       OpenFlow 1.4 added OXMs for the following fields  not  documented  here
639       and not yet implemented by Open vSwitch:
640
641              •      PBB UCA.
642
643     OpenFlow 1.5
644
645       OpenFlow  1.5  added  OXMs  for  the following fields supported by Open
646       vSwitch:
647
648              •      Packet type.
649
650              •      TCP flags.
651
652              •      Packet registers.
653
654              •      The output port in the OpenFlow action set.
655

FIELDS REFERENCE

657       The following sections document the fields that Open vSwitch  supports.
658       Each  section  provides  introductory  material  on  a group of related
659       fields, followed by information on each individual field.  In  addition
660       to  field-specific information, each field begins with a table with en‐
661       tries for the following important properties:
662
663              Name   The field’s name, used for  parsing  and  formatting  the
664                     field,  e.g.  in  ovs-ofctl commands. For historical rea‐
665                     sons, some fields have an additional  name  that  is  ac‐
666                     cepted  as  an  alternative  in  parsing. This name, when
667                     there is one, is listed as well,  e.g.  ``tun  (aka  tun‐
668                     nel_id).’’
669
670              Width  The  field’s  width,  always  a  multiple of 8 bits. Some
671                     fields don’t use all of the bits, so this may be accompa‐
672                     nied  by an explanation. For example, OpenFlow embeds the
673                     2-bit IP ECN field as as the low bits in an  8-bit  byte,
674                     and  so  its  width  is  expressed  as ``8 bits (only the
675                     least-significant 2 bits may be nonzero).’’
676
677              Format How a value for the field  is  formatted  or  parsed  by,
678                     e.g., ovs-ofctl. Some possibilities are generic:
679
680                     decimal
681                            Formats  as  a  decimal  number. On input, accepts
682                            decimal numbers or hexadecimal numbers prefixed by
683                            0x.
684
685                     hexadecimal
686                            Formats as a hexadecimal number prefixed by 0x. On
687                            input, accepts decimal numbers or hexadecimal num‐
688                            bers  prefixed  by 0x. (The default for parsing is
689                            not hexadecimal: only a 0x prefix causes input  to
690                            be treated as hexadecimal.)
691
692                     Ethernet
693                            Formats  and  accepts  the common Ethernet address
694                            format xx:xx:xx:xx:xx:xx.
695
696                     IPv4   Formats  and  accepts   the   dotted-quad   format
697                            a.b.c.d.  For bitwise matches, formats and accepts
698                            address/length CIDR notation in  addition  to  ad‐
699                            dress/mask.
700
701                     IPv6   Formats  and  accepts the common IPv6 address for‐
702                            mats, plus CIDR notation for bitwise matches.
703
704                     OpenFlow 1.0 port
705                            Accepts 16-bit port numbers in decimal, plus Open‐
706                            Flow  well-known  port names (e.g. IN_PORT) in up‐
707                            percase or lowercase.
708
709                     OpenFlow 1.1+ port
710                            Same syntax as OpenFlow 1.0 ports but  for  32-bit
711                            OpenFlow 1.1+ port number fields.
712
713                     Other,  field-specific  formats  are explained along with
714                     their fields.
715
716              Masking
717                     For most fields, this says ``arbitrary  bitwise  masks,’’
718                     meaning  that a flow may match any combination of bits in
719                     the field. Some fields instead say ``exact match  only,’’
720                     which  means  that a flow that matches on this field must
721                     match on the whole field instead of  just  certain  bits.
722                     Either  way,  this reports masking support for the latest
723                     version of Open vSwitch using OXM or NXM (that is, either
724                     OpenFlow  1.2+  or OpenFlow 1.0 plus Open vSwitch NXM ex‐
725                     tensions). In particular, OpenFlow 1.0 (without NXM)  and
726                     1.1 don’t always support masking even if Open vSwitch it‐
727                     self does; refer to the OpenFlow  1.0  and  OpenFlow  1.1
728                     rows to learn about masking with these protocol versions.
729
730              Prerequisites
731                     Requirements that must be met to match on this field. For
732                     example, ip_src has IPv4 as a prerequisite, meaning  that
733                     a match must include eth_type=0x0800 to match on the IPv4
734                     source address. The following prerequisites,  with  their
735                     requirements, are currently in use:
736
737                     none   (no requirements)
738
739                     VLAN VID
740                            vlan_tci=0x1000/0x1000  (i.e.  a  VLAN  header  is
741                            present)
742
743                     ARP    eth_type=0x0806 (ARP) or eth_type=0x8035 (RARP)
744
745                     IPv4   eth_type=0x0800
746
747                     IPv6   eth_type=0x86dd
748
749                     IPv4/IPv6
750                            IPv4 or IPv6
751
752                     MPLS   eth_type=0x8847 or eth_type=0x8848
753
754                     TCP    IPv4/IPv6 and ip_proto=6
755
756                     UDP    IPv4/IPv6 and ip_proto=17
757
758                     SCTP   IPv4/IPv6 and ip_proto=132
759
760                     ICMPv4 IPv4 and ip_proto=1
761
762                     ICMPv6 IPv6 and ip_proto=58
763
764                     ND solicit
765                            ICMPv6 and icmp_type=135 and icmp_code=0
766
767                     ND advert
768                            ICMPv6 and icmp_type=136 and icmp_code=0
769
770                     ND     ND solicit or ND advert
771
772                     The TCP, UDP, and SCTP prerequisites also have  the  spe‐
773                     cial requirement that nw_frag is not being used to select
774                     ``later fragments.’’ This is because only the first frag‐
775                     ment  of  a fragmented IPv4 or IPv6 datagram contains the
776                     TCP or UDP header.
777
778              Access Most fields are ``read/write,’’ which means  that  common
779                     OpenFlow  actions  like set_field can modify them. Fields
780                     that are ``read-only’’ cannot be modified in  these  gen‐
781                     eral-purpose  ways, although there may be other ways that
782                     actions can modify them.
783
784              OpenFlow 1.0
785              OpenFlow 1.1
786                   These rows report the level of support that OpenFlow 1.0 or
787                   OpenFlow  1.1,  respectively, has for a field. For OpenFlow
788                   1.0, supported fields are reported as either  ``yes  (exact
789                   match  only)’’  for  fields that do not support any bitwise
790                   masking or ``yes (CIDR match only)’’ for fields  that  sup‐
791                   port CIDR masking. OpenFlow 1.1 supported fields report ei‐
792                   ther ``yes (exact  match  only)’’  or  simply  ``yes’’  for
793                   fields that do support arbitrary masks. These OpenFlow ver‐
794                   sions supported a fixed collection of fields that cannot be
795                   extended,  so  many  more fields are reported as ``not sup‐
796                   ported.’’
797
798              OXM
799              NXM  These rows report the OXM and NXM code points  that  corre‐
800                   spond to a given field. Either or both may be ``none.’’
801
802                   A field that has only an OXM code point is usually one that
803                   was standardized before it was added  to  Open  vSwitch.  A
804                   field  that  has only an NXM code point is usually one that
805                   is not yet standardized. When a field has both OXM and  NXM
806                   code points, it usually indicates that it was introduced as
807                   an Open vSwitch extension under the NXM  code  point,  then
808                   later  standardized  under  the OXM code point. A field can
809                   have more than one OXM code point if it was standardized in
810                   OpenFlow 1.4 or later and additionally introduced as an of‐
811                   ficial ONF extension for OpenFlow 1.3. (A  field  that  has
812                   neither  OXM  nor  NXM  code point is typically an obsolete
813                   field that is supported in some other  form  using  OXM  or
814                   NXM.)
815
816                   Each  code  point  in  these  rows is described in the form
817                   ``NAME (number) since OpenFlow spec and Open  vSwitch  ver‐
818                   sion,’’  e.g.  ``OXM_OF_ETH_TYPE (5) since OpenFlow 1.2 and
819                   Open vSwitch 1.7.’’ First, NAME, which specifies a name for
820                   the  code  point,  starts  with  a prefix that designates a
821                   class and, in some cases, a vendor, as listed in  the  fol‐
822                   lowing table:
823
824                   Prefix           Vendor       Class
825                   ───────────────  ───────────  ───────
826                   NXM_OF           (none)       0x0000
827                   NXM_NX           (none)       0x0001
828                   ERICOXM_OF       (none)       0x1000
829                   OXM_OF           (none)       0x8000
830                   OXM_OF_PKT_REG   (none)       0x8001
831                   NXOXM_ET         0x00002320   0xffff
832                   NXOXM_NSH        0x005ad650   0xffff
833                   ONFOXM_ET        0x4f4e4600   0xffff
834
835                   For  more information on OXM/NXM classes and vendors, refer
836                   back to OpenFlow 1.2 under Evolution  of  OpenFlow  Fields.
837                   The number is the field number within the class and vendor.
838                   The OpenFlow spec is the version of OpenFlow that standard‐
839                   ized  the code point. It is omitted for NXM code points be‐
840                   cause they are nonstandard. The version is the  version  of
841                   Open vSwitch that first supported the code point.
842

CONJUNCTIVE MATCH FIELDS

844   Summary:
845       Name      Bytes   Mask   RW?   Prereqs   NXM/OXM Support
846       ────────  ──────  ─────  ────  ────────  ────────────────
847       conj_id   4       no     no    none      OVS 2.4+
848
849       An  individual  OpenFlow  flow  can  match only a single value for each
850       field. However, situations often arise where one wants to match one  of
851       a  set  of values within a field or fields. For matching a single field
852       against a set, it is straightforward  and  efficient  to  add  multiple
853       flows  to  the  flow table, one for each value in the set. For example,
854       one might use the following flows to send packets with  IP  source  ad‐
855       dress a, b, c, or d to the OpenFlow controller:
856
857             ip,ip_src=a actions=controller
858             ip,ip_src=b actions=controller
859             ip,ip_src=c actions=controller
860             ip,ip_src=d actions=controller
861
862
863       Similarly,  these  flows send packets with IP destination address e, f,
864       g, or h to the OpenFlow controller:
865
866             ip,ip_dst=e actions=controller
867             ip,ip_dst=f actions=controller
868             ip,ip_dst=g actions=controller
869             ip,ip_dst=h actions=controller
870
871
872       Installing all of the above flows in a single flow table yields a  dis‐
873       junctive  effect:  a  packet  is  sent  to  the  controller if ip_src ∈
874       {a,b,c,d} or ip_dst ∈ {e,f,g,h} (or both). (Pedantically,  if  both  of
875       the above sets of flows are present in the flow table, they should have
876       different priorities, because OpenFlow says that the results are  unde‐
877       fined  when  two  flows  with  same  priority  can  both match a single
878       packet.)
