[ovs-discuss] Can you match on packet length?
blp at ovn.org
Mon Jun 19 23:15:17 UTC 2017
On Mon, Jun 19, 2017 at 03:11:23PM -0700, Joe Stringer wrote:
> On 19 June 2017 at 14:08, Keith Holleman via discuss
> <ovs-discuss at openvswitch.org> wrote:
> > Went to add a match rule based on packet length and couldn't find the right
> > term or syntax. Then I searched the ovs-ofctl man page and couldn't find
> > anything. Even more surprising was that I couldn't find an example of this
> > previously being asked on any OVS discussion groups. Couldn't find it in
> > the FAQ either. I know in stating so many places looked I will inevitably
> > get proven wrong but I did try.
> > So.....can you add a rule via ovs-ofctl to match on a packet's length?
> > Probably tricky because it would have to have greater-than and less-than
> > semantics and that doesn't play well with the fixed-length matches of
> > OpenFlow. Are there any extensions that enable this? Or any pointers to
> > previous discussions about it?
> I don't think there's any such support. The matching in the datapath
> is based on unique bit patterns and masks, so if you wanted to render
> range semantics into that then you would practically end up generating
> several matches, one for each bitpattern within the range. I could
> imagine that if the packet length were matchable then worst case we
> could end up generating a different datapath flow for each possible
> packet length (or at least one per power-of-two bit up to the argument
> for lt/gt).
An arbitrary integer range over an N-bit field requires no more than 2N
The OpenFlow working group declined to define this kind of match on the
basis, among others, that the length of a packet is rather difficult to
define. Also, no one seemed to have a really good use case for it. The
main one raised was some kind of vague "security" justification.
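
The range-to-mask expansion discussed in this thread, as an added example that is not part of the original message or of the OVS code base: it splits an inclusive integer range into value/mask pairs of the kind a bit-pattern matcher can use, and the pair count stays within the 2N bound the reply mentions. The function names and the 16-bit default width are assumptions made for illustration; no packet-length match field is implied.

```python
def range_to_masks(lo, hi, width=16):
    """Cover the inclusive range [lo, hi] of a width-bit field with
    (value, mask) pairs; a field matches when (field & mask) == value."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("need 0 <= lo <= hi < 2**width")
    full = (1 << width) - 1
    pairs = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo
        # (lo == 0 is aligned to the whole field).
        size = (lo & -lo) if lo else (1 << width)
        # Shrink the block until it no longer overshoots hi.
        while size > hi - lo + 1:
            size >>= 1
        # A block of `size` values wildcards the low log2(size) bits.
        pairs.append((lo, full & ~(size - 1)))
        lo += size
    return pairs


def matches(value, pairs):
    """True if value is accepted by any (value, mask) pair."""
    return any((value & mask) == val for val, mask in pairs)


def render(pairs, width=16):
    """Format pairs as hex value/mask strings for display."""
    digits = (width + 3) // 4
    return [f"0x{v:0{digits}x}/0x{m:0{digits}x}" for v, m in pairs]


if __name__ == "__main__":
    # Constructed sample ranges over a 16-bit field.
    for lo, hi in [(5, 10), (1000, 1500), (1, 65534)]:
        pairs = range_to_masks(lo, hi)
        print(f"{lo}..{hi}: {len(pairs)} masked matches")
        for line in render(pairs):
            print("   ", line)
```

The range 1..65534 is the worst case for a 16-bit field and expands to 30 masked matches, which is the per-range cost a flow table would pay for one greater-than/less-than rule.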