OVS-ACTIONS(7) Open vSwitch OVS-ACTIONS(7) NAME ovs-actions - OpenFlow actions and instructions with Open vSwitch ex‐ tensions INTRODUCTION This document aims to comprehensively document all of the OpenFlow ac‐ tions and instructions, both standard and non-standard, supported by Open vSwitch, regardless of origin. The document includes information of interest to Open vSwitch users, such as the semantics of each sup‐ ported action and the syntax used by Open vSwitch tools, and to devel‐ opers seeking to build controllers and switches compatible with Open vSwitch, such as the wire format for each supported message. Actions In this document, we define an action as an OpenFlow action, which is a kind of command that specifies what to do with a packet. Actions are used in OpenFlow flows to describe what to do when the flow matches a packet, and in a few other places in OpenFlow. Each version of the OpenFlow specification defines standard actions, and beyond that many OpenFlow switches, including Open vSwitch, implement extensions to the standard. OpenFlow groups actions in two ways: as an action list or an action set, described below. Action Lists An action list, a concept present in every version of OpenFlow, is sim‐ ply an ordered sequence of actions. The OpenFlow specifications re‐ quire a switch to execute actions within an action list in the order specified, and to refuse to execute an action list entirely if it can‐ not implement the actions in that order [OpenFlow 1.0, section 3.3], with one exception: when an action list outputs multiple packets, the switch may output the packets in an order different from that speci‐ fied. Usually, this exception is not important, especially in the com‐ mon case when the packets are output to different ports. Action Sets OpenFlow 1.1 introduced the concept of an action set. An action set is also a sequence of actions, but the switch reorders the actions and drops duplicates according to rules specified in the OpenFlow specifi‐ cations. Because of these semantics, some standard OpenFlow actions cannot usefully be included in an action set. For some, but not all, Open vSwitch extension actions, Open vSwitch defines its own action set semantics and ordering. The OpenFlow pipeline has an action set associated with it as a packet is processed. After pipeline processing is otherwise complete, the switch executes the actions in the action set. Open vSwitch applies actions in an action set in the following order: Except as noted otherwise below, the action set only executes at most a single action of each type, and when more than one action of a given type is present, the one added to the set later replaces the earlier action: 1. strip_vlan 2. pop_mpls 3. decap 4. encap 5. push_mpls 6. push_vlan 7. dec_ttl 8. dec_mpls_ttl 9. dec_nsh_ttl 10. All of the following actions are executed in the order added to the action set, with cumulative effect. That is, when multiple actions modify the same part of a field, the later modification takes effect, and when they modify different parts of a field (or different fields), then both modifications are applied: • load • move • mod_dl_dst • mod_dl_src • mod_nw_dst • mod_nw_src • mod_nw_tos • mod_nw_ecn • mod_nw_ttl • mod_tp_dst • mod_tp_src • mod_vlan_pcp • mod_vlan_vid • set_field • set_tunnel • set_tunnel64 11. set_queue 12. group, output, resubmit, ct_clear, or ct. If more than one of these actions is present, then the one listed earliest above is executed and the others are ignored, regardless of the order in which they were added to the action set. (If none of these ac‐ tions is present, the action set has no real effect, because the modified packet is not sent anywhere and thus the modifications are not visible.) An action set may only contain the actions listed above. Error Handling Packet processing can encounter a variety of errors: Bridge not found Open vSwitch supports an extension to the standard OpenFlow con‐ troller action called a continuation, which allows the con‐ troller to interrupt and later resume the processing of a packet through the switch pipeline. This error occurs when such a packet’s processing cannot be resumed, e.g. because the bridge processing it has been destroyed. Open vSwitch reports this er‐ ror to the controller as Open vSwitch extension error NXR_STALE. This error prevents packet processing entirely. Recursion too deep While processing a given packet, Open vSwitch limits the flow table recursion depth to 64, to ensure that packet processing uses a finite amount of time and space. Actions that count against the recursion limit include resubmit from a given Open‐ Flow table to the same or an earlier table, group, and output to patch ports. A resubmit from one table to a later one (or, equivalently, a goto_table instruction) does not count against the depth limit because resubmits to strictly monotonically increasing tables will eventually terminate. OpenFlow tables are most commonly traversed in numerically increasing order, so this limit has little effect on conventionally designed OpenFlow pipelines. This error terminates packet processing. Any previous side ef‐ fects (e.g. output actions) are retained. Usually this error indicates a loop or other bug in the OpenFlow flow tables. To assist debugging, when this error occurs, Open vSwitch 2.10 and later logs a trace of the packet execution, as if by ovs-appctl ofproto/trace, rate-limited to one per minute to reduce the log volume. Too many resubmits Open vSwitch limits the total number of resubmit actions that a given packet can execute to 4,096. For this purpose, goto_table instructions and output to the table port are treated like re‐ submit. This limits the amount of time to process a single packet. Unlike the limit on recursion depth, the limit on resubmits counts all resubmits, regardless of direction. This error has the same effect, including logging, as exceeding the recursion depth limit. Stack too deep Open vSwitch limits the amount of data that the push action can put onto the stack at one time to 64 kB of data. This error terminates packet processing. Any previous side ef‐ fects (e.g. output actions) are retained. No recirculation context / Recirculation conflict These errors indicate internal errors inside Open vSwitch and should generally not occur. If you notice recurring log mes‐ sages about these errors, please report a bug. Too many MPLS labels Open vSwitch can process packets with any number of MPLS labels, but its ability to push and pop MPLS labels is limited, cur‐ rently to 3 labels. Attempting to push more than the supported number of labels onto a packet, or to pop any number of labels from a packet with more than the supported number, raises this error. This error terminates packet processing, retaining any previous side effects (e.g. output actions). When this error arises within the execution of a group bucket, it only terminates that bucket’s execution, not packet processing overall. Invalid tunnel metadata Open vSwitch raises this error when it processes a Geneve packet that has TLV options with an invalid form, e.g. where the length in a TLV would extend past the end of the options. This error prevents packet processing entirely. Unsupported packet type When a encap action encapsulates a packet, Open vSwitch raises this error if it does not support the combination of the new en‐ capsulation with the current packet. encap(ethernet) raises this error if the current packet is not an L3 packet, and en‐ cap(nsh) raises this error if the current packet is not Ether‐ net, IPv4, IPv6, or NSH. The decap action is supported only for packet types ethernet, NSH and MPLS. Openvswitch raises this error for other packet types. When a decap action decapsulates a packet, Open vSwitch raises this error if it does not support the type of inner packet. decap of an Ethernet header raises this error if a VLAN header is present, decap of a NSH packet raises this error if the NSH inner packet is not Ethernet, IPv4, IPv6, or NSH. This error terminates packet processing, retaining any previous side effects (e.g. output actions). When this error arises within the execution of a group bucket, it only terminates that bucket’s execution, not packet processing overall. Inconsistencies OpenFlow 1.0 allows any action to be part of any flow, regardless of the flow’s match. Some combinations do not make sense, e.g. an set_nw_tos action in a flow that matches only ARP packets or strip_vlan in a flow that matches packets without VLAN tags. Other combinations have varying results depending on the kind of packet that the flow processes, e.g. a set_nw_src action in a flow that does not match on Ethertype will be treated as a no-op when it processes a non-IPv4 packet. Nevertheless OVS allows all of the above in conformance with OpenFlow 1.0, that is, the following will succeed: $ ovs-ofctl -O OpenFlow10 add-flow br0 arp,actions=mod_nw_tos:12 $ ovs-ofctl -O OpenFlow10 add-flow br0 dl_vlan=0xffff,actions=strip_vlan $ ovs-ofctl -O OpenFlow10 add-flow br0 actions=mod_nw_src:1.2.3.4 Open vSwitch calls these kinds of combinations inconsistencies between match and actions. OpenFlow 1.1 and later forbid inconsistencies, and disallow the examples described above by preventing such flows from be‐ ing added. All of the above, for example, will fail with an error mes‐ sage if one replaces OpenFlow10 by OpenFlow11. OpenFlow 1.1 and later cannot detect and disallow all inconsistencies. For example, the write_actions instruction arbitrarily delays execution of the actions inside it, which can even be canceled with clear_ac‐ tions, so that there is no way to ensure that its actions are consis‐ tent with the packet at the time they execute. Thus, actions with write_actions and some other contexts are exempt from consistency re‐ quirements. When OVS executes an action inconsistent with the packet, it treats it as a no-op. Inter-Version Compatibility Open vSwitch supports multiple OpenFlow versions simultaneously on a single switch. When actions are added with one OpenFlow version and then retrieved with another, Open vSwitch does its best to translate between them. Inter-version compatibility issues can still arise when different con‐ nections use different OpenFlow versions. Backward compatibility is the most obvious case. Suppose, for example, that an OpenFlow 1.1 ses‐ sion adds a flow with a push_vlan action, for which there is no equiva‐ lent in OpenFlow 1.0. If an OpenFlow 1.0 session retrieves this flow, Open vSwitch must somehow represent the action. Forward compatibility can also be an issue, because later OpenFlow ver‐ sions sometimes remove functionality. The best