879
880       Suppose, on the other hand, one wishes to match conjunctively, that is,
881       to  send a packet to the controller only if both ip_src ∈ {a,b,c,d} and
882       ip_dst ∈ {e,f,g,h}. This requires 4 × 4 = 16 flows, one for each possi‐
883       ble  pairing of ip_src and ip_dst. That is acceptable for our small ex‐
884       ample, but it does not gracefully extend to larger sets or greater num‐
885       bers of dimensions.
886
887       The  conjunction  action  is a solution for conjunctive matches that is
888       built into Open vSwitch. A conjunction action ties groups of individual
889       OpenFlow flows into higher-level ``conjunctive flows’’. Each group cor‐
890       responds to one dimension, and each flow within the group  matches  one
891       possible  value  for the dimension. A packet that matches one flow from
892       each group matches the conjunctive flow.
893
894       To implement a conjunctive flow with conjunction, assign  the  conjunc‐
895       tive  flow  a 32-bit id, which must be unique within an OpenFlow table.
896       Assign each of the n ≥ 2 dimensions a unique number from 1  to  n;  the
897       ordering  is  unimportant.  Add one flow to the OpenFlow flow table for
898       each possible value of each dimension with conjunction(id, k/n) as  the
899       flow’s actions, where k is the number assigned to the flow’s dimension.
900       Together, these flows specify the conjunctive flow’s  match  condition.
901       When  the conjunctive match condition is met, Open vSwitch looks up one
902       more flow that specifies the conjunctive flow’s  actions  and  receives
903       its  statistics. This flow is found by setting conj_id to the specified
904       id and then again searching the flow table.
905
906       The following flows provide an example. Whenever the IP source  is  one
907       of  the values in the flows that match on the IP source (dimension 1 of
908       2), and the IP destination is one of the values in the flows that match
909       on  IP destination (dimension 2 of 2), Open vSwitch searches for a flow
910       that matches conj_id against the conjunction  ID  (1234),  finding  the
911       first flow listed below.
912
913             conj_id=1234 actions=controller
914             ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)
915             ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)
916             ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)
917             ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)
918             ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)
919             ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)
920             ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)
921             ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)
922
923
924       Many subtleties exist:
925
926              •      In  the  example  above, every flow in a single dimension
927                     has the same form, that is, dimension 1 matches on ip_src
928                     and dimension 2 on ip_dst, but this is not a requirement.
929                     Different flows within a dimension may match on different
930                     bits  within a field (e.g. IP network prefixes of differ‐
931                     ent lengths, or TCP/UDP port ranges as bitwise  matches),
932                     or even on entirely different fields (e.g. to match pack‐
933                     ets for TCP source port 80 or TCP destination port 80).
934
935              •      The flows within  a  dimension  can  vary  their  matches
936                     across  more  than one field, e.g. to match only specific
937                     pairs of IP source and destination addresses or  L4  port
938                     numbers.
939
940              •      A  flow  may have multiple conjunction actions, with dif‐
941                     ferent id values. This is useful for multiple conjunctive
942                     flows  with  overlapping  sets.  If  one conjunctive flow
943                     matches packets with both ip_src ∈  {a,b}  and  ip_dst  ∈
944                     {d,e}  and  a  second  conjunctive  flow matches ip_src ∈
945                     {b,c} and ip_dst ∈ {f,g}, for example, then the flow that
946                     matches  ip_src=b would have two conjunction actions, one
947                     for each conjunctive flow. The order of  conjunction  ac‐
948                     tions within a list of actions is not significant.
949
950              •      A flow with conjunction actions may also include note ac‐
951                     tions for annotations, but not any other kind of actions.
952                     (They would not be useful because they would never be ex‐
953                     ecuted.)
954
955              •      All of the flows that constitute a conjunctive flow  with
956                     a  given  id must have the same priority. (Flows with the
957                     same id but different priorities are currently treated as
958                     different conjunctive flows, that is, currently id values
959                     need only be unique within an OpenFlow table at  a  given
960                     priority. This behavior isn’t guaranteed to stay the same
961                     in later releases, so please use id values unique  within
962                     an OpenFlow table.)
963
964              •      Conjunctive  flows must not overlap with each other, at a
965                     given priority, that is, any given packet must be able to
966                     match  at  most one conjunctive flow at a given priority.
967                     Overlapping conjunctive  flows  yield  unpredictable  re‐
968                     sults.  (The flows that constitute a conjunctive flow may
969                     overlap with those that constitute the  same  or  another
970                     conjunctive flow.)
971
972              •      Following  a  conjunctive  flow match, the search for the
973                     flow with conj_id=id is done in the same  general-purpose
974                     way  as  other  flow table searches, so one can use flows
975                     with conj_id=id to act differently depending  on  circum‐
976                     stances.  (One  exception  is  that  the  search  for the
977                     conj_id=id flow  itself  ignores  conjunctive  flows,  to
978                     avoid  recursion.)  If  the search with conj_id=id fails,
979                     Open vSwitch acts as if  the  conjunctive  flow  had  not
980                     matched  at  all,  and continues searching the flow table
981                     for other matching flows.
982
983              •      OpenFlow prerequisite checking occurs for the  flow  with
984                     conj_id=id  in the same way as any other flow, e.g. in an
985                     OpenFlow 1.1+ context, putting a mod_nw_src  action  into
986                     the  example above would require adding an ip match, like
987                     this:
988
989                               conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller
990
991
992              •      OpenFlow prerequisite checking also occurs for the  indi‐
993                     vidual  flows  that  comprise  a conjunctive match in the
994                     same way as any other flow.
995
996              •      The flows that constitute a conjunctive flow do not  have
997                     useful  statistics.  They  are never updated with byte or
998                     packet counts, and so on. (For such  a  flow,  therefore,
999                     the idle and hard timeouts work much the same way.)
1000
1001              •      Sometimes there is a choice of which flows include a par‐
1002                     ticular match. For example, suppose that we added an  ex‐
1003                     tra  constraint  to  our  example,  to  match on ip_src ∈
1004                     {a,b,c,d} and ip_dst ∈ {e,f,g,h} and tcp_dst = i. One way
1005                     to  implement  this  is  to add the new constraint to the
1006                     conj_id flow, like this:
1007
1008                               conj_id=1234,tcp,tcp_dst=i actions=mod_nw_src:1.2.3.4,controller
1009
1010
1011                     but this is not recommended because of the  cost  of  the
1012                     extra  flow  table lookup. Instead, add the constraint to
1013                     the individual flows, either in one of the dimensions  or
1014                     (slightly better) all of them.
1015
1016              •      A conjunctive match must have n ≥ 2 dimensions (otherwise
1017                     a conjunctive match is not necessary). Open  vSwitch  en‐
1018                     forces this.
1019
1020              •      Each dimension within a conjunctive match should ordinar‐
1021                     ily have more than one flow. Open vSwitch  does  not  en‐
1022                     force this.
1023
1024       Conjunction ID Field
1025
1026       Name:            conj_id
1027       Width:           32 bits
1028       Format:          decimal
1029       Masking:         not maskable
1030       Prerequisites:   none
1031       Access:          read-only
1032       OpenFlow 1.0:    not supported
1033       OpenFlow 1.1:    not supported
1034
1035       OXM:             none
1036       NXM:             NXM_NX_CONJ_ID (37) since Open vSwitch 2.4
1037
1038       Used for conjunctive matching. See above for more information.
1039

TUNNEL FIELDS

1041   Summary:
1042       Name                   Bytes             Mask   RW?   Prereqs   NXM/OXM Support
1043
1044       ─────────────────────  ────────────────  ─────  ────  ────────  ─────────────────────
1045       tun_id aka tunnel_id   8                 yes    yes   none      OF 1.3+ and OVS 1.1+
1046       tun_src                4                 yes    yes   none      OVS 2.0+
1047       tun_dst                4                 yes    yes   none      OVS 2.0+
1048
1049       tun_ipv6_src           16                yes    yes   none      OVS 2.5+
1050       tun_ipv6_dst           16                yes    yes   none      OVS 2.5+
1051       tun_gbp_id             2                 yes    yes   none      OVS 2.4+
1052       tun_gbp_flags          1                 yes    yes   none      OVS 2.4+
1053
1054       tun_erspan_ver         1 (low 4 bits)    yes    yes   none      OVS 2.10+
1055       tun_erspan_idx         4 (low 20 bits)   yes    yes   none      OVS 2.10+
1056       tun_erspan_dir         1 (low 1 bits)    yes    yes   none      OVS 2.10+
1057       tun_erspan_hwid        1 (low 6 bits)    yes    yes   none      OVS 2.10+
1058
1059       tun_gtpu_flags         1                 yes    no    none      OVS 2.13+
1060       tun_gtpu_msgtype       1                 yes    no    none      OVS 2.13+
1061       tun_metadata0          124               yes    yes   none      OVS 2.5+
1062       tun_metadata1          124               yes    yes   none      OVS 2.5+
1063
1064       tun_metadata2          124               yes    yes   none      OVS 2.5+
1065       tun_metadata3          124               yes    yes   none      OVS 2.5+
1066       tun_metadata4          124               yes    yes   none      OVS 2.5+
1067       tun_metadata5          124               yes    yes   none      OVS 2.5+
1068
1069       tun_metadata6          124               yes    yes   none      OVS 2.5+
1070       tun_metadata7          124               yes    yes   none      OVS 2.5+
1071       tun_metadata8          124               yes    yes   none      OVS 2.5+
1072       tun_metadata9          124               yes    yes   none      OVS 2.5+
1073
1074       tun_metadata10         124               yes    yes   none      OVS 2.5+
1075       tun_metadata11         124               yes    yes   none      OVS 2.5+
1076       tun_metadata12         124               yes    yes   none      OVS 2.5+
1077       tun_metadata13         124               yes    yes   none      OVS 2.5+
1078
1079       tun_metadata14         124               yes    yes   none      OVS 2.5+
1080       tun_metadata15         124               yes    yes   none      OVS 2.5+
1081       tun_metadata16         124               yes    yes   none      OVS 2.5+
1082       tun_metadata17         124               yes    yes   none      OVS 2.5+
1083
1084       tun_metadata18         124               yes    yes   none      OVS 2.5+
1085       tun_metadata19         124               yes    yes   none      OVS 2.5+
1086       tun_metadata20         124               yes    yes   none      OVS 2.5+
1087       tun_metadata21         124               yes    yes   none      OVS 2.5+
