.IP \fBip\fR
Same as \fBdl_type=0x0800\fR.
.
+.IP \fBipv6\fR
+Same as \fBdl_type=0x86dd\fR.
+.
.IP \fBicmp\fR
Same as \fBdl_type=0x0800,nw_proto=1\fR.
.
+.IP \fBicmp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=58\fR.
+.
.IP \fBtcp\fR
Same as \fBdl_type=0x0800,nw_proto=6\fR.
.
+.IP \fBtcp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=6\fR.
+.
.IP \fBudp\fR
Same as \fBdl_type=0x0800,nw_proto=17\fR.
.
+.IP \fBudp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=17\fR.
+.
.IP \fBsctp\fR
Same as \fBdl_type=0x0800,nw_proto=132\fR.
.
+.IP \fBsctp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=132\fR.
+.
.IP \fBarp\fR
Same as \fBdl_type=0x0806\fR.
.
.IP \fBrarp\fR
Same as \fBdl_type=0x8035\fR.
.
+.IP \fBmpls\fR
+Same as \fBdl_type=0x8847\fR.
+.
+.IP \fBmplsm\fR
+Same as \fBdl_type=0x8848\fR.
+.
.PP
The following field assignments require support for the NXM (Nicira
Extended Match) extension to OpenFlow. When one of these is specified,
For more information, please see the corresponding IETF draft:
https://tools.ietf.org/html/draft-smith-vxlan-group-policy
.
-.IP "\fBtun_metadata\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
+.IP "\fBtun_metadata\fIidx\fR[\fB=\fIvalue\fR[\fB/\fImask\fR]]"
Matches \fIvalue\fR either exactly or with optional \fImask\fR in
tunnel metadata field number \fIidx\fR (numbered from 0 to 63).
+The act of specifying a field implies a match on the existence
+of that field in the packet in addition to the masked value. As
+a shorthand, it is possible to specify only the field name to
+simply match on an option being present.
+.IP
Tunnel metadata fields can be dynamically assigned onto the data
contained in the options of Geneve packets using the commands
described in the section \fBOpenFlow Switch Geneve Option Table
.IP
This field was introduced in Open vSwitch 2.4.
.
+.IP \fBct_state=\fIflags\fB/\fImask\fR
+.IQ \fBct_state=\fR[\fB+\fIflag\fR...][\fB-\fIflag\fR...]
+Bitwise match on connection state flags. This is used with the \fBct\fR
+action (see below).
+.IP
+The \fBct_state\fR field provides information from a connection tracking
+module. It describes whether the packet has previously traversed the
+connection tracker (tracked, or trk) and, if it has been tracked, any
+additional information that the connection tracker was able to provide about
+the connection that the current packet belongs to.
+.IP
+Individual packets may be in one of two states: Untracked or tracked. When the
+\fBct\fR action is executed on a packet, it becomes tracked for the the
+remainder of OpenFlow pipeline processing. Once a packet has become tracked,
+the state of its corresponding connection may be determined. Note that the
+\fBct_state\fR is only significant for the current \fBct_zone\fR.
+.IP
+Connections may be in one of two states: uncommitted or committed. Connections
+are uncommitted by default. To determine ongoing information about a
+connection, like whether the connection is established or not, the connection
+must be committed. When the \fBct\fR action is executed on a packet with the
+\fBcommit\fR parameter, the connection will become committed and will remain in
+this state until the end of the connection. Committed connections store state
+beyond the duration of packet processing.
+.IP
+The \fIflags\fR and \fImask\fR are 32-bit numbers written in decimal or
+in hexadecimal prefixed by \fB0x\fR. Each 1-bit in \fImask\fR requires
+that the corresponding bit in \fIflags\fR must match. Each 0-bit in
+\fImask\fR causes the corresponding bit to be ignored.
+.IP
+Alternatively, the flags can be specified by their symbolic names
+(listed below), each preceded by either \fB+\fR for a flag that must
+be set, or \fB\-\fR for a flag that must be unset, without any other
+delimiters between the flags. Flags not mentioned are wildcarded. For
+example, \fBtcp,ct_state=+trk\-new\fR matches TCP packets that
+have been run through the connection tracker and do not establish a new
+flow.