example is the enqueue action from OpenFlow 1.0, which OpenFlow 1.1 removed. In practice, Open vSwitch uses a variety of strategies for inter-ver‐ sion compatibility: • Most standard OpenFlow actions, such as output actions, translate without compatibility issues. • Open vSwitch supports its extension actions in every OpenFlow ver‐ sion, so they do not pose inter-version compatibility problems. • Open vSwitch sometimes adds extension actions to ensure backward or forward compatibility. For example, for backward compatibility with the group action added in OpenFlow 1.1, Open vSwitch includes an OpenFlow 1.0 extension group action. Perfect inter-version compatibility is not possible, so best results require OpenFlow connections to use a consistent version. One may en‐ force use of a particular version by setting the protocols column for a bridge, e.g. to force br0 to use only OpenFlow 1.3: ovs-vsctl set bridge br0 protocols=OpenFlow13 Field Specifications Many Open vSwitch actions refer to fields. In such cases, fields may usually be referred to by their common names, such as eth_dst for the Ethernet destination field, or by their full OXM or NXM names, such as NXM_OF_ETH_DST or OXM_OF_ETH_DST. Before Open vSwitch 2.7, only OXM or NXM field names were accepted. Many actions that act on fields can also act on subfields, that is, parts of fields, written as field[start..end], where start is the first bit and end is the last bit to use in field, e.g. vlan_tci[13..15] for the VLAN PCP. A single-bit subfield may also be written as field[off‐ set], e.g. vlan_tci[13] for the least-significant bit of the VLAN PCP. Empty brackets may be used to explicitly designate an entire field, e.g. vlan_tci[] for the entire 16-bit VLAN TCI header. Before Open vSwitch 2.7, brackets were required in field specifications. See ovs-fields(7) for a list of fields and their names. Port Specifications Many Open vSwitch actions refer to OpenFlow ports. In such cases, the port may be specified as a numeric port number in the range 0 to 65,535, although Open vSwitch only assigns port numbers in the range 1 through 62,279 to ports. OpenFlow 1.1 and later use 32-bit port num‐ bers, but Open vSwitch never assigns a port number that requires more than 16 bits. In most contexts, the name of a port may also be used. (The most obvi‐ ous context where a port name may not be used is in an ovs-ofctl com‐ mand along with the --no-names option.) When a port’s name contains punctuation or could be ambiguous with other actions, the name may be enclosed in double quotes, with JSON-like string escapes supported (see [RFC 8259]). Open vSwitch also supports the following standard OpenFlow port names (even in contexts where port names are not otherwise supported). The corresponding OpenFlow 1.0 and 1.1+ port numbers are listed alongside them but should not be used in flow syntax: • in_port (65528 or 0xfff8; 0xfffffff8) • table (65529 or 0xfff9; 0xfffffff9) • normal (65530 or 0xfffa; 0xfffffffa) • flood (65531 or 0xfffb; 0xfffffffb) • all (65532 or 0xfffc; 0xfffffffc) • controller (65533 or 0xfffd; 0xfffffffd) • local (65534 or 0xfffe; 0xfffffffe) • any or none (65535 or 0xffff; 0xffffffff) • unset (not in OpenFlow 1.0; 0xfffffff7) OUTPUT ACTIONS These actions send a packet to a physical port or a controller. A packet that never encounters an output action on its trip through the Open vSwitch pipeline is effectively dropped. Because actions are exe‐ cuted in order, a packet modification action that is not eventually followed by an output action will not have an externally visible ef‐ fect. The output action Syntax: port output:port output:field output(port=port, max_len=nbytes) Outputs the packet to an OpenFlow port most commonly specified as port. Alternatively, the output port may be read from field, a field or sub‐ field in the syntax described under Field Specifications above. Either way, if the port is the packet’s input port, the packet is not output. The port may be one of the following standard OpenFlow ports: local Outputs the packet on the local port that corresponds to the network device that has the same name as the bridge, unless the packet was received on the local port. OpenFlow switch implementations are not required to have a local port, but Open vSwitch bridges always do. in_port Outputs the packet on the port on which it was received. This is the only standard way to output the packet to the in‐ put port (but see Output to the Input port, below). The port may also be one of the following additional OpenFlow ports, unless max_len is specified: normal Subjects the packet to the device’s normal L2/L3 processing. This action is not implemented by all OpenFlow switches, and each switch implements it differently. The section The OVS Normal Pipeline below documents the OVS implementation. flood Outputs the packet on all switch physical ports, except the port on which it was received and any ports on which flooding is disabled. Flooding can be disabled automatically on a port by Open vSwitch when IEEE 802.1D spanning tree (STP) or rapid spanning tree (RSTP) is enabled, or by a controller us‐ ing an OpenFlow OFPT_MOD_PORT request to set the port’s OF‐ PPC_NO_FLOOD flag (ovs-ofctl mod-port provides a command-line interface to set this flag). all Outputs the packet on all switch physical ports except the port on which it was received. controller Sends the packet and its metadata to an OpenFlow controller or controllers encapsulated in an OpenFlow packet-in message. The separate controller action, described below, provides more options for output to a controller. Open vSwitch rejects output to other standard OpenFlow ports, including none, unset, and port numbers reserved for future use as standard ports, with the error OFPBAC_BAD_OUT_PORT. With max_len, the packet is truncated to at most nbytes bytes before being output. In this case, the output port may not be a patch port. Truncation is just for the single output action, so that later actions in the OpenFlow pipeline work with the complete packet. The truncation feature is meant for use in monitoring applications, e.g. for mirroring packets to a collector. When an output action specifies the number of a port that does not cur‐ rently exist (and is not in the range for standard ports), the OpenFlow specification allows but does not require OVS to reject the action. All versions of Open vSwitch treat such an action as a no-op. If a port with the number is created later, then the action will be honored at that point. (OpenFlow requires OVS to reject output to a port num‐ ber that will never be valid, with OFPBAC_BAD_OUT_PORT, but this situa‐ tion does not arise when OVS is a software switch, since the user can add or renumber ports at any time.) A controller can suppress output to a port by setting its OFPPC_NO_FOR‐ WARD flag using an OpenFlow OFPT_MOD_PORT request (ovs-ofctl mod-port provides a command-line interface to set this flag). When output is disabled, output actions (and other actions that output to the port) are allowed but have no effect. Open vSwitch allows output to a port that does not exist, although OpenFlow allows switches to reject such actions. Conformance All versions of OpenFlow and Open vSwitch support output to a literal port. Output to a register is an OpenFlow extension in‐ troduced in Open vSwitch 1.3. Output with truncation is an OpenFlow extension introduced in Open vSwitch 2.6. Output to the Input Port OpenFlow requires a switch to ignore attempts to send a packet out its ingress port in the most straightforward way. For example, output:234 has no effect if the packet has ingress port 234. The rationale is that dropping these packets makes it harder to loop the network. Some‐ times this behavior can even be convenient, e.g. it is often the de‐ sired behavior in a flow that forwards a packet to several ports (floods the packet). Sometimes one really needs to send a packet out its ingress port (hair‐ pin). In this case, use in_port to explicitly output the packet to its input port, e.g.: $ ovs-ofctl add-flow br0 in_port=2,actions=in_port This also works in some circumstances where the flow doesn’t match on the input port. For example, if you know that your switch has five ports numbered 2 through 6, then the following will send every received packet out every port, even its ingress port: $ ovs-ofctl add-flow br0 actions=2,3,4,5,6,in_port or, equivalently: $ ovs-ofctl add-flow br0 actions=all,in_port Sometimes, in complicated flow tables with multiple levels of resubmit actions, a flow needs to output to a particular port that may or may not be the ingress port. It’s difficult to take advantage of output to in_port in this situation. To help, Open vSwitch provides, as an Open‐ Flow extension, the ability to modify the in_port field. Whatever value is currently in the in_port field is both the port to which out‐ put will be dropped and the destination for in_port. This means that the following adds flows that reliably output to port 2 or to ports 2 through 6, respectively: $ ovs-ofctl add-flow br0 "in_port=2,actions=load:0->in_port,2" $ ovs-ofctl add-flow br0 "actions=load:0->in_port,2,3,4,5,6" If in_port is important for matching or other reasons, one may save and restore it on the stack: $ ovs-ofctl add-flow br0 \ actions="push:in_port,load:0->in_port,2,3,4,5,6,pop:in_port" The OVS Normal Pipeline This section documents how Open vSwitch implements output to the normal port. The OpenFlow specification places no requirements on how this port works, so all of this documentation is specific to Open vSwitch. Open vSwitch uses the Open_vSwitch database, detailed in ovs-vswitchd.conf.db(5), to determine the details of the normal pipeline. The normal pipeline executes the following ingress stages for each packet. Each stage either accepts the packet, in which case the packet goes on to the next stage, or drops the packet, which terminates the pipeline. The result of the ingress stages is a set of output ports, which is the empty set if some ingress stage drops the packet: 1. Input port lookup: Looks up the OpenFlow in_port field’s value to the corresponding Port and Interface record in the database. The in_port is normally the OpenFlow port that the packet was re‐ ceived on. If set_field or another actions changes the in_port, the updated value is honored. Accept the packet if the lookup suc‐ ceeds, which it normally will. If the lookup fails, for example because in_port was changed to an unknown value, drop the packet. 2. Drop malformed packet: If the packet is malformed enough that it contains only part of an 802.1Q header, then drop the packet with an error. 