1088
1089       tun_metadata22         124               yes    yes   none      OVS 2.5+
1090       tun_metadata23         124               yes    yes   none      OVS 2.5+
1091       tun_metadata24         124               yes    yes   none      OVS 2.5+
1092       tun_metadata25         124               yes    yes   none      OVS 2.5+
1093
1094       tun_metadata26         124               yes    yes   none      OVS 2.5+
1095       tun_metadata27         124               yes    yes   none      OVS 2.5+
1096       tun_metadata28         124               yes    yes   none      OVS 2.5+
1097       tun_metadata29         124               yes    yes   none      OVS 2.5+
1098
1099       tun_metadata30         124               yes    yes   none      OVS 2.5+
1100       tun_metadata31         124               yes    yes   none      OVS 2.5+
1101       tun_metadata32         124               yes    yes   none      OVS 2.5+
1102       tun_metadata33         124               yes    yes   none      OVS 2.5+
1103
1104       tun_metadata34         124               yes    yes   none      OVS 2.5+
1105       tun_metadata35         124               yes    yes   none      OVS 2.5+
1106       tun_metadata36         124               yes    yes   none      OVS 2.5+
1107       tun_metadata37         124               yes    yes   none      OVS 2.5+
1108
1109       tun_metadata38         124               yes    yes   none      OVS 2.5+
1110       tun_metadata39         124               yes    yes   none      OVS 2.5+
1111       tun_metadata40         124               yes    yes   none      OVS 2.5+
1112       tun_metadata41         124               yes    yes   none      OVS 2.5+
1113
1114       tun_metadata42         124               yes    yes   none      OVS 2.5+
1115       tun_metadata43         124               yes    yes   none      OVS 2.5+
1116       tun_metadata44         124               yes    yes   none      OVS 2.5+
1117       tun_metadata45         124               yes    yes   none      OVS 2.5+
1118
1119       tun_metadata46         124               yes    yes   none      OVS 2.5+
1120       tun_metadata47         124               yes    yes   none      OVS 2.5+
1121       tun_metadata48         124               yes    yes   none      OVS 2.5+
1122       tun_metadata49         124               yes    yes   none      OVS 2.5+
1123
1124       tun_metadata50         124               yes    yes   none      OVS 2.5+
1125       tun_metadata51         124               yes    yes   none      OVS 2.5+
1126       tun_metadata52         124               yes    yes   none      OVS 2.5+
1127       tun_metadata53         124               yes    yes   none      OVS 2.5+
1128
1129       tun_metadata54         124               yes    yes   none      OVS 2.5+
1130       tun_metadata55         124               yes    yes   none      OVS 2.5+
1131       tun_metadata56         124               yes    yes   none      OVS 2.5+
1132       tun_metadata57         124               yes    yes   none      OVS 2.5+
1133
1134       tun_metadata58         124               yes    yes   none      OVS 2.5+
1135       tun_metadata59         124               yes    yes   none      OVS 2.5+
1136       tun_metadata60         124               yes    yes   none      OVS 2.5+
1137       tun_metadata61         124               yes    yes   none      OVS 2.5+
1138
1139       tun_metadata62         124               yes    yes   none      OVS 2.5+
1140       tun_metadata63         124               yes    yes   none      OVS 2.5+
1141       tun_flags              2 (low 1 bits)    yes    yes   none      OVS 2.5+
1142
1143       The fields in this group relate to tunnels, which Open vSwitch supports
1144       in several forms (GRE, VXLAN, and so on). Most of these fields  do  ap‐
1145       pear  in the wire format of a packet, so they are data fields from that
1146       point of view, but they are metadata from an OpenFlow flow table  point
1147       of view because they do not appear in packets that are forwarded to the
1148       controller or to ordinary (non-tunnel) output ports.
1149
1150       Open vSwitch supports a spectrum of usage models for mapping tunnels to
1151       OpenFlow ports:
1152
1153              ``Port-based’’ tunnels
1154                     In this model, an OpenFlow port represents one tunnel: it
1155                     matches a particular type of tunnel traffic  between  two
1156                     IP  endpoints,  with a particular tunnel key (if keys are
1157                     in use). In this situation, in_port suffices  to  distin‐
1158                     guish  one  tunnel  from  another,  so  the tunnel header
1159                     fields have little importance  for  OpenFlow  processing.
1160                     (They are still populated and may be used if it is conve‐
1161                     nient.) The tunnel header fields play no role in  sending
1162                     packets  out  such  an OpenFlow port, either, because the
1163                     OpenFlow port itself fully specifies the tunnel headers.
1164
1165                     The following  Open  vSwitch  commands  create  a  bridge
1166                     br-int,  add  port tap0 to the bridge as OpenFlow port 1,
1167                     establish a port-based GRE tunnel between the local  host
1168                     and  remote IP 192.168.1.1 using GRE key 5001 as OpenFlow
1169                     port 2, and arranges to forward all traffic from tap0  to
1170                     the tunnel and vice versa:
1171
1172                     ovs-vsctl add-br br-int
1173                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1174                     ovs-vsctl add-port br-int gre0 -- \
1175                         set interface gre0 ofport_request=2 type=gre \
1176                                            options:remote_ip=192.168.1.1 options:key=5001
1177                     ovs-ofctl add-flow br-int in_port=1,actions=2
1178                     ovs-ofctl add-flow br-int in_port=2,actions=1
1179
1180
1181              ``Flow-based’’ tunnels
1182                     In  this model, one OpenFlow port represents all possible
1183                     tunnels of a given type with an endpoint on  the  current
1184                     host,  for  example,  all GRE tunnels. In this situation,
1185                     in_port only indicates that traffic was received  on  the
1186                     particular  kind  of  tunnel.  This  is  where the tunnel
1187                     header fields are most important: they allow the OpenFlow
1188                     tables  to  discriminate  among tunnels based on their IP
1189                     endpoints or keys. Tunnel header  fields  also  determine
1190                     the IP endpoints and keys of packets sent out such a tun‐
1191                     nel port.
1192
1193                     The following  Open  vSwitch  commands  create  a  bridge
1194                     br-int,  add  port tap0 to the bridge as OpenFlow port 1,
1195                     establish a flow-based GRE tunnel port 3, and arranges to
1196                     forward  all  traffic  from tap0 to remote IP 192.168.1.1
1197                     over a GRE tunnel with key 5001 and vice versa:
1198
1199                     ovs-vsctl add-br br-int
1200                     ovs-vsctl add-port br-int tap0 -- set interface tap0 ofport_request=1
1201                     ovs-vsctl add-port br-int allgre -- \
1202                         set interface allgre ofport_request=3 type=gre \
1203                                              options:remote_ip=flow options:key=flow
1204                     ovs-ofctl add-flow br-int \
1205                         ’in_port=1 actions=set_tunnel:5001,set_field:192.168.1.1->tun_dst,3’
1206                     ovs-ofctl add-flow br-int ’in_port=3,tun_src=192.168.1.1,tun_id=5001 actions=1’
1207
1208
1209              Mixed models.
1210                     One may define both flow-based and port-based tunnels  at
1211                     the same time. For example, it is valid and possibly use‐
1212                     ful to create and configure both gre0 and  allgre  tunnel
1213                     ports described above.
1214
1215                     Traffic  is  attributed  on  ingress to the most specific
1216                     matching tunnel. For example, gre0 is more specific  than
1217                     allgre.  Therefore,  if both exist, then gre0 will be the
1218                     ingress  port  for  any   GRE   traffic   received   from
1219                     192.168.1.1 with key 5001.
1220
1221                     On  egress,  traffic  may  be directed to any appropriate
1222                     tunnel port. If both gre0 and allgre  are  configured  as
1223                     already  described,  then  the  actions  2  and  set_tun‐
1224                     nel:5001,set_field:192.168.1.1->tun_dst,3 send  the  same
1225                     tunnel traffic.
1226
1227              Intermediate models.
1228                     Ports  may be configured as partially flow-based. For ex‐
1229                     ample, one may define an OpenFlow  port  that  represents
1230                     tunnels  between  a pair of endpoints but leaves the flow
1231                     table to discriminate on the flow key.
1232
1233       ovs-vswitchd.conf.db(5) describes all the details of tunnel  configura‐
1234       tion.
1235
1236       These fields do not have any prerequisites, which means that a flow may
1237       match on any or all of them, in any combination.
1238
1239       These fields are zeros for packets that did not arrive on a tunnel.
1240
1241       Tunnel ID Field
1242
1243       Name:            tun_id (aka tunnel_id)
1244       Width:           64 bits
1245       Format:          hexadecimal
1246
1247       Masking:         arbitrary bitwise masks
1248       Prerequisites:   none
1249       Access:          read/write
1250       OpenFlow 1.0:    not supported
1251       OpenFlow 1.1:    not supported
1252
1253
1254       OXM:             OXM_OF_TUNNEL_ID (38)  since  OpenFlow  1.3  and  Open
1255                        vSwitch 1.10
1256       NXM:             NXM_NX_TUN_ID (16) since Open vSwitch 1.1
1257
1258       Many kinds of tunnels support a tunnel ID:
1259
1260              •      VXLAN and Geneve have a 24-bit virtual network identifier
1261                     (VNI).
1262
1263              •      LISP has a 24-bit instance ID.
1264
1265              •      GRE has an optional 32-bit key.
1266
1267              •      STT has a 64-bit key.
1268
1269              •      ERSPAN has a 10-bit key (Session ID).
1270
1271              •      GTPU has a 32-bit key (Tunnel Endpoint ID).
1272
1273       When a packet is received from a tunnel, this field holds the tunnel ID
1274       in its least significant bits, zero-extended to fit. This field is zero
1275       if the tunnel does not support an ID, or if no ID is in use for a  tun‐
1276       nel  type  that has an optional ID, or if an ID of zero received, or if
1277       the packet was not received over a tunnel.
1278
1279       When a packet is output to a tunnel port, the tunnel configuration  de‐
1280       termines  whether  the tunnel ID is taken from this field or bound to a
1281       fixed value. See the earlier description of ``port-based’’ and  ``flow-
1282       based’’ tunnels for more information.
1283
1284       The following diagram shows the origin of this field in a typical keyed
1285       GRE tunnel:
1286
1287          Ethernet            IPv4               GRE           Ethernet
1288        <----------->   <--------------->   <------------>   <---------->
1289        48  48   16           8   32  32    16    16   32    48  48   16
1290       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1291       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1292       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1293                0x800        47                 0x6558
1294
1295
1296       Tunnel IPv4 Source Field
1297
1298       Name:            tun_src
1299       Width:           32 bits
1300       Format:          IPv4
1301       Masking:         arbitrary bitwise masks
1302       Prerequisites:   none
1303       Access:          read/write
1304       OpenFlow 1.0:    not supported
1305       OpenFlow 1.1:    not supported
1306
1307       OXM:             none
1308       NXM:             NXM_NX_TUN_IPV4_SRC (31) since Open vSwitch 2.0
1309
1310       When a packet is received from a tunnel, this field is the  source  ad‐
1311       dress in the outer IP header of the tunneled packet. This field is zero
1312       if the packet was not received over a tunnel.