+.IP
+The following flags describe the state of the tracking:
+.RS
+.IP "\fB0x80: trk\fR"
+This packet is tracked, meaning that it has previously traversed the connection
+tracker. If this flag is not set, then no other flags will be set. If this flag
+is set, then the packet is tracked and other flags may also be set.
+.IP "\fB0x40: rpl\fR"
+The flow is in the reply direction, meaning it did not initiate the
+connection. This flag may only be present for committed connections.
+.IP "\fB0x20: inv\fR"
+The state is invalid, meaning that the connection tracker couldn't identify the
+connection. This flag is a catch-all for any problems that the connection
+tracker may have, for example:
+.RS
+.PP
+- L3/L4 protocol handler is not loaded/unavailable. With the Linux kernel
+datapath, this may mean that the "nf_conntrack_ipv4" or "nf_conntrack_ipv6"
+modules are not loaded.
+.PP
+- L3/L4 protocol handler determines that the packet is malformed.
+.PP
+- Packets are unexpected length for protocol.
+.RE
+.IP "\fB0x01: new\fR"
+This is the beginning of a new connection. This flag may only be present for
+uncommitted connections.
+.IP "\fB0x02: est\fR"
+This is part of an already existing connection. This flag may only be present
+for committed connections.
+.IP "\fB0x04: rel\fR"
+This is a connection that is related to an existing connection, for
+instance ICMP "destination unreachable" messages or FTP data connections. This
+flag may only be present for committed connections.
+.PP
+This field was introduced in Open vSwitch 2.5.
+.RE
+.
+.PP
+The following fields are associated with the connection tracker and will only
+be populated for tracked packets. The \fBct\fR action will populate these
+fields, and allows modification of some of the below fields.
+.IP \fBct_zone=\fIzone
+Matches the given 16-bit connection \fIzone\fR exactly. This represents the
+most recent connection tracking context that \fBct\fR was executed in. Each
+zone is an independent connection tracking context, so if you wish to track
+the same packet in multiple contexts then you must use the \fBct\fR action
+multiple times. Introduced in Open vSwitch 2.5.
+.
+.IP \fBct_mark=\fIvalue\fR[\fB/\fImask\fR]
+Matches the given 32-bit connection mark \fIvalue\fR either exactly or with
+optional \fImask\fR. This represents metadata associated with the connection
+that the current packet is part of. Introduced in Open vSwitch 2.5.
+.
+.IP \fBct_label=\fIvalue\fR[\fB/\fImask\fR]
+Matches the given 128-bit connection labels \fIvalue\fR either exactly or with
+optional \fImask\fR. This represents metadata associated with the connection
+that the current packet is part of. Introduced in Open vSwitch 2.5.
+.
.PP
Defining IPv6 flows (those with \fBdl_type\fR equal to 0x86dd) requires
support for NXM. The following shorthand notations are available for
Strips the VLAN tag from a packet if it is present.
.
.IP \fBpush_vlan\fR:\fIethertype\fR
-Push a new VLAN tag onto the packet. Ethertype is used as the the Ethertype
+Push a new VLAN tag onto the packet. Ethertype is used as the Ethertype
for the tag. Only ethertype 0x8100 should be used. (0x88a8 which the spec
allows isn't supported at the moment.)
A priority of zero and the tag of zero are used for the new tag.
Restores the queue to the value it was before any \fBset_queue\fR
actions were applied.
.
+.IP \fBct\fR
+.IQ \fBct\fB(\fR[\fIargument\fR][\fB,\fIargument\fR...]\fB)
+Send the packet through the connection tracker. Refer to the \fBct_state\fR
+documentation above for possible packet and connection states. The following
+arguments are supported:
+
+.RS
+.IP \fBcommit\fR
+.RS
+Commit the connection to the connection tracking module. Information about the
+connection will be stored beyond the lifetime of the packet in the pipeline.
+Some \fBct_state\fR flags are only available for committed connections.