3. Drop packets sent to a port reserved for mirroring: If the packet was received on a port that is configured as the output port for a mirror (that is, it is the output_port in some Mirror record), then drop the packet. 4. VLAN input processing: This stage determines what VLAN the packet is in. It also verifies that this VLAN is valid for the port; if not, drop the packet. How the VLAN is determined and which ones are valid vary based on the vlan-mode in the input port’s Port record: trunk The packet is in the VLAN specified in its 802.1Q header, or in VLAN 0 if there is no 802.1Q header. The trunks column in the Port record lists the valid VLANs; if it is empty, all VLANs are valid. access The packet is in the VLAN specified in the tag column of its Port record. The packet must not have an 802.1Q header with a nonzero VLAN ID; if it does, drop the packet. native-tagged / native-untagged Same as trunk except that the VLAN of a packet without an 802.1Q header is not necessarily zero; instead, it is taken from the tag column. dot1q-tunnel The packet is in the VLAN specified in the tag column of its Port record, which is a QinQ service VLAN with the Ethertype specified by the Port’s other_con‐ fig:qinq-ethtype. If the packet has an 802.1Q header, then it specifies the customer VLAN. The cvlans column specifies the valid customer VLANs; if it is empty, all customer VLANs are valid. 5. Drop reserved multicast addresses: If the packet is addressed to a reserved Ethernet multicast address and the Bridge record does not have other_config:forward-bpdu set to true, drop the packet. 6. LACP bond admissibility: This step applies only if the input port is a member of a bond (a Port with more than one Interface) and that bond is configured to use LACP. Otherwise, skip to the next step. The behavior here depends on the state of LACP negotiation: • If LACP has been negotiated with the peer, accept the packet if the bond member is enabled (i.e. carrier is up and it hasn’t been administratively disabled). Otherwise, drop the packet. • If LACP negotiation is incomplete, then drop the packet. There is one exception: if fallback to active-backup mode is enabled, continue with the next step, pretending that the ac‐ tive-backup balancing mode is in use. 7. Non-LACP bond admissibility: This step applies if the input port is a member of a bond without LACP configured, or if a LACP bond falls back to active-backup as described in the previous step. If nei‐ ther of these applies, skip to the next step. If the packet is an Ethernet multicast or broadcast, and not re‐ ceived on the bond’s active member, drop the packet. The remaining behavior depends on the bond’s balancing mode: L4 (aka TCP balancing) Drop the packet (this balancing mode is only supported with LACP). Active-backup Accept the packet only if it was received on the active member. SLB (Source Load Balancing) Drop the packet if the bridge has not learned the packet’s source address (in its VLAN) on the port that received it. Otherwise, accept the packet unless it is a gratuitous ARP. Otherwise, accept the packet if the MAC entry we found is ARP-locked. Otherwise, drop the packet. (See the SLB Bonding section in the OVS bonding document for more information and a rationale.) 8. Learn source MAC: If the source Ethernet address is not a multicast address, then insert a mapping from packet’s source Ethernet ad‐ dress and VLAN to the input port in the bridge’s MAC learning ta‐ ble. (This is skipped if the packet’s VLAN is listed in the switch’s Bridge record in the flood_vlans column, since there is no use for MAC learning when all packets are flooded.) When learning happens on a non-bond port, if the packet is a gratu‐ itous ARP, the entry is marked as ARP-locked. The lock expires af‐ ter 5 seconds. (See the SLB Bonding section in the OVS bonding document for more information and a rationale.) 9. IP multicast path: If multicast snooping is enabled on the bridge, and the packet is an Ethernet multicast but not an Ethernet broad‐ cast, and the packet is an IP packet, then the packet takes a spe‐ cial processing path. This path is not yet documented here. 10. Output port set: Search the MAC learning table for the port corre‐ sponding to the packet’s Ethernet destination and VLAN. If the search finds an entry, the output port set is just the learned port. Otherwise (including the case where the packet is an Ether‐ net multicast or in flood_vlans), the output port set is all of the ports in the bridge that belong to the packet’s VLAN, except for any ports that were disabled for flooding via OpenFlow or that are configured in a Mirror record as a mirror destination port. The following egress stages execute once for each element in the set of output ports. They execute (conceptually) in parallel, so that a deci‐ sion or action taken for a given output port has no effect on those for another one: 1. Drop loopback: If the output port is the same as the input port, drop the packet. 2. VLAN output processing: This stage adjusts the packet to represent the VLAN in the correct way for the output port. Its behavior varies based on the vlan-mode in the output port’s Port record: trunk / native-tagged / native-untagged If the packet is in VLAN 0 (for native-untagged, if the packet is in the native VLAN) drops any 802.1Q header. Otherwise, ensures that there is an 802.1Q header desig‐ nating the VLAN. access Remove any 802.1Q header that was present. dot1q-tunnel Ensures that the packet has an outer 802.1Q header with the QinQ Ethertype and the specified configured tag, and an inner 802.1Q header with the packet’s VLAN. 3. VLAN priority tag processing: If VLAN output processing discarded the 802.1Q headers, but priority tags are enabled with other_con‐ fig:priority-tags in the output port’s Port record, then a prior‐ ity-only tag is added (perhaps only if the priority would be nonzero, depending on the configuration). 4. Bond member choice: If the output port is a bond, the code chooses a particular member. This step is skipped for non-bonded ports. If the bond is configured to use LACP, but LACP negotiation is in‐ complete, then normally the packet is dropped. The exception is that if fallback to active-backup mode is enabled, the egress pipeline continues choosing a bond member as if active-backup mode was in use. For active-backup mode, the output member is the active member. Other modes hash appropriate header fields and use the hash value to choose one of the enabled members. 5. Output: The pipeline sends the packet to the output port. The controller action Syntax: controller controller:max_len controller(key[=value], ...) Sends the packet and its metadata to an OpenFlow controller or con‐ trollers encapsulated in an OpenFlow packet-in message. The supported options are: max_len=max_len Limit to max_len the number of bytes of the packet to send in the packet-in. A max_len of 0 prevents any of the packet from being sent (thus, only metadata is included). By de‐ fault, the entire packet is sent, equivalent to a max_len of 65535. This option has no effect in Open vSwith 2.7 and later: the entire packet will always be sent. reason=reason Specify reason as the reason for sending the message in the packet-in. The supported reasons are no_match, action, in‐ valid_ttl, action_set, group, and packet_out. The default reason is action. id=controller_id Specify controller_id, a 16-bit integer, as the connection ID of the OpenFlow controller or controllers to which the packet-in message should be sent. The default is zero. Zero is also the default connection ID for each controller connec‐ tion, and a given controller connection will only have a nonzero connection ID if its controller uses the NXT_SET_CON‐ TROLLER_ID Open vSwitch extension to OpenFlow. userdata=hh... Supplies the bytes represented as hex digits hh as additional data to the controller in the packet-in message. Pairs of hex digits may be separated by periods for readability. pause Causes the switch to freeze the packet’s trip through Open vSwitch flow tables and serializes that state into the packet-in message as a continuation, an additional property in the NXT_PACKET_IN2 message. The controller can later send the continuation back to the switch in an NXT_RESUME message, which will restart the packet’s traversal from the point where it was interrupted. This permits an OpenFlow con‐ troller to interpose on a packet midway through processing in Open vSwitch. Conformance All versions of OpenFlow and Open vSwitch support controller ac‐ tion and its max_len option. The userdata and pause options re‐ quire the Open vSwitch NXAST_CONTROLLER2 extension action added in Open vSwitch 2.6. In the absence of these options, the reason (other than reason=action) and controller_id (option than con‐ troller_id=0) options require the Open vSwitch NXAST_CONTROLLER extension action added in Open vSwitch 1.6. Open vSwitch 2.7 and later is configured to not buffer packets for the packet-in event. As a result, the full packet is always sent to controllers. This means that the max_len option has no effect on the controller action, and all values (even 0) are equivalent to the default value of 65535. The enqueue action Syntax: enqueue(port,queue) enqueue:port:queue Enqueues the packet on the specified queue within port port. port must be an OpenFlow port number or name as described under Port Specifications above. port may be in_port or local but the other stan‐ dard OpenFlow ports are not allowed. queue must be a number between 0 and 4294967294 (0xfffffffe), inclu‐ sive. The number of actually supported queues depends on the switch. Some OpenFlow implementations do not support queuing at all. In Open vSwitch, the supported queues vary depending on the operating system, datapath, and hardware in use. Use the QoS and Queue tables in the Open vSwitch database to configure queuing on individual OpenFlow ports (see ovs-vswitchd.conf.db(5) for more information). Conformance Only OpenFlow 1.0 supports enqueue. OpenFlow 1.1 added the set_queue action to use in its place along with output. Open vSwitch translates enqueue to a sequence of three actions in OpenFlow 1.1 or later: set_queue:queue,output:port,pop_queue. This is equivalent in behavior as long as the flow table does not otherwise use set_queue, but it relies on the pop_queue Open vSwitch extension action. The bundle and bundle_load actions Syntax: bundle(fields,basis,algorithm,ofport,members:port...) bundle_load(fields,basis,algorithm,ofport,dst,members:port...) These actions choose a port (a member) from a comma-separated OpenFlow port list. After selecting the port, bundle outputs to it, whereas bundle_load