[ovs-discuss] Can you match on packet length?

Ben Pfaff blp at ovn.org
Mon Jun 19 23:15:17 UTC 2017


On Mon, Jun 19, 2017 at 03:11:23PM -0700, Joe Stringer wrote:
> On 19 June 2017 at 14:08, Keith Holleman via discuss
> <ovs-discuss at openvswitch.org> wrote:
> >
> > Went to add a match rule based on packet length and couldn't find the right
> > term or syntax.  Then I searched the ovs-ofctl man page and couldn't find
> > anything.  Even more surprising was that I couldn't find an example of this
> > previously being asked on any OVS discussion groups.   Couldn't find it in
> > the FAQ either.  I know in stating so many places I looked I will inevitably
> > get proven wrong but I did try.
> >
> > So.....can you add a rule via ovs-ofctl to match on a packet's length?
> > Probably tricky because it would have to have greater-than and less-than
> > semantics and that doesn't play well with the fixed-length matches of
> > OpenFlow.  Are there any extensions that enable this?  Or any pointers to
> > previous discussions about it?
> 
> I don't think there's any such support. The matching in the datapath
> is based on unique bit patterns and masks, so if you wanted to render
> range semantics into that then you would practically end up generating
> several matches, one for each bit pattern within the range. I could
> imagine that if the packet length were matchable then worst case we
> could end up generating a different datapath flow for each possible
> packet length (or at least one per power-of-two bit up to the argument
> for lt/gt).

An arbitrary integer range over an N-bit field requires no more than 2N
bitwise matches.

The OpenFlow working group declined to define this kind of match on the
basis, among others, that the length of a packet is rather difficult to
define.  Also, no one seemed to have a really good use case for it.  The
main one raised was some kind of vague "security" justification.
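
The 2N bound stated in the reply above can be seen by splitting a range into aligned power-of-two blocks, each of which is a single value/mask match. This is an added example, not part of the original thread or of OVS; `range_to_masks` and `matches` are hypothetical helper names, and the 16-bit field width and the 64..1500 range are constructed sample values.

```python
def range_to_masks(lo, hi, nbits):
    """Return (value, mask) pairs that together match exactly lo..hi inclusive."""
    if not (0 <= lo <= hi < (1 << nbits)):
        raise ValueError("need 0 <= lo <= hi < 2**nbits")
    full = (1 << nbits) - 1
    pairs = []
    while lo <= hi:
        # Largest power-of-two block that starts aligned at lo
        # (lo == 0 is aligned to the whole field).
        size = (lo & -lo) if lo else (1 << nbits)
        # Shrink the block until it no longer runs past hi.
        while lo + size - 1 > hi:
            size >>= 1
        # A block of `size` values leaves its low log2(size) bits wildcarded.
        pairs.append((lo, full & ~(size - 1)))
        lo += size
    return pairs


def matches(value, pairs):
    """Bitwise match semantics: a hit if any (v, mask) satisfies value & mask == v."""
    return any((value & mask) == v for v, mask in pairs)


if __name__ == "__main__":
    NBITS = 16  # constructed sample field width
    # Constructed sample range, then the worst case for a 16-bit field.
    for lo, hi in ((64, 1500), (1, 0xFFFE)):
        pairs = range_to_masks(lo, hi, NBITS)
        print(f"{lo}..{hi}: {len(pairs)} matches (bound 2N = {2 * NBITS})")
        for v, m in pairs:
            print(f"  0x{v:04x}/0x{m:04x}")
```

The ascending half of the range contributes at most N-1 blocks of growing size and the descending half at most N-1 blocks of shrinking size, which is where the 2N ceiling comes from.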