1313
1314       When a packet is output to a flow-based tunnel port, this field  influ‐
1315       ences  the  IPv4 source address used to send the packet. If it is zero,
1316       then the kernel chooses an appropriate IP address based using the rout‐
1317       ing table.
1318
1319       The following diagram shows the origin of this field in a typical keyed
1320       GRE tunnel:
1321
1322          Ethernet            IPv4               GRE           Ethernet
1323        <----------->   <--------------->   <------------>   <---------->
1324        48  48   16           8   32  32    16    16   32    48  48   16
1325       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1326       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1327       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1328                0x800        47                 0x6558
1329
1330
1331       Tunnel IPv4 Destination Field
1332
1333
1334       Name:            tun_dst
1335       Width:           32 bits
1336       Format:          IPv4
1337       Masking:         arbitrary bitwise masks
1338       Prerequisites:   none
1339       Access:          read/write
1340       OpenFlow 1.0:    not supported
1341       OpenFlow 1.1:    not supported
1342
1343       OXM:             none
1344       NXM:             NXM_NX_TUN_IPV4_DST (32) since Open vSwitch 2.0
1345
1346       When a packet is received from a tunnel, this field is the  destination
1347       address  in  the  outer IP header of the tunneled packet. This field is
1348       zero if the packet was not received over a tunnel.
1349
1350       When a packet is output to a flow-based tunnel port, this field  speci‐
1351       fies the destination to which the tunnel packet is sent.
1352
1353       The following diagram shows the origin of this field in a typical keyed
1354       GRE tunnel:
1355
1356          Ethernet            IPv4               GRE           Ethernet
1357        <----------->   <--------------->   <------------>   <---------->
1358        48  48   16           8   32  32    16    16   32    48  48   16
1359       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1360       |dst|src|type | |...|proto|src|dst| |...| type |key| |dst|src|type| ...
1361       +---+---+-----+ +---+-----+---+---+ +---+------+---+ +---+---+----+
1362                0x800        47                 0x6558
1363
1364
1365       Tunnel IPv6 Source Field
1366
1367       Name:            tun_ipv6_src
1368       Width:           128 bits
1369
1370       Format:          IPv6
1371       Masking:         arbitrary bitwise masks
1372       Prerequisites:   none
1373       Access:          read/write
1374       OpenFlow 1.0:    not supported
1375       OpenFlow 1.1:    not supported
1376       OXM:             none
1377       NXM:             NXM_NX_TUN_IPV6_SRC (109) since Open vSwitch 2.5
1378
1379       Similar to tun_src, but for tunnels over IPv6.
1380
1381       Tunnel IPv6 Destination Field
1382
1383       Name:            tun_ipv6_dst
1384       Width:           128 bits
1385       Format:          IPv6
1386       Masking:         arbitrary bitwise masks
1387
1388       Prerequisites:   none
1389       Access:          read/write
1390       OpenFlow 1.0:    not supported
1391       OpenFlow 1.1:    not supported
1392       OXM:             none
1393       NXM:             NXM_NX_TUN_IPV6_DST (110) since Open vSwitch 2.5
1394
1395       Similar to tun_dst, but for tunnels over IPv6.
1396
1397   VXLAN Group-Based Policy Fields
1398       The VXLAN header is defined as follows [RFC 7348], where the I bit must
1399       be set to 1, unlabeled bits or those labeled reserved must be set to 0,
1400       and Open vSwitch makes the VNI available via tun_id:
1401
1402          VXLAN flags
1403        <------------->
1404        1 1 1 1 1 1 1 1    24    24     8
1405       +-+-+-+-+-+-+-+-+--------+---+--------+
1406       | | | | |I| | | |reserved|VNI|reserved|
1407       +-+-+-+-+-+-+-+-+--------+---+--------+
1408
1409
1410       VXLAN Group-Based Policy [VXLAN Group Policy Option] adds new interpre‐
1411       tations to existing bits in the VXLAN header, reinterpreting it as fol‐
1412       lows, with changes highlighted:
1413
1414           GBP flags
1415        <------------->
1416        1 1 1 1 1 1 1 1       24        24     8
1417       +-+-+-+-+-+-+-+-+---------------+---+--------+
1418       | |D| | |A| | | |group policy ID|VNI|reserved|
1419       +-+-+-+-+-+-+-+-+---------------+---+--------+
1420
1421
1422       Open vSwitch makes GBP fields and flags available through the following
1423       fields.  Only  packets that arrive over a VXLAN tunnel with the GBP ex‐
1424       tension enabled have these fields set. In other packets they  are  zero
1425       on receive and ignored on transmit.
1426
1427       VXLAN Group-Based Policy ID Field
1428
1429       Name:            tun_gbp_id
1430       Width:           16 bits
1431       Format:          decimal
1432
1433       Masking:         arbitrary bitwise masks
1434       Prerequisites:   none
1435       Access:          read/write
1436       OpenFlow 1.0:    not supported
1437       OpenFlow 1.1:    not supported
1438       OXM:             none
1439       NXM:             NXM_NX_TUN_GBP_ID (38) since Open vSwitch 2.4
1440
1441       For  a packet tunneled over VXLAN with the Group-Based Policy (GBP) ex‐
1442       tension, this field represents the GBP policy ID, as shown above.
1443
1444       VXLAN Group-Based Policy Flags Field
1445
1446       Name:            tun_gbp_flags
1447       Width:           8 bits
1448       Format:          hexadecimal
1449       Masking:         arbitrary bitwise masks
1450
1451       Prerequisites:   none
1452       Access:          read/write
1453       OpenFlow 1.0:    not supported
1454       OpenFlow 1.1:    not supported
1455       OXM:             none
1456       NXM:             NXM_NX_TUN_GBP_FLAGS (39) since Open vSwitch 2.4
1457
1458       For a packet tunneled over VXLAN with the Group-Based Policy (GBP)  ex‐
1459       tension, this field represents the GBP policy flags, as shown above.
1460
1461       The field has the format shown below:
1462
1463           GBP Flags
1464        <------------->
1465        1 1 1 1 1 1 1 1
1466       +-+-+-+-+-+-+-+-+
1467       | |D| | |A| | | |
1468       +-+-+-+-+-+-+-+-+
1469
1470
1471       Unlabeled bits are reserved and must be transmitted as 0. The VXLAN GBP
1472       draft defines the other bits’ meanings as:
1473
1474              D (Don’t Learn)
1475                     When set, this bit indicates that the egress tunnel  end‐
1476                     point  must  not learn the source address of the encapsu‐
1477                     lated frame.
1478
1479              A (Applied)
1480                     When set, indicates that the  group  policy  has  already
1481                     been applied to this packet. Devices must not apply poli‐
1482                     cies when the A bit is set.
1483
1484   ERSPAN Metadata Fields
1485       These fields provide access to features in the ERSPAN tunneling  proto‐
1486       col [ERSPAN], which has two major versions: version 1 (aka type II) and
1487       version 2 (aka type III).
1488
1489       Regardless of version, ERSPAN is encapsulated within a fixed 8-byte GRE
1490       header  that consists of a 4-byte GRE base header and a 4-byte sequence
1491       number. The ERSPAN version 1 header format is:
1492
1493             GRE                ERSPAN v1            Ethernet
1494        <------------>   <--------------------->   <---------->
1495        16    16   32     4  18    10    12  20    48  48   16
1496       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1497       |...| type |seq| |ver|...|session|...|idx| |dst|src|type| ...
1498       +---+------+---+ +---+---+-------+---+---+ +---+---+----+
1499            0x88be        1      tun_id
1500
1501
1502       The ERSPAN version 2 header format is:
1503
1504             GRE                         ERSPAN v2                      Ethernet
1505        <------------>   <---------------------------------------->   <---------->
1506        16    16   32     4  18    10       32     22   6    1   3    48  48   16
1507       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1508       |...| type |seq| |ver|...|session|timestamp|...|hwid|dir|...| |dst|src|type| ...
1509       +---+------+---+ +---+---+-------+---------+---+----+---+---+ +---+---+----+
1510            0x22eb        2      tun_id                     0/1
1511
1512
1513       ERSPAN Version Field
1514
1515       Name:            tun_erspan_ver
1516       Width:           8 bits (only the least-significant 4 bits may be nonzero)
1517       Format:          decimal
1518       Masking:         arbitrary bitwise masks
1519       Prerequisites:   none
1520       Access:          read/write
1521       OpenFlow 1.0:    not supported
1522
1523       OpenFlow 1.1:    not supported
1524       OXM:             none
1525       NXM:             NXOXM_ET_ERSPAN_VER (12) since Open vSwitch 2.10
1526
1527       ERSPAN version number: 1 for version 1, or 2 for version 2.
1528
1529       ERSPAN Index Field
1530
1531
1532       Name:            tun_erspan_idx
1533       Width:           32 bits (only the least-significant 20 bits may be nonzero)
1534       Format:          hexadecimal
1535       Masking:         arbitrary bitwise masks
1536       Prerequisites:   none
1537       Access:          read/write
1538       OpenFlow 1.0:    not supported
1539       OpenFlow 1.1:    not supported
1540
1541       OXM:             none
1542       NXM:             NXOXM_ET_ERSPAN_IDX (11) since Open vSwitch 2.10
1543
1544       This field is a 20-bit index/port number  associated  with  the  ERSPAN
1545       traffic’s  source  port  and  direction (ingress/egress). This field is
1546       platform dependent.
1547
1548       ERSPAN Direction Field
1549
1550       Name:            tun_erspan_dir
1551       Width:           8 bits (only the least-significant 1 bits may be nonzero)
1552       Format:          decimal
1553       Masking:         arbitrary bitwise masks
1554       Prerequisites:   none
1555       Access:          read/write
1556       OpenFlow 1.0:    not supported
1557       OpenFlow 1.1:    not supported
1558
1559       OXM:             none
1560       NXM:             NXOXM_ET_ERSPAN_DIR (13) since Open vSwitch 2.10
1561
1562       For ERSPAN v2, the mirrored traffic’s direction: 0 for ingress traffic,
1563       1 for egress traffic.
1564
1565       ERSPAN Hardware ID Field
1566
1567
1568       Name:            tun_erspan_hwid
1569       Width:           8 bits (only the least-significant 6 bits may be nonzero)
1570       Format:          hexadecimal
1571       Masking:         arbitrary bitwise masks
1572       Prerequisites:   none
1573       Access:          read/write
1574       OpenFlow 1.0:    not supported
1575       OpenFlow 1.1:    not supported
1576
1577       OXM:             none
1578       NXM:             NXOXM_ET_ERSPAN_HWID (14) since Open vSwitch 2.10
1579
1580       A 6-bit unique identifier of an ERSPAN v2 engine within a system.
1581
1582   GTP-U Metadata Fields
1583       These fields provide access to set-up GPRS Tunnelling Protocol for User
1584       Plane (GTPv1-U), based on 3GPP TS 29.281. A GTP-U header has  the  fol‐
1585       lowing format:
1586
1587          8      8       16    32
1588       +-----+--------+------+----+
1589       |flags|msg type|length|TEID| ...