writes its port number to dst, which must be a 16-bit or wider field or subfield in the syntax described under Field Specifica‐ tions above. These actions hash a set of fields using basis as a universal hash pa‐ rameter, then apply the bundle link selection algorithm to choose a port. fields must be one of the following. For the options with symmetric in the name, reversing source and destination addresses yields the same hash: eth_src Ethernet source address. nw_src IPv4 or IPv6 source address. nw_dst IPv4 or IPv6 destination address. symmetric_l4 Ethernet source and destination, Ethernet type, VLAN ID or IDs (if any), IPv4 or IPv6 source and destination, IP proto‐ col, TCP or SCTP (but not UDP) source and destination. symmetric_l3l4 IPv4 or IPv6 source and destination, IP protocol, TCP or SCTP (but not UDP) source and destination. symmetric_l3l4+udp Like symmetric_l3l4 but include UDP ports. algorithm must be one of the following: active_backup Chooses the first live port listed in members. hrw (Highest Random Weight) Computes the following, considering only the live ports in members: for i in [1, n_members]: weights[i] = hash(flow, i) member = { i such that weights[i] >= weights[j] for all j != i } This algorithm is specified by RFC 2992. The algorithms take port liveness into account when selecting members. The definition of whether a port is live is subject to change. It cur‐ rently takes into account carrier status and link monitoring protocols such as BFD and CFM. If none of the members is live, bundle does not output the packet and bundle_load stores OFPP_NONE (65535) in the out‐ put field. Example: bundle(eth_src,0,hrw,ofport,members:4,8) uses an Ethernet source hash with basis 0, to select between OpenFlow ports 4 and 8 us‐ ing the Highest Random Weight algorithm. Conformance Open vSwitch 1.2 introduced the bundle and bundle_load OpenFlow extension actions. The group action Syntax: group:group Outputs the packet to the OpenFlow group group, which must be a number in the range 0 to 4294967040 (0xffffff00). The group must exist or Open vSwitch will refuse to add the flow. When a group is deleted, Open vSwitch also deletes all of the flows that output to it. Groups contain action sets, whose semantics are described above in the section Action Sets. The semantics of action sets can be surprising to users who expect action list semantics, since action sets reorder and sometimes ignore actions. A group action usually executes the action set or sets in one or more group buckets. Open vSwitch saves the packet and metadata before it executes each bucket, and then restores it afterward. Thus, when a group executes more than one bucket, this means that each bucket exe‐ cutes on the same packet and metadata. Moreover, regardless of the number of buckets executed, the packet and metadata are the same before and after executing the group. Sometimes saving and restoring the packet and metadata can be undesir‐ able. In these situations, workarounds are possible. For example, consider a pipeline design in which a select group bucket is to commu‐ nicate to a later stage of processing a value based on which bucket was selected. An obvious design would be for the bucket to communicate the value via set_field on a register. This does not work because regis‐ ters are part of the metadata that group saves and restores. The fol‐ lowing alternative bucket designs do work: • Recursively invoke the rest of the pipeline with resubmit. • Use resubmit into a table that uses push to put the value on the stack for the caller to pop off. This works because group pre‐ serves only packet data and metadata, not the stack. (This design requires indirection through resubmit because actions sets may not contain push or pop actions.) An exit action within a group bucket terminates only execution of that bucket, not other buckets or the overall pipeline. Conformance OpenFlow 1.1 introduced group. Open vSwitch 2.6 and later also supports group as an extension to OpenFlow 1.0. ENCAPSULATION AND DECAPSULATION ACTIONS The strip_vlan and pop actions Syntax: strip_vlan pop_vlan Removes the outermost VLAN tag, if any, from the packet. The two names for this action are synonyms with no semantic difference. The OpenFlow 1.0 specification uses the name strip_vlan and later ver‐ sions use pop_vlan, but OVS accepts either name regardless of version. In OpenFlow 1.1 and later, consistency rules allow strip_vlan only in a flow that matches only packets with a VLAN tag (or following an action that pushes a VLAN tag, such as push_vlan). See Inconsistencies, above, for more information. Conformance All versions of OpenFlow and Open vSwitch support this action. The push_vlan action Syntax: push_vlan:ethertype Pushes a new outermost VLAN onto the packet. Uses TPID ethertype, which must be 0x8100 for an 802.1Q C-tag or 0x88a8 for a 802.1ad S-tag. Conformance OpenFlow 1.1 and later supports this action. Open vSwitch 2.8 added support for multiple VLAN tags (with a limit of 2) and 802.1ad S-tags. The push_mpls action Syntax: push_mpls:ethertype Pushes a new outermost MPLS label stack entry (LSE) onto the packet and changes the packet’s Ethertype to ethertype, which must be either B0x8847 or 0x8848. If the packet did not already contain any MPLS la‐ bels, initializes the new LSE as: Label 2, if the packet contains IPv6, 0 otherwise. TC The low 3 bits of the packet’s DSCP value, or 0 if the packet is not IP. TTL Copied from the IP TTL, or 64 if the packet is not IP. If the packet did already contain an MPLS label, initializes the new outermost label as a copy of the existing outermost label. OVS currently supports at most 3 MPLS labels. This action applies only to Ethernet packets. Conformance Open vSwitch 1.11 introduced support for MPLS. OpenFlow 1.1 and later support push_mpls. Open vSwitch implements push_mpls as an extension to OpenFlow 1.0. The pop_mpls action Syntax: pop_mpls:ethertype Strips the outermost MPLS label stack entry and changes the packet’s Ethertype to ethertype. This action applies only to Ethernet packets with at least one MPLS label. If there is more than one MPLS label, then ethertype should be an MPLS Ethertype (B0x8847 or 0x8848). Conformance Open vSwitch 1.11 introduced support for MPLS. OpenFlow 1.1 and later support pop_mpls. Open vSwitch implements pop_mpls as an extension to OpenFlow 1.0. The encap action Syntax: encap(nsh([md_type=md_type], [tlv(class,type,value)]...)) encap(ethernet) encap(mpls) encap(mpls_mc) The encap action encapsulates a packet with a specified header. It has variants for different kinds of encapsulation. The encap(nsh(...)) variant encapsulates an Ethernet frame with NSH. The md_type may be 1 or 2 for metadata type 1 or 2, defaulting to 1. For metadata type 2, TLVs may be specified with class as a 16-bit hexa‐ decimal integer beginning with 0x, type as an 8-bit decimal integer, and value a sequence of pairs of hex digits beginning with 0x. For ex‐ ample: encap(nsh(md_type=1)) Encapsulates the packet with an NSH header with metadata type 1. encap(nsh(md_type=2,tlv(0x1000,10,0x12345678))) Encapsulates the packet with an NSH header, NSH metadata type 2, and an NSH TLV with class 0x1000, type 10, and the 4-byte value 0x12345678. The encap(ethernet) variant encapsulate a bare L3 packet in an Ethernet frame. The Ethernet type is initialized to the L3 packet’s type, e.g. 0x0800 if the L3 packet is IPv4. The Ethernet source and destination are initially zeroed. The encap(mpls) variant adds a MPLS header at the start of the packet. When encap(ethernet) is applied after this action, the ethertype of ethernet header will be populated with MPLS unicast ethertype (0x8847). The encap(mpls_mc) variant adds a MPLS header at the start of the packet. When encap(ethernet) is applied after this action, the ether‐ type of ethernet header will be populated with MPLS multicast ethertype (0x8848). Conformance This action is an Open vSwitch extension to OpenFlow 1.3 and later, introduced in Open vSwitch 2.8. The MPLS support for this action is added in Open vSwitch 2.17. The decap action Syntax: decap decap(packet_type(ns=namespace,type=type)) Removes an outermost encapsulation from the packet: • If the packet is an Ethernet packet, removes the Ethernet header, which changes the packet into a bare L3 packet. If the packet has VLAN tags, raises an unsupported packet type error (see Error Han‐ dling, above). • Otherwise, if the packet is an NSH packet, removes the NSH header, revealing the inner packet. Open vSwitch supports Ethernet, IPv4, IPv6, and NSH inner packet types. Other types raise unsupported packet type errors. • Otherwise, if the packet is encapsulated inside a MPLS header, re‐ moves the MPLS header and classifies the inner packet as mentioned in the packet type argument of the decap. The packet_type field specifies the type of the packet in the format specified in Open‐ Flow 1.5 chapter 7.2.3.11 Packet Type Match Field. The inner packet will be incorrectly classified, if the inner packet is dif‐ ferent from mentioned in the packet_type field. • Otherwise, raises an unsupported packet type error. Conformance This action is an Open vSwitch extension to OpenFlow 1.3 and later, introduced in Open vSwitch 2.8. The MPLS support for this action is added in Open vSwitch 2.17. FIELD MODIFICATION ACTIONS These actions modify packet data and metadata fields. The set_field and load actions Syntax: set_field:value[/mask]->dst load:value->dst These actions loads a literal value into a field or part of a field. The set_field action takes value in the customary syntax for field dst, e.g. 00:11:22:33:44:55 for an Ethernet address, and dst as the field’s name. The optional mask allows part of a field to be set. The load action takes value as an integer value (in decimal or prefixed by 0x for hexadecimal) and dst as a field or subfield in the syntax de‐ scribed under Field Specifications above. The following all set the Ethernet source address to 00:11:22:33:44:55: • set_field:00:11:22:33:44:55->eth_src • load:0x001122334455->eth_src • load:0x001122334455->OXM_OF_ETH_SRC[] The following all set the multicast bit in the Ethernet destination ad‐ dress: • set_field:01:00:00:00:00:00/01:00:00:00:00:00->eth_dst • load:1->eth_dst[40] Open vSwitch prohibits a set_field or load action whose dst is not guaranteed to be part of the packet; for example, set_field of nw_dst is only allowed in a flow that matches on Ethernet type 0x800. In some cases, such as in an action set, Open vSwitch can’t statically check that dst is part of the packet, and in that case if it is not then Open vSwitch treats the action as a no-op. Conformance Open