[ovs-discuss] Can you match on packet length?

Joe Stringer joe at ovn.org
Mon Jun 19 22:11:23 UTC 2017


On 19 June 2017 at 14:08, Keith Holleman via discuss
<ovs-discuss at openvswitch.org> wrote:
>
> Went to add a match rule based on packet length and couldn't find the right
> term or syntax.  Then I searched the ovs-ofctl man page and couldn't find
> anything.  Even more surprising was that I couldn't find an example of this
> previously being asked on any OVS discussion groups.  Couldn't find it in
> the FAQ either.  I know in stating so many places I looked I will inevitably
> get proven wrong but I did try.
>
> So.....can you add a rule via ovs-ofctl to match on a packet's length?
> Probably tricky because it would have to have greater-than and less-than
> semantics and that doesn't play well with the fixed-length matches of
> OpenFlow.  Are there any extensions that enable this?  Or any pointers to
> previous discussions about it?

I don't think there's any such support. The matching in the datapath
is based on unique bit patterns and masks, so if you wanted to render
range semantics into that then you would practically end up generating
several matches, one for each bit pattern within the range. I could
imagine that if the packet length were matchable then worst case we
could end up generating a different datapath flow for each possible
packet length (or at least one per power-of-two bit up to the argument
for lt/gt).

Perhaps in more limited situations, you could avoid massive microflow
explosion, for example if you only wanted to match packets of size
1024-2043:

pkt_size=0x0400/0xfc00

That is to say, match the packet size bit 2^10 (i.e., 1024), match
zero-value for bits 2^11 and up, and mask out (ignore) bits for 2^0 up
to 2^9.

To also match anything from 512 upwards, you would also need a match like this:

pkt_size=0x0200/0xfe00

But if the match didn't align with power-of-two boundaries then the
matching would get quite complicated.

Cheers,
Joe
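
The range-to-mask decomposition discussed in the reply above, as an added example that is not part of the original message or of OVS itself. It generalizes beyond the power-of-two cases to any inclusive range, and assumes a 16-bit field; "pkt_size" is the hypothetical field name from the email, not a real OVS match field.

```python
# Added example: split an inclusive integer range into value/mask matches.
# "pkt_size" is the hypothetical field name from the email, not a real OVS field.

WIDTH = 16  # assumed field width in bits


def range_to_masks(lo, hi, width=WIDTH):
    """Return [(value, mask), ...] that together match exactly lo..hi."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range must fit in the field")
    full = (1 << width) - 1
    matches = []
    while lo <= hi:
        # Largest power-of-two block that can start at lo (alignment limit) ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        # Low bits inside the block are wildcarded, everything above is exact.
        matches.append((lo, full & ~(size - 1)))
        lo += size
    return matches


def fmt(matches, field="pkt_size"):
    """Render matches in the value/mask notation used in the email."""
    return ["%s=0x%04x/0x%04x" % (field, v, m) for v, m in matches]


def covered(matches, width=WIDTH):
    """Brute-force the set of values the matches accept (for checking)."""
    return {x for x in range(1 << width)
            if any((x & m) == v for v, m in matches)}


if __name__ == "__main__":
    # Constructed sample ranges: two aligned, one unaligned, one "greater than".
    for lo, hi in [(1024, 2047), (512, 2047), (1000, 1500), (1501, 65535)]:
        rules = range_to_masks(lo, hi)
        print("%d..%d -> %d match(es)" % (lo, hi, len(rules)))
        for line in fmt(rules):
            print("   ", line)
```

The aligned ranges collapse to one or two entries, while the unaligned 1000..1500 needs nine, which is the rule growth to budget for when expressing length limits as masked matches.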