1590       +-----+--------+------+----+
1591
1592
1593       The  flags and message type have the Open vSwitch GTP-U specific fields
1594       described below. Open vSwitch makes the TEID (Tunnel  Endpoint  Identi‐
1595       fier), which identifies a tunnel endpoint in the receiving GTP-U proto‐
1596       col entity, available via tun_id.
1597
1598       GTP-U Flags Field
1599
1600       Name:            tun_gtpu_flags
1601       Width:           8 bits
1602       Format:          hexadecimal
1603
1604       Masking:         arbitrary bitwise masks
1605       Prerequisites:   none
1606       Access:          read-only
1607       OpenFlow 1.0:    not supported
1608       OpenFlow 1.1:    not supported
1609       OXM:             none
1610       NXM:             NXOXM_ET_GTPU_FLAGS (15) since Open vSwitch 2.13
1611
1612       This field holds the 8-bit GTP-U flags, encoded as:
1613
1614         GTP-U Tunnel Flags
1615        <------------------->
1616           3    1   1  1 1 1
1617       +-------+--+---+-+-+--+
1618       |version|PT|rsv|E|S|PN|
1619       +-------+--+---+-+-+--+
1620           1        0
1621
1622
1623       The flags are:
1624
1625              version
1626                     Used to determine the  version  of  the  GTP-U  protocol,
1627                     which should be set to 1.
1628
1629              PT     Protocol  type,  used as a protocol discriminator between
1630                     GTP (1) and GTP’ (0).
1631
1632              rsv    Reserved. Must be zero.
1633
1634              E      If 1, indicates the presence of a meaningful value of the
1635                     Next Extension Header field.
1636
1637              S      If 1, indicates the presence of a meaningful value of the
1638                     Sequence Number field.
1639
1640              PN     If 1, indicates the presence of a meaningful value of the
1641                     N-PDU Number field.
1642
1643       GTP-U Message Type Field
1644
1645       Name:            tun_gtpu_msgtype
1646       Width:           8 bits
1647       Format:          decimal
1648
1649       Masking:         arbitrary bitwise masks
1650       Prerequisites:   none
1651       Access:          read-only
1652       OpenFlow 1.0:    not supported
1653       OpenFlow 1.1:    not supported
1654       OXM:             none
1655       NXM:             NXOXM_ET_GTPU_MSGTYPE (16) since Open vSwitch 2.13
1656
1657       This  field  indicates  whether it’s a signalling message used for path
1658       management, or a user plane message which carries the original  packet.
1659       The  complete  range  of  message  types  can  be  referred to [3GPP TS
1660       29.281].
1661
1662   Geneve Fields
1663       These fields provide access to additional features in the  Geneve  tun‐
1664       neling  protocol [Geneve]. Their names are somewhat generic in the hope
1665       that the same fields could be reused for other protocols in the future;
1666       for  example, the NSH protocol [NSH] supports TLV options whose form is
1667       identical to that for Geneve options.
1668
1669       Generic Tunnel Option 0 Field
1670
1671       Name:            tun_metadata0
1672       Width:           992 bits (124 bytes)
1673       Format:          hexadecimal
1674       Masking:         arbitrary bitwise masks
1675
1676       Prerequisites:   none
1677       Access:          read/write
1678       OpenFlow 1.0:    not supported
1679       OpenFlow 1.1:    not supported
1680       OXM:             none
1681       NXM:             NXM_NX_TUN_METADATA0 (40) since Open vSwitch 2.5
1682
1683       The above information specifically covers generic tunnel option 0,  but
1684       Open  vSwitch  supports  64  options,  numbered 0 through 63, whose NXM
1685       field numbers are 40 through 103.
1686
1687       These fields provide OpenFlow access to the  generic  type-length-value
1688       options  defined  by  the  Geneve tunneling protocol or other protocols
1689       with options in the same TLV format as Geneve options.  Each  of  these
1690       options has the following wire format:
1691
1692               header                 body
1693        <-------------------> <------------------>
1694         16    8    3    5    4×(length - 1) bytes
1695       +-----+----+---+------+--------------------+
1696       |class|type|res|length|       value        |
1697       +-----+----+---+------+--------------------+
1698                    0
1699
1700
1701       Taken together, the class and type in the option format mean that there
1702       are about 16 million distinct kinds of TLV options, too  many  to  give
1703       individual OXM code points. Thus, Open vSwitch requires the user to de‐
1704       fine the TLV options of interest, by binding up to 64  TLV  options  to
1705       generic  tunnel  option NXM code points. Each option may have up to 124
1706       bytes in its body, the maximum allowed by the TLV format, but bound op‐
1707       tions may total at most 252 bytes of body.
1708
1709       Open  vSwitch  extensions  to the OpenFlow protocol bind TLV options to
1710       NXM code points. The ovs-ofctl(8) program offers one way to  use  these
1711       extensions,  e.g.  to  configure a mapping from a TLV option with class
1712       0xffff, type 0, and a body length of 4 bytes:
1713
1714       ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
1715
1716
1717       Once a TLV option is properly bound, it can be  accessed  and  modified
1718       like any other field, e.g. to send packets that have value 1234 for the
1719       option described above to the controller:
1720
1721       ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
1722
1723
1724       An option not received or not bound is matched as all zeros.
1725
1726       Tunnel Flags Field
1727
1728       Name:            tun_flags
1729
1730       Width:           16 bits (only the least-significant 1 bits may be nonzero)
1731       Format:          tunnel flags
1732       Masking:         arbitrary bitwise masks
1733       Prerequisites:   none
1734       Access:          read/write
1735       OpenFlow 1.0:    not supported
1736       OpenFlow 1.1:    not supported
1737       OXM:             none
1738
1739       NXM:             NXM_NX_TUN_FLAGS (104) since Open vSwitch 2.5
1740
1741       Flags indicating various aspects of the tunnel encapsulation.
1742
1743       Matches on this field are most conveniently written in  terms  of  sym‐
1744       bolic names (given in the diagram below), each preceded by either + for
1745       a flag that must be set, or - for a flag that must  be  unset,  without
1746       any  other  delimiters between the flags. Flags not mentioned are wild‐
1747       carded. For example, tun_flags=+oam matches only OAM  packets.  Matches
1748       can also be written as flags/mask, where flags and mask are 16-bit num‐
1749       bers in decimal or in hexadecimal prefixed by 0x.
1750
1751       Currently, only one flag is defined:
1752
1753              oam    The tunnel protocol indicated that this is an OAM (Opera‐
1754                     tions and Management) control packet.
1755
1756       The switch may reject matches against unknown flags.
1757
1758       Newer  versions of Open vSwitch may introduce additional flags with new
1759       meanings. It is therefore not recommended to use an exact match on this
1760       field  since  the  behavior of these new flags is unknown and should be
1761       ignored.
1762
1763       For non-tunneled packets, the value is 0.
1764

METADATA FIELDS

1766   Summary:
1767       Name            Bytes   Mask   RW?   Prereqs   NXM/OXM Support
1768       ──────────────  ──────  ─────  ────  ────────  ─────────────────────
1769       in_port         2       no     yes   none      OVS 1.1+
1770
1771       in_port_oxm     4       no     yes   none      OF 1.2+ and OVS 1.7+
1772       skb_priority    4       no     no    none
1773       pkt_mark        4       yes    yes   none      OVS 2.0+
1774       actset_output   4       no     no    none      OF 1.3+ and OVS 2.4+
1775       packet_type     4       no     no    none      OF 1.5+ and OVS 2.8+
1776
1777       These fields relate to the origin or treatment of a  packet,  but  they
1778       are not extracted from the packet data itself.
1779
1780       Ingress Port Field
1781
1782       Name:            in_port
1783       Width:           16 bits
1784
1785       Format:          OpenFlow 1.0 port
1786       Masking:         not maskable
1787       Prerequisites:   none
1788       Access:          read/write
1789       OpenFlow 1.0:    yes (exact match only)
1790       OpenFlow 1.1:    yes (exact match only)
1791
1792       OXM:             none
1793       NXM:             NXM_OF_IN_PORT (0) since Open vSwitch 1.1
1794
1795       The  OpenFlow port on which the packet being processed arrived. This is
1796       a 16-bit field that holds an OpenFlow 1.0 port number. For receiving  a
1797       packet, the only values that appear in this field are:
1798
1799              1 through 0xfeff (65,279), inclusive.
1800                     Conventional OpenFlow port numbers.
1801
1802              OFPP_LOCAL (0xfffe or 65,534).
1803                     The ``local’’ port, which in Open vSwitch is always named
1804                     the same as the bridge itself. This represents a  connec‐
1805                     tion  between the switch and the local TCP/IP stack. This
1806                     port is where an IP address is most  commonly  configured
1807                     on an Open vSwitch switch.
1808
1809                     OpenFlow  does not require a switch to have a local port,
1810                     but all existing versions of Open vSwitch have always in‐
1811                     cluded  a  local port. Future Directions: Future versions
1812                     of Open vSwitch might be able to optionally omit the  lo‐
1813                     cal  port,  if  someone  submits code to implement such a
1814                     feature.
1815
1816              OFPP_NONE (OpenFlow 1.0) or OFPP_ANY (OpenFlow 1.1+) (0xffff  or
1817              65,535).
1818              OFPP_CONTROLLER (0xfffd or 65,533).
1819                   When  a controller injects a packet into an OpenFlow switch
1820                   with a ``packet-out’’ request, it can specify one of  these
1821                   ingress ports to indicate that the packet was generated in‐
1822                   ternally rather than having been received on some port.
1823
1824                   OpenFlow 1.0 specified OFPP_NONE for this purpose.  Despite
1825                   that,  some  controllers  used  OFPP_CONTROLLER,  and  some
1826                   switches only accepted OFPP_CONTROLLER, so  OpenFlow  1.0.2
1827                   required  support  for  both  ports. OpenFlow 1.1 and later
1828                   were more clearly drafted to  allow  only  OFPP_CONTROLLER.
1829                   For  maximum  compatibility, Open vSwitch allows both ports
1830                   with all OpenFlow versions.
1831
1832       Values not mentioned above will never appear when receiving  a  packet,
1833       including the following notable values:
1834
1835              0      Zero is not a valid OpenFlow port number.