vSwitch 1.1 introduced NXAST_REG_LOAD as a extension to OpenFlow 1.0 and used load to express it. Later, OpenFlow 1.2 introduced a standard OFPAT_SET_FIELD action that was restricted to loading entire fields, so Open vSwitch added the form set_field with this restriction. OpenFlow 1.5 extended OF‐ PAT_SET_FIELD to the point that it became a superset of NX‐ AST_REG_LOAD. Open vSwitch translates either syntax as neces‐ sary for the OpenFlow version in use: in OpenFlow 1.0 and 1.1, NXAST_REG_LOAD; in OpenFlow 1.2, 1.3, and 1.4, NXAST_REG_LOAD for load or for loading a subfield, OFPAT_SET_FIELD otherwise; and OpenFlow 1.5 and later, OFPAT_SET_FIELD. The move action Syntax: move:src->dst Copies the named bits from field or subfield src to field or subfield dst. src and dst should fields or subfields in the syntax described under Field Specifications above. The two fields or subfields must have the same width. Examples: • move:reg0[0..5]->reg1[26..31] copies the six bits numbered 0 through 5 in register 0 into bits 26 through 31 of register 1. • move:reg0[0..15]->vlan_tci copies the least significant 16 bits of register 0 into the VLAN TCI field. Conformance In OpenFlow 1.0 through 1.4, move ordinarily uses an Open vSwitch extension to OpenFlow. In OpenFlow 1.5, move uses the OpenFlow 1.5 standard OFPAT_COPY_FIELD action. The ONF has also made OFPAT_COPY_FIELD available as an extension to OpenFlow 1.3. Open vSwitch 2.4 and later understands this extension and uses it if a controller uses it, but for backward compatibility with older versions of Open vSwitch, ovs-ofctl does not use it. The mod_dl_src and mod_dl_dst actions Syntax: mod_dl_src:mac mod_dl_dst:mac Sets the Ethernet source or destination address, respectively, to mac, which should be expressed in the form xx:xx:xx:xx:xx:xx. For L3-only packets, that is, those that lack an Ethernet header, this action has no effect. Conformance OpenFlow 1.0 and 1.1 have specialized actions for these pur‐ poses. OpenFlow 1.2 and later do not, so Open vSwitch trans‐ lates them to appropriate OFPAT_SET_FIELD actions for those ver‐ sions, The mod_nw_src and mod_nw_dst actions Syntax: mod_nw_src:ip mod_nw_dst:ip Sets the IPv4 source or destination address, respectively, to ip, which should be expressed in the form w.x.y.z. In OpenFlow 1.1 and later, consistency rules allow these actions only in a flow that matches only packets that contain an IPv4 header (or following an action that adds an IPv4 header, e.g. pop_mpls:0x0800). See Inconsistencies, above, for more information. Conformance OpenFlow 1.0 and 1.1 have specialized actions for these pur‐ poses. OpenFlow 1.2 and later do not, so Open vSwitch trans‐ lates them to appropriate OFPAT_SET_FIELD actions for those ver‐ sions, The mod_nw_tos and mod_nw_ecn actions Syntax: mod_nw_tos:tos mod_nw_ecn:ecn The mod_nw_tos action sets the DSCP bits in the IPv4 ToS/DSCP or IPv6 traffic class field to tos, which must be a multiple of 4 between 0 and 255. This action does not modify the two least significant bits of the ToS field (the ECN bits). The mod_nw_ecn action sets the ECN bits in the IPv4 ToS or IPv6 traffic class field to ecn, which must be a value between 0 and 3, inclusive. This action does not modify the six most significant bits of the field (the DSCP bits). In OpenFlow 1.1 and later, consistency rules allow these actions only in a flow that matches only packets that contain an IPv4 or IPv6 header (or following an action that adds such a header). See Inconsistencies, above, for more information. Conformance OpenFlow 1.0 has a mod_nw_tos action but not mod_nw_ecn. Open vSwitch implements the latter in OpenFlow 1.0 as an extension using NXAST_REG_LOAD. OpenFlow 1.1 has specialized actions for these purposes. OpenFlow 1.2 and later do not, so Open vSwitch translates them to appropriate OFPAT_SET_FIELD actions for those versions. The mod_tp_src and mod_tp_dst actions Syntax: mod_tp_src:port mod_tp_dst:port Sets the TCP or UDP or SCTP source or destination port, respectively, to port. Both IPv4 and IPv6 are supported. In OpenFlow 1.1 and later, consistency rules allow these actions only in a flow that matches only packets that contain a TCP or UDP or SCTP header. See Inconsistencies, above, for more information. Conformance OpenFlow 1.0 and 1.1 have specialized actions for these pur‐ poses. OpenFlow 1.2 and later do not, so Open vSwitch trans‐ lates them to appropriate OFPAT_SET_FIELD actions for those ver‐ sions, The dec_ttl action Syntax: dec_ttl dec_ttl(id1[,id2[, ...]]) Decrement TTL of IPv4 packet or hop limit of IPv6 packet. If the TTL or hop limit is initially 0 or 1, no decrement occurs, as packets reaching TTL zero must be rejected. Instead, Open vSwitch sends a packet-in message with reason code OFPR_INVALID_TTL to each connected controller that has enabled receiving such messages, and stops process‐ ing the current set of actions. (However, if the current set of ac‐ tions was reached through resubmit, the remaining actions in outer lev‐ els resume processing.) As an Open vSwitch extension to OpenFlow, this action supports the ability to specify a list of controller IDs. Open vSwitch will only send the message to controllers with the given ID or IDs. Specifying no list is equivalent to specifying a single controller ID of zero. In OpenFlow 1.1 and later, consistency rules allow these actions only in a flow that matches only packets that contain an IPv4 or IPv6 header. See Inconsistencies, above, for more information. Conformance All versions of OpenFlow and Open vSwitch support this action. The set_mpls_label, set_mpls_tc, and set_mpls_ttl actions Syntax: set_mpls_label:label set_mpls_tc:tc set_mpls_ttl:ttl The set_mpls_label action sets the label of the packet’s outer MPLS la‐ bel stack entry. label should be a 20-bit value that is decimal by de‐ fault; use a 0x prefix to specify the value in hexadecimal. The set_mpls_tc action sets the traffic class of the packet’s outer MPLS label stack entry. tc should be in the range 0 to 7, inclusive. The set_mpls_ttl action sets the TTL of the packet’s outer MPLS label stack entry. ttl should be in the range 0 to 255 inclusive. In Open‐ Flow 1.1 and later, consistency rules allow these actions only in a flow that matches only packets that contain an MPLS label (or following an action that adds an MPLS label, e.g. push_mpls:0x8847). See Inconsistencies, above, for more information. Conformance OpenFlow 1.0 does not support MPLS, but Open vSwitch implements these actions as extensions. OpenFlow 1.1 has specialized ac‐ tions for these purposes. OpenFlow 1.2 and later do not, so Open vSwitch translates them to appropriate OFPAT_SET_FIELD ac‐ tions for those versions, The dec_mpls_ttl and dec_nsh_ttl actions Syntax: dec_mpls_ttl dec_nsh_ttl These actions decrement the TTL of the packet’s outer MPLS label stack entry or its NSH header, respectively. If the TTL is initially 0 or 1, no decrement occurs. Instead, Open vSwitch sends a packet-in message with reason code BOFPR_INVALID_TTL to OpenFlow controllers with ID 0, if it has enabled receiving them. Processing the current set of ac‐ tions then stops. (However, if the current set of actions was reached through resubmit, remaining actions in outer levels resume processing.) In OpenFlow 1.1 and later, consistency rules allow this actions only in a flow that matches only packets that contain an MPLS label or an NSH header, respectively. See Inconsistencies, above, for more informa‐ tion. Conformance Open vSwitch 1.11 introduced support for MPLS. OpenFlow 1.1 and later support dec_mpls_ttl. Open vSwitch implements dec_mpls_ttl as an extension to OpenFlow 1.0. Open vSwitch 2.8 introduced support for NSH, although the NSH draft changed after release so that only Open vSwitch 2.9 and later conform to the final protocol specification. The dec_nsh_ttl action and NSH support in general is an Open vSwitch extension not supported by any version of OpenFlow. The check_pkt_larger action Syntax: check_pkt_larger(pkt_len)->dst Checks if the packet is larger than the specified length in pkt_len. If so, stores 1 in dst, which should be a 1-bit field; if not, stores 0. The packet length to check against the argument pkt_len includes the L2 header and L2 payload of the packet, but not the VLAN tag (if present). Examples: • check_pkt_larger(1500)->reg0[0] • check_pkt_larger(8000)->reg9[10] This action was added in Open vSwitch 2.12. The delete_field action Syntax: delete_field:field The delete_field action deletes a field in the syntax described under Field Specifications above. Currently, only the tun_metadata fields are supported. This action was added in Open vSwitch 2.14. METADATA ACTIONS The set_tunnel action Syntax: set_tunnel:id set_tunnel64:id Many kinds of tunnels support a tunnel ID, e.g. VXLAN and Geneve have a 24-bit VNI, and GRE has an optional 32-bit key. This action sets the value used for tunnel ID in such tunneled packets, although whether it is used for a particular tunnel depends on the tunnel’s configuration. See the tunnel ID documentation in ovs-fields(7) for more information. Conformance These actions are OpenFlow extensions. set_tunnel was intro‐ duced in Open vSwitch 1.0. set_tunnel64, which is needed if id is wider than 32 bits, was added in Open vSwitch 1.1. Both ac‐ tions always set the entire tunnel ID field. Open vSwitch sup‐ ports these actions in all versions of OpenFlow, but in OpenFlow 1.2 and later it translates them to an appropriate standardized OFPAT_SET_FIELD action. The set_queue and pop_queue actions Syntax: set_queue:queue pop_queue The set_queue action sets the queue ID to be used for subsequent output actions to queue, which must be a 32-bit integer. The range of mean‐ ingful values of queue, and their meanings, varies greatly from one OpenFlow implementation to another. Even within a single implementa‐ tion, there is no guarantee that all OpenFlow ports have the same queues configured or that all OpenFlow ports in an implementation can be configured the same way queue-wise. For more information, see the documentation for the output queue field in ovs-fields(7). The pop_queue restores the output queue to the default that was set when the packet entered the switch (generally 0). Four billion queues ought to be enough for anyone: https://mailman.stanford.edu/pipermail/openflow-spec/2009-August/000394.html Conformance OpenFlow 1.1 introduced the set_queue action. Open vSwitch also supports it as an extension in OpenFlow 1.0. The pop_queue action is an Open vSwitch extension. FIREWALLING ACTIONS Open vSwitch is often used to implement a firewall. The preferred way to implement a firewall is connection