+.RE
+.IP \fBtable=\fInumber\fR
+Fork pipeline processing in two. The original instance of the packet will
+continue processing the current actions list as an untracked packet. An
+additional instance of the packet will be sent to the connection tracker, which
+will be re-injected into the OpenFlow pipeline to resume processing in table
+\fInumber\fR, with the \fBct_state\fR and other ct match fields set. If the
+\fBtable\fR is not specified, then the packet is submitted to the connection
+tracker, but the pipeline does not fork and the ct match fields are not
+populated. It is strongly recommended to specify a table later than the current
+table to prevent loops.
+.IP \fBzone=\fIvalue\fR
+.IQ \fBzone=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
+A 16-bit context id that can be used to isolate connections into separate
+domains, allowing overlapping network addresses in different zones. If a zone
+is not provided, then the default is to use zone zero. The \fBzone\fR may be
+specified either as an immediate 16-bit \fIvalue\fR, or may be provided from an
+NXM field \fIsrc\fR. The \fIstart\fR and \fIend\fR pair are inclusive, and must
+specify a 16-bit range within the field.
+.IP \fBexec\fB(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR
+Perform actions within the context of connection tracking. These actions
+are in the same format as the actions accepted as part of a flow, however
+there are additional restrictions applied. For instance, only actions which
+modify the ct fields are accepted within the \fBexec\fR action. Furthermore,
+some actions may only be performed in this context, for instance modifying the
+ct_mark field:
+.
+.RS
+.IP \fBset_field:\fIvalue\fR->ct_mark\fR
+Store a 32-bit metadata value with the connection. If the connection is
+committed, then subsequent lookups for packets in this connection will
+populate the \fBct_mark\fR flow field when the packet is sent to the
+connection tracker with the \fBtable\fR specified.
+.IP \fBset_field:\fIvalue\fR->ct_label\fR
+Store a 128-bit metadata value with the connection. If the connection is
+committed, then subsequent lookups for packets in this connection will
+populate the \fBct_label\fR flow field when the packet is sent to the
+connection tracker with the \fBtable\fR specified.
+.RE
+.IP
+The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
+.
+.IP \fBalg=\fIalg\fR
+Specify application layer gateway \fIalg\fR to track specific connection
+types. Supported types include:
+.RS
+.IP \fBftp\fR
+Look for negotiation of FTP data connections. If a subsequent FTP data
+connection arrives which is related, the \fBct\fR action will set the
+\fBrel\fR flag in the \fBct_state\fR field for packets sent through \fBct\fR.
+.RE
+.
+.RE
+.IP
+The \fBct\fR action may be used as a primitive to construct stateful firewalls
+by selectively committing some traffic, then matching the \fBct_state\fR to
+allow established connections while denying new connections. The following
+flows provide an example of how to implement a simple firewall that allows new
+connections from port 1 to port 2, and only allows established connections to
+send traffic from port 2 to port 1:
+ \fBtable=0,priority=1,action=drop
+ table=0,priority=10,arp,action=normal
+ table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
+ table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
+ table=1,in_port=1,ip,ct_state=+trk+est,action=2
+ table=1,in_port=2,ip,ct_state=+trk+new,action=drop
+ table=1,in_port=2,ip,ct_state=+trk+est,action=1\fR
+.IP
+If \fBct\fR is executed on IP (or IPv6) fragments, then the message is
+implicitly reassembled before sending to the connection tracker and
+refragmented upon \fBoutput\fR, to the original maximum received fragment size.
+Reassembly occurs within the context of the \fBzone\fR. Pipeline processing
+for the initial fragments is halted; When the final fragment is received,
+the message is assembled and pipeline processing will continue for that flow.
+Because packet ordering is not guaranteed by IP protocols, it is not possible
+to determine which IP fragment will cause message reassembly (and therefore
+continue pipeline processing). As such, it is strongly recommended that
+multiple flows should not execute \fBct\fR to reassemble fragments from the
+same IP message.
+.IP
+Currently, connection tracking is only available on Linux kernels with the
+nf_conntrack module loaded.
+.
+.RE
+.
.IP \fBdec_ttl\fR
.IQ \fBdec_ttl\fB[\fR(\fIid1,id2\fI)\fR]\fR
Decrement TTL of IPv4 packet or hop limit of IPv6 packet. If the
projects / cascardo / ovs.git / blobdiff