1836
1837              OFPP_MAX (0xff00 or 65,280).
1838                     This  value  has  only  been clearly specified as a valid
1839                     port number as of OpenFlow 1.3.3. Before that, its status
1840                     was  unclear,  and  so  Open  vSwitch  has  never allowed
1841                     OFPP_MAX to be used as a port  number,  so  packets  will
1842                     never be received on this port. (Other OpenFlow switches,
1843                     of course, might use it.)
1844
1845              OFPP_UNSET (0xfff7 or 65,527)
1846              OFPP_IN_PORT (0xfff8 or 65,528)
1847              OFPP_TABLE (0xfff9 or 65,529)
1848              OFPP_NORMAL (0xfffa or 65,530)
1849              OFPP_FLOOD (0xfffb or 65,531)
1850              OFPP_ALL (0xfffc or 65,532)
1851                   These port numbers are used  only  in  output  actions  and
1852                   never appear as ingress ports.
1853
1854                   Most  of  these  port numbers were defined in OpenFlow 1.0,
1855                   but OFPP_UNSET was only introduced in OpenFlow 1.5.
1856
1857       Values that will never appear when receiving  a  packet  may  still  be
1858       matched  against  in  the  flow table. There are still circumstances in
1859       which those flows can be matched:
1860
1861              •      The resubmit Open vSwitch extension action allows a  flow
1862                     table lookup with an arbitrary ingress port.
1863
1864              •      An  action  that modifies the ingress port field (see be‐
1865                     low), such as e.g. load or set_field, followed by an  ac‐
1866                     tion  or  instruction  that  performs  another flow table
1867                     lookup, such as resubmit or goto_table.
1868
1869       This field is heavily used for matching in  OpenFlow  tables,  but  for
1870       packet egress, it has only very limited roles:
1871
1872              •      OpenFlow  requires suppressing output actions to in_port.
1873                     That is, the following two flows both  drop  all  packets
1874                     that arrive on port 1:
1875
1876                     in_port=1,actions=1
1877                     in_port=1,actions=drop
1878
1879
1880                     (This  behavior  is occasionally useful for flooding to a
1881                     subset of ports. Specifying actions=1,2,3,4, for example,
1882                     outputs  to  ports  1,  2, 3, and 4, omitting the ingress
1883                     port.)
1884
1885              •      OpenFlow has a  special  port  OFPP_IN_PORT  (with  value
1886                     0xfff8) that outputs to the ingress port. For example, in
1887                     a switch that has four ports numbered 1  through  4,  ac‐
1888                     tions=1,2,3,4,in_port  outputs  to  ports 1, 2, 3, and 4,
1889                     including the ingress port.
1890
1891       Because the ingress port field has so little influence on  packet  pro‐
1892       cessing,  it  does not ordinarily make sense to modify the ingress port
1893       field. The field is writable only to support the  occasional  use  case
1894       where  the  ingress port’s roles in packet egress, described above, be‐
1895       come troublesome.  For  example,  actions=load:0->NXM_OF_IN_PORT[],out‐
1896       put:123  will  output  to  port  123 regardless of whether it is in the
1897       ingress port. If the ingress port is important, then one may  save  and
1898       restore it on the stack:
1899
1900       actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],output:123,pop:NXM_OF_IN_PORT[]
1901
1902
1903       or,  in Open vSwitch 2.7 or later, use the clone action to save and re‐
1904       store it:
1905
1906       actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
1907
1908
1909       The ability to modify the ingress port is an Open vSwitch extension  to
1910       OpenFlow.
1911
1912       OXM Ingress Port Field
1913
1914       Name:            in_port_oxm
1915       Width:           32 bits
1916       Format:          OpenFlow 1.1+ port
1917       Masking:         not maskable
1918       Prerequisites:   none
1919       Access:          read/write
1920       OpenFlow 1.0:    not supported
1921       OpenFlow 1.1:    yes (exact match only)
1922
1923       OXM:             OXM_OF_IN_PORT (0) since OpenFlow 1.2 and Open vSwitch
1924                        1.7
1925       NXM:             none
1926
1927       OpenFlow 1.1 and later use a 32-bit port number, so this field supplies
1928       a  32-bit  view  of  the ingress port. Current versions of Open vSwitch
1929       support only a 16-bit range of ports:
1930
1931              •      OpenFlow 1.0 ports 0x0000 to 0xfeff,  inclusive,  map  to
1932                     OpenFlow 1.1 port numbers with the same values.
1933
1934              •      OpenFlow  1.0  ports  0xff00 to 0xffff, inclusive, map to
1935                     OpenFlow 1.1 port numbers 0xffffff00 to 0xffffffff.
1936
1937              •      OpenFlow 1.1  ports  0x0000ff00  to  0xfffffeff  are  not
1938                     mapped and not supported.
1939
1940       in_port  and  in_port_oxm are two views of the same information, so all
1941       of the comments on in_port apply to in_port_oxm too. Modifying  in_port
1942       changes in_port_oxm, and vice versa.
1943
1944       Setting  in_port_oxm  to an unsupported value yields unspecified behav‐
1945       ior.
1946
1947       Output Queue Field
1948
1949       Name:            skb_priority
1950       Width:           32 bits
1951       Format:          hexadecimal
1952
1953       Masking:         not maskable
1954       Prerequisites:   none
1955       Access:          read-only
1956       OpenFlow 1.0:    not supported
1957       OpenFlow 1.1:    not supported
1958       OXM:             none
1959       NXM:             none
1960
1961       Future Directions: Open vSwitch implements the output queue as a field,
1962       but  does  not currently expose it through OXM or NXM for matching pur‐
1963       poses. If this turns out to be a useful feature,  it  could  be  imple‐
1964       mented  in  future versions. Only the set_queue, enqueue, and pop_queue
1965       actions currently influence the output queue.
1966
1967       This field influences how packets in the flow will be queued, for qual‐
1968       ity  of  service (QoS) purposes, when they egress the switch. Its range
1969       of meaningful values, and their meanings, varies greatly from one Open‐
1970       Flow  implementation  to  another. Even within a single implementation,
1971       there is no guarantee that all OpenFlow ports have the same queues con‐
1972       figured  or that all OpenFlow ports in an implementation can be config‐
1973       ured the same way queue-wise.
1974
1975       Configuring queues on OpenFlow is not well standardized. On Linux, Open
1976       vSwitch  supports  queue  configuration via OVSDB, specifically the QoS
1977       and Queue tables (see ovs-vswitchd.conf.db(5) for  details).  Ports  of
1978       Open  vSwitch  to  other  platforms  might  require queue configuration
1979       through some separate protocol (such as a CLI).  Even  on  Linux,  Open
1980       vSwitch  exposes  only  a  fraction  of  the  kernel’s queuing features
1981       through OVSDB, so advanced or unusual uses might require use  of  sepa‐
1982       rate  utilities  (e.g.  tc).  OpenFlow switches other than Open vSwitch
1983       might use OF-CONFIG or  any  of  the  configuration  methods  mentioned
1984       above.  Finally,  some  OpenFlow switches have a fixed number of fixed-
1985       function queues (e.g. eight queues with  strictly  defined  priorities)
1986       and others do not support any control over queuing.
1987
1988       The only output queue that all OpenFlow implementations must support is
1989       zero, to identify a default queue, whose properties are implementation-
1990       defined. Outputting a packet to a queue that does not exist on the out‐
1991       put port yields unpredictable behavior:  among  the  possibilities  are
1992       that  the  packet  might  be dropped or transmitted with a very high or
1993       very low priority.
1994
1995       OpenFlow 1.0 only allowed output queues to be specified as part  of  an
1996       enqueue action that specified both a queue and an output port. That is,
1997       OpenFlow 1.0 treats the queue as an argument to an  action,  not  as  a
1998       field.
1999
2000       To increase flexibility, OpenFlow 1.1 added an action to set the output
2001       queue. This model was carried forward, without change, through OpenFlow
2002       1.5.
2003
2004       Open  vSwitch implements the native queuing model of each OpenFlow ver‐
2005       sion it supports. Open vSwitch also includes an extension  for  setting
2006       the output queue as an action in OpenFlow 1.0.
2007
2008       When  a  packet  ingresses into an OpenFlow switch, the output queue is
2009       ordinarily set to  0,  indicating  the  default  queue.  However,  Open
2010       vSwitch  supports  various  ways  to forward a packet from one OpenFlow
2011       switch to another within a single host. In these  cases,  Open  vSwitch
2012       maintains the output queue across the forwarding step. For example:
2013
2014              •      A  hop  across an Open vSwitch ``patch port’’ (which does
2015                     not actually involve queuing) preserves the output queue.
2016
2017              •      When a flow sets the output  queue  then  outputs  to  an
2018                     OpenFlow  tunnel  port,  the  encapsulation preserves the
2019                     output queue. If the kernel TCP/IP stack routes  the  en‐
2020                     capsulated  packet directly to a physical interface, then
2021                     that output honors the output  queue.  Alternatively,  if
2022                     the kernel routes the encapsulated packet to another Open
2023                     vSwitch bridge, then the output queue set previously  be‐
2024                     comes  the  initial output queue on ingress to the second
2025                     bridge and will thus be used for further  output  actions
2026                     (unless overridden by a new ``set queue’’ action).
2027
2028                     (This  description  reflects the current behavior of Open
2029                     vSwitch on Linux. This behavior relies on details of  the
2030                     Linux  TCP/IP  stack. It could be difficult to make ports
2031                     to other operating systems behave the same way.)
2032
2033       Packet Mark Field
2034
2035       Name:            pkt_mark
2036       Width:           32 bits
2037       Format:          hexadecimal
2038       Masking:         arbitrary bitwise masks
2039       Prerequisites:   none
2040       Access:          read/write
2041       OpenFlow 1.0:    not supported
2042
2043       OpenFlow 1.1:    not supported
2044       OXM:             none
2045       NXM:             NXM_NX_PKT_MARK (33) since Open vSwitch 2.0
2046
2047       Packet mark comes to Open vSwitch from the Linux kernel, in  which  the
2048       sk_buff  data structure that represents a packet contains a 32-bit mem‐
2049       ber named skb_mark. The value of skb_mark  propagates  along  with  the
2050       packet it accompanies wherever the packet goes in the kernel. It has no
2051       predefined semantics but various kernel-user  interfaces  can  set  and
2052       match  on  it,  which  makes it suitable for ``marking’’ packets at one
2053       point in their handling and then acting on the mark later.  With  ipta‐
2054       bles,  for  example, one can mark some traffic specially at ingress and
2055       then handle that traffic differently at  egress  based  on  the  marked
2056       value.