tracking, that is, to keep track of the connection state of individual TCP sessions. The ct action de‐ scribed in this section, added in Open vSwitch 2.5, implements connec‐ tion tracking. For new deployments, it is the recommended way to im‐ plement firewalling with Open vSwitch. Before ct was added, Open vSwitch did not have built-in support for connection tracking. Instead, Open vSwitch supported the learn action, which allows a received packet to add a flow to an OpenFlow flow table. This could be used to implement a primitive form of connection track‐ ing: packets passing through the firewall in one direction could create flows that allowed response packets back through the firewall in the other direction. The additional fin_timeout action allowed the learned flows to expire quickly after TCP session termination. The ct action Syntax: ct([argument]...) ct(commit[,argument]...) The action has two modes of operation, distinguished by whether commit is present. The following arguments may be present in either mode: zone=value A zone is a 16-bit id that isolates connections into separate domains, allowing overlapping network addresses in different zones. If a zone is not provided, then the default is 0. The value may be specified either as a 16-bit integer literal or a field or subfield in the syntax described under Field Spec‐ ifications above. Without commit, this action sends the packet through the connection tracker. The connection tracker keeps track of the state of TCP con‐ nections for packets passed through it. For each packet through a con‐ nection, it checks that it satisfies TCP invariants and signals the connection state to later actions using the ct_state metadata field, which is documented in ovs-fields(7). In this form, ct forks the OpenFlow pipeline: • In one fork, ct passes the packet to the connection tracker. Af‐ terward, it reinjects the packet into the OpenFlow pipeline with the connection tracking fields initialized. The ct_state field is initialized with connection state and ct_zone to the connection tracking zone specified on the zone argument. If the connection is one that is already tracked, ct_mark and ct_label to its exist‐ ing mark and label, respectively; otherwise they are zeroed. In addition, ct_nw_proto, ct_nw_src, ct_nw_dst, ct_ipv6_src, ct_ipv6_dst, ct_tp_src, and ct_tp_dst are initialized appropri‐ ately for the original direction connection. See the resubmit ac‐ tion for a way to search the flow table with the connection track‐ ing original direction fields swapped with the packet 5-tuple fields. See ovs-fields(7) for details on the connection tracking fields. • In the other fork, the original instance of the packet continues independent processing following the ct action. The ct_state field and other connection tracking metadata are cleared. Without commit, the ct action accepts the following arguments: table=table Sets the OpenFlow table where the packet is reinjected. The table must be a number between 0 and 254 inclusive, or a ta‐ ble’s name. If table is not specified, then the packet is not reinjected. nat nat(type=addrs[:ports][,flag]...) Specify address and port translation for the connection being tracked. The type must be src, for source address/port translation (SNAT), or dst, for destination address/port translation (DNAT). Setting up address translation for a new connection takes effect only if the connection is later com‐ mitted with ct(commit ...). The src and dst options take the following arguments: addrs The IP address addr or range addr1-addr2 from which the translated address should be selected. If only one address is given, then that address will always be selected, otherwise the address se‐ lection can be informed by the optional persistent flag as described below. Either IPv4 or IPv6 ad‐ dresses can be provided, but both addresses must be of the same type, and the datapath behavior is undefined in case of providing IPv4 address range for an IPv6 packet, or IPv6 address range for an IPv4 packet. IPv6 addresses must be bracketed with [ and ] if a port range is also given. ports The L4 port or range port1-port2 from which the translated port should be selected. When a port range is specified, fallback to ephemeral ports does not happen, else, it will. The port number selection can be informed by the optional random and hash flags described below. The optional flags are: random The selection of the port from the given range should be done using a fresh random number. This flag is mutually exclusive with hash. hash The selection of the port from the given range should be done using a datapath specific hash of the packet’s IP addresses and the other, non-mapped port number. This flag is mutually ex‐ clusive with random. persistent The selection of the IP address from the given range should be done so that the same mapping can be provided after the system restarts. If alg is specified for the committing ct action that also includes nat with a src or dst attribute, then the datapath tries to set up the helper to be NAT-aware. This functional‐ ity is datapath specific and may not be supported by all datapaths. A bare nat argument with no options will only translate the packet being processed in the way the connection has been set up with an earlier, committed ct action. A nat action with src or dst, when applied to a packet belonging to an estab‐ lished (rather than new) connection, will behave the same as a bare nat. For SNAT, there is a special case when the src IP address is configured as all 0’s, i.e., nat(src=0.0.0.0). In this case, when a source port collision is detected during the commit, the source port will be translated to an ephemeral port. If there is no collision, no SNAT is performed. Open vSwitch 2.6 introduced nat. Linux 4.6 was the earliest upstream kernel that implemented ct support for nat. With commit, the connection tracker commits the connection to the con‐ nection tracking module. The commit flag should only be used from the pipeline within the first fork of ct without commit. Information about the connection is stored beyond the lifetime of the packet in the pipeline. Some ct_state flags are only available for committed connec‐ tions. The following options are available only with commit: force A committed connection always has the directionality of the packet that caused the connection to be committed in the first place. This is the original direction of the connec‐ tion, and the opposite direction is the reply direction. If a connection is already committed, but it is in the wrong di‐ rection, force effectively terminates the existing connection and starts a new one in the current direction. This flag has no effect if the original direction of the connection is al‐ ready the same as that of the current packet. exec(action...) Perform each action within the context of connection track‐ ing. Only actions which modify the ct_mark or ct_label fields are accepted within exec action, and these fields may only be modified with this option. For example: set_field:value[/mask]->ct_mark Store a 32-bit metadata value with the connection. Subsequent lookups for packets in this connection will populate ct_mark when the packet is sent to the con‐ nection tracker with the table specified. set_field:value[/mask]->ct_label Store a 128-bit metadata value with the connection. Subsequent lookups for packets in this connection will populate ct_label when the packet is sent to the con‐ nection tracker with the table specified. alg=alg Specify application layer gateway alg to track specific con‐ nection types. If subsequent related connections are sent through the ct action, then the rel flag in the ct_state field will be set. Supported types include: ftp Look for negotiation of FTP data connections. Specify this option for FTP control connections to detect re‐ lated data connections and populate the rel flag for the data connections. tftp Look for negotiation of TFTP data connections. Spec‐ ify this option for TFTP control connections to detect related data connections and populate the rel flag for the data connections. Related connections inherit ct_mark from that stored with the original connection (i.e. the connection created by ct(alg=...). With the Linux datapath, global sysctl options affect ct behavior. In particular, if net.netfilter.nf_conntrack_helper is enabled, which it is by default until Linux 4.7, then application layer gateway helpers may be executed even if alg is not specified. For security reasons, the netfilter team recommends users disable this option. For further details, please see http://www.netfilter.org/news.html#2012-04-03 . The ct action may be used as a primitive to construct stateful fire‐ walls by selectively committing some traffic, then matching ct_state to allow established connections while denying new connections. The fol‐ lowing flows provide an example of how to implement a simple firewall that allows new connections from port 1 to port 2, and only allows es‐ tablished connections to send traffic from port 2 to port 1: table=0,priority=1,action=drop table=0,priority=10,arp,action=normal table=0,priority=100,ip,ct_state=-trk,action=ct(table=1) table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2 table=1,in_port=1,ip,ct_state=+trk+est,action=2 table=1,in_port=2,ip,ct_state=+trk+new,action=drop table=1,in_port=2,ip,ct_state=+trk+est,action=1 If ct is executed on IPv4 (or IPv6) fragments, then the message is im‐ plicitly reassembled before sending to the connection tracker and re‐ fragmented upon output, to the original maximum received fragment size. Reassembly occurs within the context of the zone, meaning that IP frag‐ ments in different zones are not assembled together. Pipeline process‐ ing for the initial fragments is halted. When the final fragment is received, the message is assembled and pipeline processing continues for that flow. Packet ordering is not guaranteed by IP protocols, so it is not possible to determine which IP fragment will cause message reassembly (and therefore continue pipeline processing). As such, it is strongly recommended that multiple flows should not execute ct to re‐ assemble fragments from the same IP message. Conformance The ct action was introduced in Open vSwitch 2.5. Some of its features were introduced later, noted individually above. The ct_clear action Syntax: ct_clear Clears connection tracking state from the flow, zeroing ct_state, ct_zone, ct_mark, and ct_label. This action was introduced in Open vSwitch 2.7. The learn action Syntax: learn(argument...) The learn action adds or modifies a flow in an OpenFlow table, similar to ovs-ofctl --strict mod-flows. The