流规则组成
每条流规则由一系列字段组成,分为基本字段、条件字段和动作字段三部分:
基本字段包括生效时间duration_sec、所属表项table_id、优先级priority、处理的数据包数n_packets,空闲超时时间idle_timeout等,空闲超时时间idle_timeout以秒为单位,超过设置的空闲超时时间后该流规则将被自动删除,空闲超时时间设置为0表示该流规则永不过期,idle_timeout将不包含于ovs-ofctl dump-flows brname的输出中。
条件字段包括输入端口号in_port、源目的mac地址dl_src/dl_dst、源目的ip地址nw_src/nw_dst、数据包类型dl_type、网络层协议类型nw_proto等,可以为这些字段的任意组合,但在网络分层结构中底层的字段未给出确定值时上层的字段不允许给确定值,即一条流规则中允许底层协议字段指定为确定值,高层协议字段指定为通配符(不指定即为匹配任何值),而不允许高层协议字段指定为确定值,而底层协议字段却为通配符(不指定即为匹配任何值),否则,ovs-vswitchd 中的流规则将全部丢失,网络无法连接。
动作字段包括正常转发normal、定向到某交换机端口output:port、丢弃drop、更改源目的mac地址mod_dl_src/mod_dl_dst等,一条流规则可有多个动作,动作执行按指定的先后顺序依次完成。
条件字段介绍
in_port=port
Matches OpenFlow port port
dl_vlan=vlan
Matches IEEE 802.1q Virtual LAN tag vlan.
dl_vlan_pcp=priority
Matches IEEE 802.1q Priority Code Point (PCP) priority, which is specified as a value between 0 and 7, inclusive. A higher value indicates a higher frame priority level.
dl_src=xx:xx:xx:xx:xx:xx
dl_dst=xx:xx:xx:xx:xx:xx
Matches an Ethernet source (or destination) address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0).
dl_src=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
dl_dst=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
Matches an Ethernet destination address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0), with a wildcard mask following the slash.
01:00:00:00:00:00 Match only the multicast bit. Thus, dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches all multicast (including broadcast) Ethernet packets, and dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 matches all unicast Ethernet packets.
ff:ff:ff:ff:ff:ff Exact match (equivalent to omitting the mask).
00:00:00:00:00:00 Wildcard all bits (equivalent to dl_dst=*.)
dl_type=ethertype
Matches Ethernet protocol type ethertype, which is specified as an integer between 0 and 65535
nw_src=ip[/netmask]
nw_dst=ip[/netmask]
When dl_type is 0x0800 (possibly via shorthand, e.g. ip or tcp), matches IPv4 source (or destination) address ip, which may be specified as an IP address or host name
When dl_type=0x0806 or arp is specified, matches the ar_spa or ar_tpa field, respectively, in
ARP packets for IPv4 and Ethernet.
When dl_type=0x8035 or rarp is specified, matches the ar_spa or ar_tpa field, respectively, in
RARP packets for IPv4 and Ethernet.
nw_proto=proto
When ip or dl_type=0x0800 is specified, matches IP protocol type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 1 to match ICMP packets or 6 to match TCP packets).
When ipv6 or dl_type=0x86dd is specified, matches IPv6 header type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 58 to match ICMPv6 packets or 6 to match TCP).
When arp or dl_type=0x0806 is specified, matches the lower 8 bits of the ARP opcode.
When rarp or dl_type=0x8035 is specified, matches the lower 8 bits of the ARP opcode.
nw_tos=tos
Matches IP ToS/DSCP or IPv6 traffic class field tos, which is specified as a decimal number between 0 and 255, inclusive.
nw_ecn=ecn
Matches ecn bits in IP ToS or IPv6 traffic class fields, which is specified as a decimal number between 0 and 3, inclusive.
nw_ttl=ttl
Matches IP TTL or IPv6 hop limit value ttl, which is specified as a decimal number between 0 and 255, inclusive.
tp_src=port
tp_dst=port
When dl_type and nw_proto specify TCP or UDP, tp_src and tp_dst match the UDP or TCP source or destination port port
icmp_type=type
icmp_code=code
When dl_type and nw_proto specify ICMP or ICMPv6, type matches the ICMP type and code matches the ICMP code.
table=number
If specified, limits the flow manipulation and flow dump commands to only apply to the table with the given number between 0 and 254.
vlan_tci=tci[/mask]
Matches modified VLAN TCI tci. If mask is omitted, tci is the exact VLAN TCI to match; if mask is specified, then a 1-bit in mask indicates that the corresponding bit in tci must match exactly, and a 0-bit wildcards that bit.
ip_frag=frag_type
When dl_type specifies IP or IPv6, frag_type specifies what kind of IP fragments or non-fragments to match.
The following values of frag_type are supported:
no Matches only non-fragmented packets.
yes Matches all fragments.
first Matches only fragments with offset 0.
later Matches only fragments with nonzero offset.
not_later Matches non-fragmented packets and fragments with zero offset.
arp_sha=xx:xx:xx:xx:xx:xx
arp_tha=xx:xx:xx:xx:xx:xx
When dl_type specifies either ARP or RARP, arp_sha and arp_tha match the source and target hardware address, respectively.
tun_id=tunnel-id[/mask]
Matches tunnel identifier tunnel-id. Only packets that arrive over a tunnel that carries a key (e.g. GRE with the RFC 2890 key extension and a nonzero key value) will have a nonzero tunnel ID.