2057
2058       Packet  mark  is an attempt at a generalization of the skb_mark concept
2059       beyond Linux, at least through more generic naming. Like  skb_priority,
2060       packet  mark is preserved across forwarding steps within a machine. Un‐
2061       like skb_priority, packet mark has no direct effect on packet  forward‐
2062       ing:  the  value  set  in packet mark does not matter unless some later
2063       OpenFlow table or switch matches on packet mark, or unless  the  packet
2064       passes  through some other kernel subsystem that has been configured to
2065       interpret packet mark in specific ways, e.g. through iptables  configu‐
2066       ration mentioned above.
2067
2068       Preserving packet mark across kernel forwarding steps relies heavily on
2069       kernel support, which ports to  non-Linux  operating  systems  may  not
2070       have.  Regardless  of  operating  system support, Open vSwitch supports
2071       packet mark within a single bridge and across patch ports.
2072
2073       The value of packet mark when a packet ingresses into  the  first  Open
2074       vSwich  bridge  is typically zero, but it could be nonzero if its value
2075       was previously set by some kernel subsystem.
2076
2077       Action Set Output Port Field
2078
2079       Name:            actset_output
2080       Width:           32 bits
2081       Format:          OpenFlow 1.1+ port
2082
2083       Masking:         not maskable
2084       Prerequisites:   none
2085       Access:          read-only
2086       OpenFlow 1.0:    not supported
2087       OpenFlow 1.1:    not supported
2088       OXM:             ONFOXM_ET_ACTSET_OUTPUT (43) since  OpenFlow  1.3  and
2089                        Open  vSwitch  2.4;  OXM_OF_ACTSET_OUTPUT  (43)  since
2090                        OpenFlow 1.5 and Open vSwitch 2.4
2091       NXM:             none
2092
2093       Holds the output port currently in the OpenFlow action set  (i.e.  from
2094       an  output  action within a write_actions instruction). Its value is an
2095       OpenFlow port number. If there is no output port in the OpenFlow action
2096       set,  or  if  the output port will be ignored (e.g. because there is an
2097       output group in the OpenFlow  action  set),  then  the  value  will  be
2098       OFPP_UNSET.
2099
2100       Open  vSwitch  allows any table to match this field. OpenFlow, however,
2101       only requires this field to be matchable from within an OpenFlow egress
2102       table (a feature that Open vSwitch does not yet implement).
2103
2104       Packet Type Field
2105
2106       Name:            packet_type
2107       Width:           32 bits
2108       Format:          packet type
2109       Masking:         not maskable
2110       Prerequisites:   none
2111       Access:          read-only
2112
2113       OpenFlow 1.0:    not supported
2114       OpenFlow 1.1:    not supported
2115       OXM:             OXM_OF_PACKET_TYPE  (44)  since  OpenFlow 1.5 and Open
2116                        vSwitch 2.8
2117       NXM:             none
2118
2119       The type of the packet in the format specified in OpenFlow 1.5:
2120
2121        Packet type
2122        <--------->
2123        16    16
2124       +---+-------+
2125       |ns |ns_type| ...
2126       +---+-------+
2127
2128
2129       The upper 16 bits, ns, are a namespace. The meaning of ns_type  depends
2130       on  the  namespace. The packet type field is specified and displayed in
2131       the format (ns,ns_type).
2132
2133       Open vSwitch currently supports the following classes of  packet  types
2134       for matching:
2135
2136              (0,0)  Ethernet.
2137
2138              (1,ethertype)
2139                     The specified ethertype. Open vSwitch can forward packets
2140                     with any ethertype, but it can only match on and  process
2141                     data fields for the following supported packet types:
2142
2143                     (1,0x800)
2144                            IPv4
2145
2146                     (1,0x806)
2147                            ARP
2148
2149                     (1,0x86dd)
2150                            IPv6
2151
2152                     (1,0x8847)
2153                            MPLS
2154
2155                     (1,0x8848)
2156                            MPLS multicast
2157
2158                     (1,0x8035)
2159                            RARP
2160
2161                     (1,0x894f)
2162                            NSH
2163
2164       Consider  the  distinction  between  a  packet  with packet_type=(0,0),
2165       dl_type=0x800 and one with packet_type=(1,0x800). The former is an Eth‐
2166       ernet frame that contains an IPv4 packet, like this:
2167
2168          Ethernet            IPv4
2169        <----------->   <--------------->
2170        48  48   16           8   32  32
2171       +---+---+-----+ +---+-----+---+---+
2172       |dst|src|type | |...|proto|src|dst| ...
2173       +---+---+-----+ +---+-----+---+---+
2174                0x800
2175
2176
2177       The  latter  is an IPv4 packet not encapsulated inside any outer frame,
2178       like this:
2179
2180              IPv4
2181        <--------------->
2182              8   32  32
2183       +---+-----+---+---+
2184       |...|proto|src|dst| ...
2185       +---+-----+---+---+
2186
2187
2188       Matching on packet_type is a pre-requisite for  matching  on  any  data
2189       field,  but for backward compatibility, when a match on a data field is
2190       present without a packet_type match, Open  vSwitch  acts  as  though  a
2191       match  on  (0,0)  (Ethernet)  had  been  supplied. Similarly, when Open
2192       vSwitch sends flow match information to a controller, e.g. in  a  reply
2193       to  a  request  to  dump  the flow table, Open vSwitch omits a match on
2194       packet type (0,0) if it would be implied by a data field match.
2195

CONNECTION TRACKING FIELDS

2197   Summary:
2198       Name          Bytes   Mask   RW?   Prereqs   NXM/OXM Support
2199
2200       ────────────  ──────  ─────  ────  ────────  ────────────────
2201       ct_state      4       yes    no    none      OVS 2.5+
2202       ct_zone       2       no     no    none      OVS 2.5+
2203       ct_mark       4       yes    yes   none      OVS 2.5+
2204
2205       ct_label      16      yes    yes   none      OVS 2.5+
2206       ct_nw_src     4       yes    no    CT        OVS 2.8+
2207       ct_nw_dst     4       yes    no    CT        OVS 2.8+
2208       ct_ipv6_src   16      yes    no    CT        OVS 2.8+
2209
2210       ct_ipv6_dst   16      yes    no    CT        OVS 2.8+
2211       ct_nw_proto   1       no     no    CT        OVS 2.8+
2212       ct_tp_src     2       yes    no    CT        OVS 2.8+
2213       ct_tp_dst     2       yes    no    CT        OVS 2.8+
2214
2215       Open vSwitch supports ``connection tracking,’’  which  allows  bidirec‐
2216       tional  streams  of  packets to be statefully grouped into connections.
2217       Open vSwitch connection tracking, for example, identifies the  patterns
2218       of  TCP  packets that indicates a successfully initiated connection, as
2219       well as those that indicate that a connection has been torn down.  Open
2220       vSwitch connection tracking can also identify related connections, such
2221       as FTP data connections spawned from FTP control connections.
2222
2223       An individual packet passing through the pipeline may be in one of  two
2224       states,  ``untracked’’  or  ``tracked,’’ which may be distinguished via
2225       the ``trk’’ flag in ct_state. A packet is untracked at the beginning of
2226       the Open vSwitch pipeline and continues to be untracked until the pipe‐
2227       line invokes the ct action. The connection tracking fields are all  ze‐
2228       roes  in  an untracked packet. When a flow in the Open vSwitch pipeline
2229       invokes the ct action, the action initializes the  connection  tracking
2230       fields and the packet becomes tracked for the remainder of its process‐
2231       ing.
2232
2233       The connection tracker stores connection state in  an  internal  table,
2234       but  it  only adds a new entry to this table when a ct action for a new
2235       connection invokes ct with the commit parameter. For  a  given  connec‐
2236       tion,  when  a  pipeline  has executed ct, but not yet with commit, the
2237       connection is said to be uncommitted. State for an uncommitted  connec‐
2238       tion is ephemeral and does not persist past the end of the pipeline, so
2239       some features are only available to committed connections. A connection
2240       would typically be left uncommitted as a way to drop its packets.
2241
2242       Connection  tracking  is  an  Open  vSwitch extension to OpenFlow. Open
2243       vSwitch 2.5 added the initial support for connection  tracking.  Subse‐
2244       quent versions of Open vSwitch added many refinements and extensions to
2245       the initial support. Many of these  capabilities  depend  on  the  Open
2246       vSwitch datapath rather than simply the userspace version. The capabil‐
2247       ities column in the Datapath table  (see  ovs-vswitchd.conf.db(5))  re‐
2248       ports the detailed capabilities of a particular Open vSwitch datapath.
2249
2250       Connection Tracking State Field
2251
2252       Name:            ct_state
2253       Width:           32 bits
2254
2255       Format:          ct state
2256       Masking:         arbitrary bitwise masks
2257       Prerequisites:   none
2258       Access:          read-only
2259
2260       OpenFlow 1.0:    not supported
2261       OpenFlow 1.1:    not supported
2262       OXM:             none
2263       NXM:             NXM_NX_CT_STATE (105) since Open vSwitch 2.5
2264
2265       This  field holds several flags that can be used to determine the state
2266       of the connection to which the packet belongs.
2267
2268       Matches on this field are most conveniently written in  terms  of  sym‐
2269       bolic  names  (listed below), each preceded by either + for a flag that
2270       must be set, or - for a flag that must be unset, without any other  de‐
2271       limiters between the flags. Flags not mentioned are wildcarded. For ex‐
2272       ample, tcp,ct_state=+trk-new matches TCP packets  that  have  been  run
2273       through  the  connection tracker and do not establish a new connection.
2274       Matches can also be written as flags/mask, where  flags  and  mask  are
2275       32-bit numbers in decimal or in hexadecimal prefixed by 0x.
2276
2277       The following flags are defined:
2278
2279              new (0x01)
2280                     A new connection. Set to 1 if this is an uncommitted con‐
2281                     nection.
2282
2283              est (0x02)
2284                     Part of an existing connection. Set to 1 if packets of  a
2285                     committed  connection  have  been  seen by conntrack from
2286                     both directions.
2287
2288              rel (0x04)
2289                     Related to an existing connection, e.g. an ICMP  ``desti‐
2290                     nation  unreachable’’ message or an FTP data connections.
2291                     This flag will only be 1 if the connection to which  this
2292                     one is related is committed.
2293
2294                     Connections identified as rel are separate from the orig‐
2295                     inating connection and must be committed separately.  All
2296                     packets  for  a related connection will have the rel flag
2297                     set, not just the initial packet.
2298
2299              rpl (0x08)
2300                     This packet is in the reply direction, meaning that it is
2301                     in  the opposite direction from the packet that initiated
2302                     the connection. This flag will only be 1 if  the  connec‐
2303                     tion is committed.
2304
2305              inv (0x10)
2306                     The state is invalid, meaning that the connection tracker
2307                     couldn’t identify the connection. This flag is  a  catch-
2308                     all  for  problems  in  the  connection or the connection
2309                     tracker, such as:
2310
2311                     •      L3/L4 protocol handler is not  loaded/unavailable.