arguments specify the match fields, actions, and other properties of the flow to be added or modi‐ fied. Match fields for the new flow are specified as follows. At least one match field should ordinarily be specified: field=value Specifies that field, in the new flow, must match the literal value, e.g. dl_type=0x800. Shorthand match syntax, such as ip in place of dl_type=0x800, is not supported. field=src Specifies that field in the new flow must match src taken from the packet currently being processed. For example, udp_dst=udp_src, applied to a UDP packet with source port 53, creates a flow which matches udp_dst=53. field and src must have the same width. field Shorthand for the previous form when field and src are the same. For example, udp_dst, applied to a UDP packet with destination port 53, creates a flow which matches udp_dst=53. The field and src arguments above should be fields or subfields in the syntax described under Field Specifications above. Match field specifications must honor prerequisites for both the flow with the learn and the new flow that it creates. Consider the follow‐ ing complete flow, in the syntax accepted by ovs-ofctl. If the flow’s match on udp were omitted, then the flow would not satisfy the prereq‐ uisites for the learn action’s use of udp_src. If dl_type=0x800 or nw_proto were omitted from learn, then the new flow would not satisfy the prerequisite for its match on udp_dst. For more information on prerequisites, please refer to ovs-fields(7): udp, actions=learn(dl_type=0x800, nw_proto=17, udp_dst=udp_src) Actions for the new flow are specified as follows. At least one action should ordinarily be specified: load:value->dst Adds a load action to the new flow that loads the literal value into dst. The syntax is the same as the load action explained in the Field Modification Actions section. load:src->dst Adds a load action to the new flow that loads src, a field or subfield from the packet being processed, into dst. output:field Adds an output action to the new flow’s actions that outputs to the OpenFlow port taken from field, which must be a field as described above. fin_idle_timeout=seconds / fin_hard_timeout=seconds Adds a fin_timeout action with the specified arguments to the new flow. This feature was added in Open vSwitch 1.6. The following additional arguments are optional: idle_timeout=seconds hard_timeout=seconds priority=value cookie=value send_flow_rem These arguments have the same meaning as in the usual flow syntax documented in ovs-ofctl(8). table=table The table in which the new flow should be inserted. Specify a decimal number between 0 and 254 inclusive or the name of a table. The default, if table is unspecified, is table 1 (not 0). delete_learned When this flag is specified, deleting the flow that contains the learn action will also delete the flows created by learn. Specifically, when the last learn action with this flag and particular table and cookie values is removed, the switch deletes all of the flows in the specified table with the specified cookie. This flag was added in Open vSwitch 2.4. limit=number If the number of flows in the new flow’s table with the same cookie exceeds number, the action will not add a new flow. By default, or with limit=0, there is no limit. This flag was added in Open vSwitch 2.8. result_dst=field[bit] If learn fails (because the number of flows exceeds limit), the action sets field[bit] to 0, otherwise it will be set to 1. field[bit] must be a single bit. This flag was added in Open vSwitch 2.8. By itself, the learn action can only put two kinds of actions into the flows that it creates: load and output actions. If learn is used in isolation, these are severe limits. However, learn is not meant to be used in isolation. It is a primitive meant to be used together with other Open vSwitch features to accom‐ plish a task. Its existing features are enough to accomplish most tasks. Here is an outline of a typical pipeline structure that allows for ver‐ satile behavior using learn: • Flows in table A contain a learn action, that populates flows in table L, that use a load action to populate register R with infor‐ mation about what was learned. • Flows in table B contain two sequential resubmit actions: one to table L and another one to table B + 1. • Flows in table B + 1 match on register R and act differently de‐ pending on what the flows in table L loaded into it. This approach can be used to implement many learn-based features. For example: • Resubmit to a table selected based on learned information, e.g. see https://mail.openvswitch.org/pipermail/ovs-discuss/2016-June/021694.html . • MAC learning in the middle of a pipeline, as described in the Open vSwitch Advanced Features Tutorial in the OVS documentation. • TCP state based firewalling, by learning outgoing connections based on SYN packets and matching them up with incoming packets. (This is usually better implemented using the ct action.) • At least some of the features described in T. A. Hoff, Extending Open vSwitch to Facilitate Creation of Stateful SDN Applications. Conformance The learn action is an Open vSwitch extension to OpenFlow added in Open vSwitch 1.3. Some features of learn were added in later versions, as noted individually above. The fin_timeout action Syntax: fin_timeout(key=value...) This action changes the idle timeout or hard timeout, or both, of the OpenFlow flow that contains it, when the flow matches a TCP packet with the FIN or RST flag. When such a packet is observed, the action re‐ duces the rule’s timeouts to those specified on the action. If the rule’s existing timeout is already shorter than the one that the action specifies, then that timeout is unaffected. The timeouts are specified as key-value pairs: idle_timeout=seconds Causes the flow to expire after the given number of seconds of inactivity. hard_timeout=seconds Causes the flow to expire after the given number of seconds, regardless of activity. (seconds specifies time since the flow’s creation, not since the receipt of the FIN or RST.) This action is normally added to a learned flow by the learn action. It is unlikely to be useful otherwise. Conformance This Open vSwitch extension action was added in Open vSwitch 1.6. PROGRAMMING AND CONTROL FLOW ACTIONS The resubmit action Syntax: resubmit:port resubmit([port],[table][,ct])`` Searches an OpenFlow flow table for a matching flow and executes the actions found, if any, before continuing to the following action in the current flow entry. Arguments can customize the search: • If port is given as an OpenFlow port number or name, then it spec‐ ifies a value to use for the input port metadata field as part of the search, in place of the input port currently in the flow. Specifying in_port as port is equivalent to omitting it. • If table is given as an integer between 0 and 254 or a table name, it specifies the OpenFlow table to search. If it is not speci‐ fied, the table from the current flow is used. • If ct is specified, then the search is done with packet 5-tuple fields swapped with the corresponding conntrack original direction tuple fields. See the documentation for ct above, for more infor‐ mation about connection tracking, or ovs-fields(7) for details about the connection tracking fields. This flag requires a valid connection tracking state as a match prerequisite in the flow where this action is placed. Examples of valid connection tracking state matches include ct_state=+new, ct_state=+est, ct_state=+rel, and ct_state=+trk-inv. The changes, if any, to the input port and connection tracking fields are just for searching the flow table. The changes are not visible to actions or to later flow table lookups. The most common use of resubmit is to visit another flow table without port or ct, like this: resubmit(,table). Recursive resubmit actions are permitted. Conformance The resubmit action is an Open vSwitch extension. However, the goto_table instruction in OpenFlow 1.1 and later can be viewed as a kind of restricted resubmit. Open vSwitch 1.3 added table. Open vSwitch 2.7 added ct. Open vSwitch imposes a limit on resubmit recursion that varies among version: • Open vSwitch 1.0.1 and earlier did not support recursion. • Open vSwitch 1.0.2 and 1.0.3 limited recursion to 8 levels. • Open vSwitch 1.1 and 1.2 limited recursion to 16 levels. • Open vSwitch 1.2 through 1.8 limited recursion to 32 lev‐ els. • Open vSwitch 1.9 through 2.0 limited recursion to 64 lev‐ els. • Open vSwitch 2.1 through 2.5 limited recursion to 64 levels and impose a total limit of 4,096 resubmits per flow trans‐ lation (earlier versions did not impose any total limit). • Open vSwitch 2.6 and later imposes the same limits as 2.5, with one exception: resubmit from table x to any table y > x does not count against the recursion depth limit. The clone action Syntax: clone(action...) Executes each nested action, saving much of the packet and pipeline state beforehand and then restoring it afterward. The state that is saved and restored includes all flow data and metadata (including, for example, in_port and ct_state), the stack accessed by push and pop ac‐ tions, and the OpenFlow action set. This action was added in Open vSwitch 2.7. The push and pop actions Syntax: push:src pop:dst The push action pushes src on a general-purpose stack. The pop action pops an entry off the stack into dst. src and dst should be fields or subfields in the syntax described under Field Specifications above. Controllers can use the stack for saving and restoring data or metadata around resubmit actions, for swapping or rearranging data and metadata, or for other purposes. Any data or metadata field, or part of one, may be pushed, and any modifiable field or subfield may be popped. The number of bits pushed in a stack entry do not have to match the number of bits later popped from that entry. If more bits are popped from an entry than were pushed, then the entry is conceptually left-padded with 0-bits as needed. If fewer bits are popped than pushed, then bits are conceptually trimmed from the left side of the entry. The stack’s size is limited. The limit is intended to be high enough that normal use will not pose problems. Stack overflow or underflow is an error that stops action execution (see Stack too deep under Error Handling, above). Examples: • push:reg2[0..5] or push:NXM_NX_REG2[0..5] pushes on the stack the 6 bits in register 2 bits 0 through 5. • pop:reg2[0..5] or pop:NXM_NX_REG2[0..5] pops the value from top of the stack and copy bits 0 through 5 of that value into bits 0 through 5 of register 2. Conformance Open vSwitch 1.2 introduced push and pop as OpenFlow extension