the same packet in multiple contexts then you must use the \fBct\fR action
multiple times. Introduced in Open vSwitch 2.5.
.
+.IP \fBct_mark=\fIvalue\fR[\fB/\fImask\fR]
+Matches the given 32-bit connection mark \fIvalue\fR either exactly or with
+optional \fImask\fR. This represents metadata associated with the connection
+that the current packet is part of. Introduced in Open vSwitch 2.5.
+.
+.IP \fBct_label=\fIvalue\fR[\fB/\fImask\fR]
+Matches the given 128-bit connection labels \fIvalue\fR either exactly or with
+optional \fImask\fR. This represents metadata associated with the connection
+that the current packet is part of. Introduced in Open vSwitch 2.5.
+.
.PP
Defining IPv6 flows (those with \fBdl_type\fR equal to 0x86dd) requires
support for NXM. The following shorthand notations are available for
domains, allowing overlapping network addresses in different zones. If a zone
is not provided, then the default is to use zone zero. The \fBzone\fR may be
specified either as an immediate 16-bit \fIvalue\fR, or may be provided from an
-OpenFlow field \fIsrc\fR. The \fIstart\fR and \fIend\fR pair are inclusive, and
-must specify a 16-bit range within the field.
+NXM field \fIsrc\fR. The \fIstart\fR and \fIend\fR pair are inclusive, and must
+specify a 16-bit range within the field.
+.IP \fBexec\fB(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR
+Perform actions within the context of connection tracking. These actions
+are in the same format as the actions accepted as part of a flow, however
+there are additional restrictions applied. For instance, only actions which
+modify the ct fields are accepted within the \fBexec\fR action. Furthermore,
+some actions may only be performed in this context, for instance modifying the
+ct_mark field:
+.
+.RS
+.IP \fBset_field:\fIvalue\fR->ct_mark\fR
+Store a 32-bit metadata value with the connection. If the connection is
+committed, then subsequent lookups for packets in this connection will
+populate the \fBct_mark\fR flow field when the packet is sent to the
+connection tracker with the \fBtable\fR specified.
+.IP \fBset_field:\fIvalue\fR->ct_label\fR
+Store a 128-bit metadata value with the connection. If the connection is
+committed, then subsequent lookups for packets in this connection will
+populate the \fBct_label\fR flow field when the packet is sent to the
+connection tracker with the \fBtable\fR specified.
+.RE
+.IP
+The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
+.
+.IP \fBalg=\fIalg\fR
+Specify application layer gateway \fIalg\fR to track specific connection
+types. Supported types include:
+.RS
+.IP \fBftp\fR
+Look for negotiation of FTP data connections. If a subsequent FTP data
+connection arrives which is related, the \fBct\fR action will set the
+\fBrel\fR flag in the \fBct_state\fR field for packets sent through \fBct\fR.
+.RE
+.
.RE
.IP
The \fBct\fR action may be used as a primitive to construct stateful firewalls
Currently, connection tracking is only available on Linux kernels with the
nf_conntrack module loaded.
.
+.RE
+.
.IP \fBdec_ttl\fR
.IQ \fBdec_ttl\fB[\fR(\fIid1,id2\fI)\fR]\fR
Decrement TTL of IPv4 packet or hop limit of IPv6 packet. If the
projects / cascardo / ovs.git / blobdiff