2312                            With the Linux kernel datapath, this may mean that
2313                            the nf_conntrack_ipv4 or nf_conntrack_ipv6 modules
2314                            are not loaded.
2315
2316                     •      L3/L4  protocol handler determines that the packet
2317                            is malformed.
2318
2319                     •      Packets are unexpected length for protocol.
2320
2321              trk (0x20)
2322                     This packet is tracked, meaning that  it  has  previously
2323                     traversed  the  connection  tracker.  If this flag is not
2324                     set, then no other flags will be set.  If  this  flag  is
2325                     set,  then the packet is tracked and other flags may also
2326                     be set.
2327
2328              snat (0x40)
2329                     This packet was transformed by source address/port trans‐
2330                     lation  by  a preceding ct action. Open vSwitch 2.6 added
2331                     this flag.
2332
2333              dnat (0x80)
2334                     This packet was transformed by  destination  address/port
2335                     translation  by  a  preceding ct action. Open vSwitch 2.6
2336                     added this flag.
2337
2338       There are additional constraints on these flags, listed  in  decreasing
2339       order of precedence below:
2340
2341              1.  If trk is unset, no other flags are set.
2342
2343              2.  If trk is set, one or more other flags may be set.
2344
2345              3.  If inv is set, only the trk flag is also set.
2346
2347              4.  new and est are mutually exclusive.
2348
2349              5.  new and rpl are mutually exclusive.
2350
2351              6.  rel may be set in conjunction with any other flags.
2352
2353       Future versions of Open vSwitch may define new flags.
2354
2355       Connection Tracking Zone Field
2356
2357       Name:            ct_zone
2358       Width:           16 bits
2359       Format:          hexadecimal
2360       Masking:         not maskable
2361
2362       Prerequisites:   none
2363       Access:          read-only
2364       OpenFlow 1.0:    not supported
2365       OpenFlow 1.1:    not supported
2366       OXM:             none
2367       NXM:             NXM_NX_CT_ZONE (106) since Open vSwitch 2.5
2368
2369       A connection tracking zone, the zone value passed to the most recent ct
2370       action. Each zone is an independent  connection  tracking  context,  so
2371       tracking the same packet in multiple contexts requires using the ct ac‐
2372       tion multiple times.
2373
2374       Connection Tracking Mark Field
2375
2376       Name:            ct_mark
2377       Width:           32 bits
2378       Format:          hexadecimal
2379       Masking:         arbitrary bitwise masks
2380       Prerequisites:   none
2381       Access:          read/write
2382       OpenFlow 1.0:    not supported
2383       OpenFlow 1.1:    not supported
2384       OXM:             none
2385       NXM:             NXM_NX_CT_MARK (107) since Open vSwitch 2.5
2386
2387       The metadata committed, by an action within the exec parameter  to  the
2388       ct action, to the connection to which the current packet belongs.
2389
2390       Connection Tracking Label Field
2391
2392       Name:            ct_label
2393       Width:           128 bits
2394       Format:          hexadecimal
2395       Masking:         arbitrary bitwise masks
2396       Prerequisites:   none
2397       Access:          read/write
2398       OpenFlow 1.0:    not supported
2399       OpenFlow 1.1:    not supported
2400
2401       OXM:             none
2402       NXM:             NXM_NX_CT_LABEL (108) since Open vSwitch 2.5
2403
2404       The  label  committed, by an action within the exec parameter to the ct
2405       action, to the connection to which the current packet belongs.
2406
2407       Open vSwitch 2.8 introduced the matching support for connection tracker
2408       original direction 5-tuple fields.
2409
2410       For non-committed non-related connections the conntrack original direc‐
2411       tion tuple fields always have the  same  values  as  the  corresponding
2412       headers in the packet itself. For any other packets of a committed con‐
2413       nection the conntrack original direction tuple fields reflect the  val‐
2414       ues from that initial non-committed non-related packet, and thus may be
2415       different from the actual packet headers, as the actual packet  headers
2416       may  be  in  reverse  direction (for reply packets), transformed by NAT
2417       (when nat option was applied to the connection),  or  be  of  different
2418       protocol  (i.e.,  when  an  ICMP response is sent to an UDP packet). In
2419       case of related connections, e.g., an FTP data connection, the original
2420       direction tuple contains the original direction headers from the parent
2421       connection, e.g., an FTP control connection.
2422
2423       The following fields are populated by the  ct  action,  and  require  a
2424       match  to a valid connection tracking state as a prerequisite, in addi‐
2425       tion to the IP or IPv6 ethertype match. Examples  of  valid  connection
2426       tracking    state   matches   include   ct_state=+new,   ct_state=+est,
2427       ct_state=+rel, and ct_state=+trk-inv.
2428
2429       Connection Tracking Original Direction IPv4 Source Address Field
2430
2431       Name:            ct_nw_src
2432       Width:           32 bits
2433       Format:          IPv4
2434       Masking:         arbitrary bitwise masks
2435       Prerequisites:   CT
2436       Access:          read-only
2437       OpenFlow 1.0:    not supported
2438       OpenFlow 1.1:    not supported
2439
2440       OXM:             none
2441       NXM:             NXM_NX_CT_NW_SRC (120) since Open vSwitch 2.8
2442
2443       Matches IPv4 conntrack original direction tuple source address. See the
2444       paragraphs  above for general description to the conntrack original di‐
2445       rection tuple. Introduced in Open vSwitch 2.8.
2446
2447       Connection Tracking Original Direction IPv4 Destination Address Field
2448
2449       Name:            ct_nw_dst
2450       Width:           32 bits
2451       Format:          IPv4
2452
2453       Masking:         arbitrary bitwise masks
2454       Prerequisites:   CT
2455       Access:          read-only
2456       OpenFlow 1.0:    not supported
2457       OpenFlow 1.1:    not supported
2458       OXM:             none
2459       NXM:             NXM_NX_CT_NW_DST (121) since Open vSwitch 2.8
2460
2461       Matches IPv4 conntrack original direction  tuple  destination  address.
2462       See the paragraphs above for general description to the conntrack orig‐
2463       inal direction tuple. Introduced in Open vSwitch 2.8.
2464
2465       Connection Tracking Original Direction IPv6 Source Address Field
2466
2467       Name:            ct_ipv6_src
2468       Width:           128 bits
2469       Format:          IPv6
2470       Masking:         arbitrary bitwise masks
2471       Prerequisites:   CT
2472       Access:          read-only
2473       OpenFlow 1.0:    not supported
2474       OpenFlow 1.1:    not supported
2475       OXM:             none
2476       NXM:             NXM_NX_CT_IPV6_SRC (122) since Open vSwitch 2.8
2477
2478       Matches IPv6 conntrack original direction tuple source address. See the
2479       paragraphs  above for general description to the conntrack original di‐
2480       rection tuple. Introduced in Open vSwitch 2.8.
2481
2482       Connection Tracking Original Direction IPv6 Destination Address Field
2483
2484       Name:            ct_ipv6_dst
2485       Width:           128 bits
2486       Format:          IPv6
2487       Masking:         arbitrary bitwise masks
2488       Prerequisites:   CT
2489       Access:          read-only
2490       OpenFlow 1.0:    not supported
2491
2492       OpenFlow 1.1:    not supported
2493       OXM:             none
2494       NXM:             NXM_NX_CT_IPV6_DST (123) since Open vSwitch 2.8
2495
2496       Matches IPv6 conntrack original direction  tuple  destination  address.
2497       See the paragraphs above for general description to the conntrack orig‐
2498       inal direction tuple. Introduced in Open vSwitch 2.8.
2499
2500       Connection Tracking Original Direction IP Protocol Field
2501
2502       Name:            ct_nw_proto
2503       Width:           8 bits
2504
2505       Format:          decimal
2506       Masking:         not maskable
2507       Prerequisites:   CT
2508       Access:          read-only
2509       OpenFlow 1.0:    not supported
2510       OpenFlow 1.1:    not supported
2511       OXM:             none
2512       NXM:             NXM_NX_CT_NW_PROTO (119) since Open vSwitch 2.8
2513
2514       Matches conntrack original direction tuple IP protocol type,  which  is
2515       specified  as  a decimal number between 0 and 255, inclusive (e.g. 1 to
2516       match ICMP packets or 6 to match TCP packets). In case of, for example,
2517       an  ICMP  response  to an UDP packet, this may be different from the IP
2518       protocol type of the packet itself. See the paragraphs above  for  gen‐
2519       eral  description to the conntrack original direction tuple. Introduced
2520       in Open vSwitch 2.8.
2521
2522       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2523       Field
2524
2525       Name:            ct_tp_src
2526       Width:           16 bits
2527       Format:          decimal
2528       Masking:         arbitrary bitwise masks
2529       Prerequisites:   CT
2530
2531       Access:          read-only
2532       OpenFlow 1.0:    not supported
2533       OpenFlow 1.1:    not supported
2534       OXM:             none
2535       NXM:             NXM_NX_CT_TP_SRC (124) since Open vSwitch 2.8
2536
2537       Bitwise  match  on  the  conntrack  original  direction tuple transport
2538       source, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for  UDP,  or  132
2539       for  SCTP. When MFF_CT_NW_PROTO has value 1 for ICMP, or 58 for ICMPv6,
2540       the lower 8 bits of MFF_CT_TP_SRC matches the conntrack original direc‐
2541       tion ICMP type. See the paragraphs above for general description to the
2542       conntrack original direction tuple. Introduced in Open vSwitch 2.8.
2543
2544       Connection Tracking Original  Direction  Transport  Layer  Source  Port
2545       Field
2546
2547       Name:            ct_tp_dst
2548       Width:           16 bits
2549       Format:          decimal
2550       Masking:         arbitrary bitwise masks
2551       Prerequisites:   CT
2552       Access:          read-only
2553       OpenFlow 1.0:    not supported
2554       OpenFlow 1.1:    not supported
2555       OXM:             none
2556
2557       NXM:             NXM_NX_CT_TP_DST (125) since Open vSwitch 2.8
2558
2559       Bitwise  match on the conntrack original direction tuple transport des‐
2560       tination port, when MFF_CT_NW_PROTO has value 6 for TCP, 17 for UDP, or
2561       132  for  SCTP.  When  MFF_CT_NW_PROTO  has value 1 for ICMP, or 58 for
2562       ICMPv6, the lower 8 bits of MFF_CT_TP_DST matches the conntrack  origi‐
2563       nal  direction ICMP code. See the paragraphs above for general descrip‐
2564       tion to the conntrack original  direction  tuple.  Introduced  in  Open
2565       vSwitch 2.8.
2566