actions. The exit action Syntax: exit This action causes Open vSwitch to immediately halt execution of fur‐ ther actions. Actions which have already been executed are unaffected. Any further actions, including those which may be in other tables, or different levels of the resubmit call stack, are ignored. However, an exit action within a group bucket terminates only execution of that bucket, not other buckets or the overall pipeline. Actions in the ac‐ tion set are still executed (specify clear_actions before exit to dis‐ card them). The multipath action Syntax: multipath(fields,basis,algorithm,n_links,arg,dst) Hashes fields using basis as a universal hash parameter, then the ap‐ plies multipath link selection algorithm (with parameter arg) to choose one of n_links output links numbered 0 through n_links minus 1, and stores the link into dst, which must be a field or subfield in the syn‐ tax described under Field Specifications above. The bundle or bundle_load actions are usually easier to use than multi‐ path. fields must be one of the following: eth_src Hashes Ethernet source address only. symmetric_l4 Hashes Ethernet source, destination, and type, VLAN ID, IPv4/IPv6 source, destination, and protocol, and TCP or SCTP (but not UDP) ports. The hash is computed so that pairs of corresponding flows in each direction hash to the same value, in environments where L2 paths are the same in each direc‐ tion. UDP ports are not included in the hash to support pro‐ tocols such as VXLAN that use asymmetric ports in each direc‐ tion. symmetric_l3l4 Hashes IPv4/IPv6 source, destination, and protocol, and TCP or SCTP (but not UDP) ports. Like symmetric_l4, this is a symmetric hash, but by excluding L2 headers it is more effec‐ tive in environments with asymmetric L2 paths (e.g. paths in‐ volving VRRP IP addresses on a router). Not an effective hash function for protocols other than IPv4 and IPv6, which hash to a constant zero. symmetric_l3l4+udp Like symmetric_l3l4+udp, but UDP ports are included in the hash. This is a more effective hash when asymmetric UDP pro‐ tocols such as VXLAN are not a consideration. symmetric_l3 Hashes network source address and network destination ad‐ dress. nw_src Hashes network source address only. nw_dst Hashes network destination address only. The algorithm used to compute the final result link must be one of the following: modulo_n Computes link = hash(flow) % n_links. This algorithm redistributes all traffic when n_links changes. It has O(1) performance. Use 65535 for max_link to get a raw hash value. This algorithm is specified by RFC 2992. hash_threshold Computes link = hash(flow) / (MAX_HASH / n_links). Redistributes between one-quarter and one-half of traffic when n_links changes. It has O(1) performance. This algorithm is specified by RFC 2992. hrw (Highest Random Weight) Computes the following: for i in [0, n_links]: weights[i] = hash(flow, i) link = { i such that weights[i] >= weights[j] for all j != i } Redistributes 1 / n_links of traffic when n_links changes. It has O(n_links) performance. If n_links is greater than a threshold (currently 64, but subject to change), Open vSwitch will substitute another algorithm automatically. This algorithm is specified by RFC 2992. iter_hash (Iterative Hash) Computes the following: i = 0 repeat: i = i + 1 link = hash(flow, i) % arg while link > max_link Redistributes 1 / n_links of traffic when n_links changes. O(1) performance when arg / max_link is bounded by a con‐ stant. Redistributes all traffic when arg changes. arg must be greater than max_link and for best performance should be no more than approximately max_link * 2. If arg is outside the acceptable range, Open vSwitch will automatically substitute the least power of 2 greater than max_link. This algorithm is specific to Open vSwitch. Only the iter_hash algorithm uses arg. It is an error if max_link is greater than or equal to 2**n_bits. Conformance This is an OpenFlow extension added in Open vSwitch 1.1. OTHER ACTIONS The conjunction action Syntax: conjunction(id, k/n) This action allows for sophisticated conjunctive match flows. Refer to Conjunctive Match Fields in ovs-fields(7) for details. A flow that has one or more conjunction actions may not have any other actions except for note actions. Conformance Open vSwitch 2.4 introduced the conjunction action and conj_id field. They are Open vSwitch extensions to OpenFlow. The note action Syntax: note:[hh]... This action does nothing at all. OpenFlow controllers may use it to annotate flows with more data than can fit in a flow cookie. The action may include any number of bytes represented as hex digits hh. Periods may separate pairs of hex digits, for readability. The note action’s format doesn’t include an exact length for its payload, so the provided bytes will be padded on the right by enough bytes with value 0 to make the total number 6 more than a multiple of 8. Conformance This action is an extension to OpenFlow introduced in Open vSwitch 1.1. The sample action Syntax: sample(argument...) Samples packets and sends one sample for every sampled packet. The following argument forms are accepted: probability=packets The number of sampled packets out of 65535. Must be greater or equal to 1. collector_set_id=id The unsigned 32-bit integer identifier of the set of sample collectors to send sampled packets to. Defaults to 0. obs_domain_id=value When sending samples to IPFIX collectors, the unsigned 32-bit integer Observation Domain ID sent in every IPFIX flow record. The value may be specified as a 32-bit integer or a field or subfield in the syntax described under Field Speci‐ fications above. Defaults to 0. obs_point_id=value When sending samples to IPFIX collectors, the unsigned 32-bit integer Observation Point ID sent in every IPFIX flow record. The value may be specified as a 32-bit integer or a field or subfield in the syntax described under Field Specifications above. Defaults to 0. sampling_port=port Sample packets on port, which should be the ingress or egress port. This option, which was added in Open vSwitch 2.6, al‐ lows the IPFIX implementation to export egress tunnel infor‐ mation. ingress egress Specifies explicitly that the packet is being sampled on ingress to or egress from the switch. IPFIX reports sent by Open vSwitch before version 2.6 did not include a direction. From 2.6 until 2.7, IPFIX reports inferred a direction from sampling_port: if it was the packet’s output port, then the direction was reported as egress, otherwise as ingress. Open vSwitch 2.7 introduced these options, which allow the in‐ ferred direction to be overridden. This is particularly use‐ ful when the ingress (or egress) port is not a tunnel. Refer to ovs-vswitchd.conf.db(5) for more details on configuring sample collector sets. Conformance This action is an OpenFlow extension added in Open vSwitch 2.4. Support for subfields in obs_domain_id and obs_point_id was added in Open vSwitch 3.4. INSTRUCTIONS Every version of OpenFlow includes actions. OpenFlow 1.1 introduced the higher-level, related concept of instructions. In OpenFlow 1.1 and later, actions within a flow are always encapsulated within an instruc‐ tion. Each flow has at most one instruction of each kind, which are executed in the following fixed order defined in the OpenFlow specifi‐ cation: 1. Meter 2. Apply-Actions 3. Clear-Actions 4. Write-Actions 5. Write-Metadata 6. Stat-Trigger (not supported by Open vSwitch) 7. Goto-Table The most important instruction is Apply-Actions. This instruction en‐ capsulates any number of actions, which the instruction executes. Open vSwitch does not explicitly represent Apply-Actions. Instead, any ac‐ tion by itself is implicitly part of an Apply-Actions instructions. Open vSwitch syntax requires other instructions, if present, to be in the order listed above. Otherwise it will flag an error. The meter action and instruction Syntax: meter:meter_id Apply meter meter_id. If a meter band rate is exceeded, the packet may be dropped, or modified, depending on the meter band type. Conformance OpenFlow 1.3 introduced the meter instruction. OpenFlow 1.5 changes meter from an instruction to an action. OpenFlow 1.5 allows implementations to restrict meter to be the first action in an action list and to exclude meter from action sets, for better compatibility with OpenFlow 1.3 and 1.4. Open vSwitch restricts the meter action both ways. Open vSwitch 2.0 introduced OpenFlow protocol support for me‐ ters, but it did not include a datapath implementation. Open vSwitch 2.7 added meter support to the userspace datapath. Open vSwitch 2.10 added meter support to the kernel datapath. Open vSwitch 2.12 added support for meter as an action in OpenFlow 1.5. The clear_actions instruction Syntax: clear_actions Clears the action set. See Action Sets, above, for more information. Conformance OpenFlow 1.1 introduced clear_actions. Open vSwitch 2.1 added support for clear_actions. The write_actions instruction Syntax: write_actions(action...) Adds each action to the action set. The action set is carried between flow tables and then executed at the end of the pipeline. Only certain actions may be written to the action set. See Action Sets, above, for more information. Conformance OpenFlow 1.1 introduced write_actions. Open vSwitch 2.1 added support for write_actions. The write_metadata instruction Syntax: write_metadata:value[/mask] Updates the flow’s metadata field. If mask is omitted, metadata is set exactly to value; if mask is specified, then a 1-bit in mask indicates that the corresponding bit in metadata will be replaced with the corre‐ sponding bit from value. Both value and mask are 64-bit values that are decimal by default; use a 0x prefix to specify them in hexadecimal. The metadata field can also be matched in the flow table and updated with actions such as set_field and move. Conformance OpenFlow 1.1 introduced write_metadata. Open vSwitch 2.1 added support for write_metadata. The goto_table instruction Syntax: goto_table:table Jumps to table as the next table in the process pipeline. The table may be a number between 0 and 254 or a table name. It is an error if table is less than or equal to the table of the flow that contains it; that is, goto_table must move forward in the OpenFlow pipeline. Since goto_table must be the last instruction in a flow, it never leads to recursion. The resubmit extension action is more flexi‐ ble. Conformance OpenFlow 1.1 introduced goto_table. Open vSwitch 2.1 added sup‐ port for goto_table. AUTHOR The Open vSwitch Development Community COPYRIGHT 2016-2024, The Open vSwitch Development Community 3.4 Nov 16, 2024 OVS-ACTIONS(7)