动作字段介绍
output:port
Outputs the packet to port
output:src[start..end]
Outputs the packet to the OpenFlow port number read from src, which must be an NXM field as described above. For example, output:NXM_NX_REG0[16..31] outputs to the OpenFlow port number written in the upper half of register 0.
enqueue:port:queue
Enqueues the packet on the specified queue within port port
normal
Subjects the packet to the device’s normal L2/L3 processing.
flood
Outputs the packet on all switch physical ports other than the port on which it was received and any ports on which flooding is disabled
all
Outputs the packet on all switch physical ports other than the port on which it was received.
controller(key=value…)
Sends the packet to the OpenFlow controller as a ‘‘packet in’’ message. The supported key-value pairs are:
max_len=nbytes : Limit to nbytes the number of bytes of the packet to send to the controller. By default the entire packet is sent.
reason=reason: Specify reason as the reason for sending the message in the ‘‘packet in’’ message. The supported reasons are action (the default), no_match, and invalid_ttl.
id=controller-id : Specify controller-id
in_port
Outputs the packet on the port from which it was received.
drop
Discards the packet, so no further processing or forwarding takes place.
mod_vlan_vid:vlan_vid
Modifies the VLAN id on a packet.
mod_vlan_pcp:vlan_pcp
Modifies the VLAN priority on a packet.
strip_vlan
Strips the VLAN tag from a packet if it is present.
push_vlan:ethertype
Push a new VLAN tag onto the packet.
push_mpls:ethertype
If the packet does not already contain any MPLS labels, changes the packet’s Ethertype to ethertype, which must be either the MPLS unicast Ethertype 0x8847 or the MPLS multicast Ethertype 0x8848, and then pushes an initial label stack entry.
pop_mpls:ethertype
Strips the outermost MPLS label stack entry.
mod_dl_src:mac
Sets the source Ethernet address to mac.
mod_dl_dst:mac
Sets the destination Ethernet address to mac.
mod_nw_src:ip
Sets the IPv4 source address to ip.
mod_nw_dst:ip
Sets the IPv4 destination address to ip.
mod_tp_src:port
Sets the TCP or UDP source port to port.
mod_tp_dst:port
Sets the TCP or UDP destination port to port.
mod_nw_tos:tos
Sets the IPv4 ToS/DSCP field to tos, which must be a multiple of 4 between 0 and 255.
resubmit([port],[table])
Re-searches this OpenFlow flow table (or the table whose number is specified by table) with the in_port field replaced by port (if port is specified)
set_tunnel:id
set_tunnel64:id
If outputting to a port that encapsulates the packet in a tunnel and supports an identifier (such as GRE), sets the identifier to id.
set_queue:queue
Sets the queue that should be used to queue when packets are output.
pop_queue
Restores the queue to the value it was before any set_queue actions were applied.
dec_ttl
dec_ttl[(id1,id2)]
Decrement TTL of IPv4 packet or hop limit of IPv6 packet.
set_mpls_ttl:ttl
Set the TTL of the outer MPLS label stack entry of a packet. ttl should be in the range 0 to 255 inclusive.
dec_mpls_ttl
Decrement TTL of the outer MPLS label stack entry of a packet.
move:src[start..end]−>dst[start..end]
Copies the named bits from field src to field dst. src and dst must be NXM field names as defined in nicira−ext.h, e.g. NXM_OF_UDP_SRC or NXM_NX_REG0.
Examples: move:NXM_NX_REG0[0..5]−>NXM_NX_REG1[26..31] copies the six bits numbered 0 through 5, inclusive, in register 0 into bits 26 through 31, inclusive; move:NXM_NX_REG0[0..15]−>NXM_OF_VLAN_TCI[] copies the least significant 16 bits of register 0 into the VLAN TCI field.
load:value−>dst[start..end]
Writes value to bits start through end, inclusive, in field dst.
Example: load:55−>NXM_NX_REG2[0..5] loads value 55 (bit pattern 110111) into bits 0 through 5, inclusive, in register 2.
push:src[start..end]
Pushes start to end bits inclusive, in fields on top of the stack.
Example: push:NXM_NX_REG2[0..5] push the value stored in register 2 bits 0 through 5, inclusive, on to the internal stack.
pop:dst[start..end]
Pops from the top of the stack, retrieves the start to end bits inclusive, from the value popped and store them into the corresponding bits in dst.
Example: pop:NXM_NX_REG2[0..5] pops the value from top of the stack. Set register 2 bits 0 through 5, inclusive, based on bits 0 through 5 from the value just popped.
set_field:value−>dst
Writes the literal value into the field dst, which should be specified as a name used for matching.
Example: set_field:fe80:0123:4567:890a:a6ba:dbff:fefe:59fa−>ipv6_src
learn(argument[,argument]…)
This action adds or modifies a flow in an OpenFlow table, similar to ovs−ofctl −−strict mod−flows. The arguments specify the flow’s match fields, actions, and other properties, as follows
idle_timeout=seconds
hard_timeout=seconds
priority=value
These key-value pairs have the same meaning as in the usual ovs−ofctl flow syntax.
fin_idle_timeout=seconds
fin_hard_timeout=seconds
Adds a fin_timeout action with the specified arguments to the new flow.
table=number
The table in which the new flow should be inserted. Specify a decimal number between 0 and 254. The default, if table is unspecified, is table 1.
field=value
field[start..end]=src[start..end]
field[start..end]
Adds a match criterion to the new flow.
load:value−>dst[start..end]
load:src[start..end]−>dst[start..end]
Adds a load action to the new flow.
output:field[start..end]
Add an output action to the new flow’s actions, that outputs to the OpenFlow port taken from field[start..end], which must be an NXM field as described above.
