
Open vSwitch: OpenFlow flow table setup

wangxuwei
Published 2017/05/21 01:57

Composition of a flow rule

Each flow rule consists of a series of fields, divided into three parts: basic fields, match fields and action fields:

  • Basic fields include the time the rule has been in effect (duration_sec), the table it belongs to (table_id), its priority (priority), the number of packets it has processed (n_packets), the idle timeout (idle_timeout), and so on. idle_timeout is given in seconds; once the rule has seen no traffic for longer than the configured idle timeout it is deleted automatically, and an idle_timeout of 0 means the rule never expires. idle_timeout is not shown in the output of ovs-ofctl dump-flows brname.

  • Match fields include the ingress port number in_port, the source/destination MAC addresses dl_src/dl_dst, the source/destination IP addresses nw_src/nw_dst, the Ethernet type dl_type, the network-layer protocol nw_proto, and so on. Any combination of these fields may be used, but within the protocol layering a higher-layer field may not be given a concrete value while a lower-layer field it depends on is left unspecified. In other words, a flow rule may fix the lower-layer protocol fields and leave the higher-layer fields as wildcards (an unspecified field matches any value), but it may not fix a higher-layer field while the lower-layer field remains a wildcard; otherwise all flow rules in ovs-vswitchd are lost and the network loses connectivity.

  • Action fields include normal forwarding (normal), sending to a specific switch port (output:port), dropping (drop), rewriting the source/destination MAC address (mod_dl_src/mod_dl_dst), and so on. A flow rule may carry several actions, which are executed in the order given.
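
As an added example (not code from the original post or from the Open vSwitch project), the following Python models the layering rule from the list above and builds the string passed to ovs-ofctl add-flow. Nothing is sent to a switch; the shorthand keywords and the dependency table are assumptions taken from the field reference later in this article, and a rule that would violate the layering is rejected before it could ever reach ovs-vswitchd.

```python
"""Compose ovs-ofctl flow specifications with the layering check applied first."""

# Keyword shorthands that ovs-ofctl accepts and the fields they set (assumed
# from the match field reference; add more as needed).
SHORTHANDS = {
    "ip":   {"dl_type": "0x0800"},
    "ipv6": {"dl_type": "0x86dd"},
    "arp":  {"dl_type": "0x0806"},
    "rarp": {"dl_type": "0x8035"},
    "tcp":  {"dl_type": "0x0800", "nw_proto": "6"},
    "udp":  {"dl_type": "0x0800", "nw_proto": "17"},
    "icmp": {"dl_type": "0x0800", "nw_proto": "1"},
}

# Lower-layer fields that must carry one of the listed values before the
# higher-layer field may be given a concrete value.
PREREQS = {
    "nw_src":    {"dl_type": {"0x0800", "0x0806", "0x8035"}},
    "nw_dst":    {"dl_type": {"0x0800", "0x0806", "0x8035"}},
    "nw_proto":  {"dl_type": {"0x0800", "0x86dd", "0x0806", "0x8035"}},
    "nw_tos":    {"dl_type": {"0x0800", "0x86dd"}},
    "nw_ttl":    {"dl_type": {"0x0800", "0x86dd"}},
    "tp_src":    {"dl_type": {"0x0800", "0x86dd"}, "nw_proto": {"6", "17"}},
    "tp_dst":    {"dl_type": {"0x0800", "0x86dd"}, "nw_proto": {"6", "17"}},
    "icmp_type": {"dl_type": {"0x0800", "0x86dd"}, "nw_proto": {"1", "58"}},
    "icmp_code": {"dl_type": {"0x0800", "0x86dd"}, "nw_proto": {"1", "58"}},
    "arp_sha":   {"dl_type": {"0x0806", "0x8035"}},
    "arp_tha":   {"dl_type": {"0x0806", "0x8035"}},
}

# Fields whose values are numbers; these are normalised so that "0x800",
# 2048 and "0x0800" compare equal. Addresses, masks and names are left as given.
NUMERIC = {"dl_type", "nw_proto", "tp_src", "tp_dst", "icmp_type",
           "icmp_code", "in_port", "nw_tos", "nw_ttl"}


def _canon(field, value):
    if field not in NUMERIC:
        return str(value)
    try:
        number = int(str(value), 0)
    except ValueError:          # e.g. in_port given as an interface name
        return str(value)
    return f"0x{number:04x}" if field == "dl_type" else str(number)


def expand(match):
    """Resolve shorthands; return (concrete fields, list of conflicting settings)."""
    fields, conflicts = {}, []
    for key, value in match.items():
        new = SHORTHANDS[key] if key in SHORTHANDS else {key: _canon(key, value)}
        for field, val in new.items():
            if fields.get(field, val) != val:
                conflicts.append(f"{field} set to both {fields[field]} and {val}")
            fields[field] = val
    return fields, conflicts


def flow_errors(match):
    """Return the layering violations in `match` (an empty list means it is valid)."""
    fields, errors = expand(match)
    for field, needs in PREREQS.items():
        if field not in fields:
            continue
        for lower, allowed in needs.items():
            if fields.get(lower) not in allowed:
                errors.append(f"{field} needs {lower} in {sorted(allowed)}, got {fields.get(lower)}")
    return errors


def build_flow(match, actions, priority=None, idle_timeout=None, table=None):
    """Return the flow string for `ovs-ofctl add-flow`; raise ValueError on a bad match."""
    errors = flow_errors(match)
    if errors:
        raise ValueError("; ".join(errors))
    parts = []
    if table is not None:
        parts.append(f"table={table}")
    if priority is not None:
        parts.append(f"priority={priority}")
    if idle_timeout is not None:
        parts.append(f"idle_timeout={idle_timeout}")
    for key, value in match.items():
        parts.append(key if key in SHORTHANDS else f"{key}={_canon(key, value)}")
    parts.append("actions=" + ",".join(actions))
    return ",".join(parts)


def add_flow_command(bridge, *args, **kwargs):
    """Full command line; bridge name (e.g. br0) is whatever the caller supplies."""
    return f'ovs-ofctl add-flow {bridge} "{build_flow(*args, **kwargs)}"'


if __name__ == "__main__":
    print(add_flow_command("br0", {"tcp": True, "nw_dst": "10.0.0.5", "tp_dst": 22},
                           ["output:2"], priority=100, idle_timeout=0))
    print(flow_errors({"ip": True, "tp_dst": 80}))   # tp_dst without nw_proto
```

The match is passed as a dict so that its insertion order becomes the order of the emitted fields; shorthand keywords take the value True and are emitted bare. A match such as {"ip": True, "tp_dst": 80} is reported as an error, because tp_dst needs nw_proto, which only the tcp or udp shorthand (or an explicit nw_proto) provides.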

Match field reference

in_port=port 
Matches OpenFlow port port. 
dl_vlan=vlan 
Matches IEEE 802.1q Virtual LAN tag vlan. 
dl_vlan_pcp=priority 
Matches IEEE 802.1q Priority Code Point (PCP) priority, which is specified as a value between 0 and 7, inclusive. A higher value indicates a higher frame priority level. 
dl_src=xx:xx:xx:xx:xx:xx 
dl_dst=xx:xx:xx:xx:xx:xx 
Matches an Ethernet source (or destination) address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0). 
dl_src=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx 
dl_dst=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx 
Matches an Ethernet source (or destination) address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0), with a wildcard mask following the slash. A 1-bit in the mask means the corresponding address bit must match exactly; a 0-bit wildcards it. Commonly used masks: 
  • 01:00:00:00:00:00 Match only the multicast bit. Thus, dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches all multicast (including broadcast) Ethernet packets, and dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 matches all unicast Ethernet packets. 
  • ff:ff:ff:ff:ff:ff Exact match (equivalent to omitting the mask). 
  • 00:00:00:00:00:00 Wildcard all bits (equivalent to dl_dst=*). 
dl_type=ethertype 
Matches Ethernet protocol type ethertype, which is specified as an integer between 0 and 65535, inclusive, in decimal or as a hexadecimal number prefixed by 0x (e.g. 0x0800 for IPv4 or 0x0806 for ARP). 
nw_src=ip[/netmask] 
nw_dst=ip[/netmask] 
When dl_type is 0x0800 (possibly via shorthand, e.g. ip or tcp), matches IPv4 source (or destination) address ip, which may be specified as an IP address or host name; the optional netmask restricts the match to an address prefix and may be given as a dotted quad or as a CIDR prefix length. 
When dl_type=0x0806 or arp is specified, matches the ar_spa or ar_tpa field, respectively, in ARP packets for IPv4 and Ethernet. 
When dl_type=0x8035 or rarp is specified, matches the ar_spa or ar_tpa field, respectively, in RARP packets for IPv4 and Ethernet. 
nw_proto=proto 
When ip or dl_type=0x0800 is specified, matches IP protocol type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 1 to match ICMP packets or 6 to match TCP packets). 
When ipv6 or dl_type=0x86dd is specified, matches IPv6 header type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 58 to match ICMPv6 packets or 6 to match TCP). 
When arp or dl_type=0x0806 is specified, matches the lower 8 bits of the ARP opcode. 
When rarp or dl_type=0x8035 is specified, matches the lower 8 bits of the ARP opcode. 
nw_tos=tos 
Matches IP ToS/DSCP or IPv6 traffic class field tos, which is specified as a decimal number between 0 and 255, inclusive. 
nw_ecn=ecn 
Matches ecn bits in IP ToS or IPv6 traffic class fields, which is specified as a decimal number between 0 and 3, inclusive. 
nw_ttl=ttl 
Matches IP TTL or IPv6 hop limit value ttl, which is specified as a decimal number between 0 and 255, inclusive. 
tp_src=port 
tp_dst=port 
When dl_type and nw_proto specify TCP or UDP, tp_src and tp_dst match the UDP or TCP source or destination port port 
icmp_type=type 
icmp_code=code 
When dl_type and nw_proto specify ICMP or ICMPv6, type matches the ICMP type and code matches the ICMP code. 
table=number 
If specified, limits the flow manipulation and flow dump commands to only apply to the table with the given number between 0 and 254. 
vlan_tci=tci[/mask] 
Matches modified VLAN TCI tci. If mask is omitted, tci is the exact VLAN TCI to match; if mask is specified, then a 1-bit in mask indicates that the corresponding bit in tci must match exactly, and a 0-bit wildcards that bit. 
ip_frag=frag_type 
When dl_type specifies IP or IPv6, frag_type specifies what kind of IP fragments or non-fragments to match. 
The following values of frag_type are supported: 
  • no Matches only non-fragmented packets. 
  • yes Matches all fragments. 
  • first Matches only fragments with offset 0. 
  • later Matches only fragments with nonzero offset. 
  • not_later Matches non-fragmented packets and fragments with zero offset. 
arp_sha=xx:xx:xx:xx:xx:xx 
arp_tha=xx:xx:xx:xx:xx:xx 
When dl_type specifies either ARP or RARP, arp_sha and arp_tha match the source and target hardware address, respectively. 
tun_id=tunnel-id[/mask] 
Matches tunnel identifier tunnel-id. Only packets that arrive over a tunnel that carries a key (e.g. GRE with the RFC 2890 key extension and a nonzero key value) will have a nonzero tunnel ID.
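
The masking rules in the reference above (the multicast-bit mask for dl_dst, ip[/netmask] for nw_src/nw_dst, and the 1-bit-must-match/0-bit-wildcard semantics of vlan_tci) are easy to get wrong when writing rules by hand, so here is an added example, not code from the original post or from Open vSwitch, that evaluates such matches in Python. The packets, rules and the select_rule helper (which picks the highest-priority matching rule, as the switch does) are constructed for illustration; fields absent from a rule are wildcards.

```python
"""Evaluate ovs-ofctl match specifications against sample packets."""
import ipaddress

MAC_ALL = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def mac_matches(addr, spec):
    """dl_src/dl_dst: 'value' or 'value/mask'; only 1-bits of the mask are compared."""
    value, _, mask = spec.partition("/")
    m = mac_to_int(mask) if mask else MAC_ALL
    return (mac_to_int(addr) & m) == (mac_to_int(value) & m)


def ip_matches(addr, spec):
    """nw_src/nw_dst: 'ip' or 'ip/netmask' (dotted quad or CIDR prefix length)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def tci_matches(tci, spec):
    """vlan_tci=tci[/mask]: a 1-bit in mask must match exactly, a 0-bit is a wildcard."""
    value, _, mask = spec.partition("/")
    m = int(mask, 0) if mask else 0xFFFF
    return (tci & m) == (int(value, 0) & m)


def _same(a, b):
    """Exact comparison for the remaining fields, numeric where both sides parse."""
    try:
        return int(str(a), 0) == int(str(b), 0)
    except ValueError:
        return str(a) == str(b)


MATCHERS = {
    "dl_src": mac_matches, "dl_dst": mac_matches,
    "arp_sha": mac_matches, "arp_tha": mac_matches,
    "nw_src": ip_matches, "nw_dst": ip_matches,
    "vlan_tci": tci_matches,
}


def packet_matches(rule, packet):
    """rule: field -> spec string; packet: field -> value. Unlisted fields match anything."""
    for field, spec in rule.items():
        if field not in packet:
            return False
        matcher = MATCHERS.get(field, _same)
        if not matcher(packet[field], spec):
            return False
    return True


def select_rule(rules, packet):
    """Return the matching (priority, match, actions) tuple with the highest priority."""
    best = None
    for rule in rules:
        if packet_matches(rule[1], packet) and (best is None or rule[0] > best[0]):
            best = rule
    return best


# Constructed sample traffic: an mDNS multicast packet and a unicast one.
PKT_MCAST = {"in_port": 1, "dl_src": "00:0a:e4:25:6b:b0", "dl_dst": "01:00:5e:00:00:fb",
             "dl_type": "0x0800", "nw_src": "10.0.1.7", "nw_dst": "224.0.0.251",
             "nw_proto": 17, "tp_dst": 5353}
PKT_UCAST = {"in_port": 1, "dl_src": "00:0a:e4:25:6b:b0", "dl_dst": "00:0a:e4:25:6b:b1",
             "dl_type": "0x0800", "nw_src": "10.0.1.7", "nw_dst": "10.0.0.9",
             "nw_proto": 6, "tp_dst": 22}

# Constructed rule table (priority, match, actions).
RULES = [
    (200, {"dl_dst": "01:00:00:00:00:00/01:00:00:00:00:00"}, "drop"),
    (100, {"dl_type": "0x0800", "nw_dst": "224.0.0.0/4"}, "normal"),
    (0, {}, "normal"),
]

if __name__ == "__main__":
    for pkt in (PKT_MCAST, PKT_UCAST):
        print(pkt["dl_dst"], "->", select_rule(RULES, pkt))
```

Both constructed rules 200 and 100 match the multicast packet, and the switch applies only the higher-priority one; the unicast packet falls through to the priority-0 catch-all.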

Action field reference

output:port 
Outputs the packet to OpenFlow port port. 
output:src[start..end] 
Outputs the packet to the OpenFlow port number read from src, which must be an NXM field as described above. For example, output:NXM_NX_REG0[16..31] outputs to the OpenFlow port number written in the upper half of register 0. 
enqueue:port:queue 
Enqueues the packet on the specified queue within port port 
normal 
Subjects the packet to the device’s normal L2/L3 processing. 
flood 
Outputs the packet on all switch physical ports other than the port on which it was received and any ports on which flooding is disabled 
all 
Outputs the packet on all switch physical ports other than the port on which it was received. 
controller(key=value…) 
Sends the packet to the OpenFlow controller as a ‘‘packet in’’ message. The supported key-value pairs are: 
max_len=nbytes : Limit to nbytes the number of bytes of the packet to send to the controller. By default the entire packet is sent. 
reason=reason: Specify reason as the reason for sending the message in the ‘‘packet in’’ message. The supported reasons are action (the default), no_match, and invalid_ttl. 
id=controller-id : Specify controller-id 
in_port 
Outputs the packet on the port from which it was received. 
drop 
Discards the packet, so no further processing or forwarding takes place. 
mod_vlan_vid:vlan_vid 
Modifies the VLAN id on a packet. 
mod_vlan_pcp:vlan_pcp 
Modifies the VLAN priority on a packet. 
strip_vlan 
Strips the VLAN tag from a packet if it is present. 
push_vlan:ethertype 
Push a new VLAN tag onto the packet. 
push_mpls:ethertype 
If the packet does not already contain any MPLS labels, changes the packet’s Ethertype to ethertype, which must be either the MPLS unicast Ethertype 0x8847 or the MPLS multicast Ethertype 0x8848, and then pushes an initial label stack entry. 
pop_mpls:ethertype 
Strips the outermost MPLS label stack entry. 
mod_dl_src:mac 
Sets the source Ethernet address to mac. 
mod_dl_dst:mac 
Sets the destination Ethernet address to mac. 
mod_nw_src:ip 
Sets the IPv4 source address to ip. 
mod_nw_dst:ip 
Sets the IPv4 destination address to ip. 
mod_tp_src:port 
Sets the TCP or UDP source port to port. 
mod_tp_dst:port 
Sets the TCP or UDP destination port to port. 
mod_nw_tos:tos 
Sets the IPv4 ToS/DSCP field to tos, which must be a multiple of 4 between 0 and 255. 
resubmit([port],[table]) 
Re-searches this OpenFlow flow table (or the table whose number is specified by table) with the in_port field replaced by port (if port is specified). 
set_tunnel:id 
set_tunnel64:id 
If outputting to a port that encapsulates the packet in a tunnel and supports an identifier (such as GRE), sets the identifier to id. 
set_queue:queue 
Sets the queue that should be used to queue when packets are output. 
pop_queue 
Restores the queue to the value it was before any set_queue actions were applied. 
dec_ttl 
dec_ttl[(id1,id2)] 
Decrement TTL of IPv4 packet or hop limit of IPv6 packet. 
set_mpls_ttl:ttl 
Set the TTL of the outer MPLS label stack entry of a packet. ttl should be in the range 0 to 255 inclusive. 
dec_mpls_ttl 
Decrement TTL of the outer MPLS label stack entry of a packet. 
move:src[start..end]->dst[start..end] 
Copies the named bits from field src to field dst. src and dst must be NXM field names as defined in nicira-ext.h, e.g. NXM_OF_UDP_SRC or NXM_NX_REG0. 
Examples: move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31] copies the six bits numbered 0 through 5, inclusive, in register 0 into bits 26 through 31, inclusive; move:NXM_NX_REG0[0..15]->NXM_OF_VLAN_TCI[] copies the least significant 16 bits of register 0 into the VLAN TCI field. 
load:value->dst[start..end] 
Writes value to bits start through end, inclusive, in field dst. 
Example: load:55->NXM_NX_REG2[0..5] loads value 55 (bit pattern 110111) into bits 0 through 5, inclusive, in register 2. 
push:src[start..end] 
Pushes start to end bits inclusive, in fields on top of the stack. 
Example: push:NXM_NX_REG2[0..5] push the value stored in register 2 bits 0 through 5, inclusive, on to the internal stack. 
pop:dst[start..end] 
Pops from the top of the stack, retrieves the start to end bits inclusive, from the value popped and store them into the corresponding bits in dst. 
Example: pop:NXM_NX_REG2[0..5] pops the value from top of the stack. Set register 2 bits 0 through 5, inclusive, based on bits 0 through 5 from the value just popped. 
set_field:value->dst 
Writes the literal value into the field dst, which should be specified as a name used for matching. 
Example: set_field:fe80:0123:4567:890a:a6ba:dbff:fefe:59fa->ipv6_src 
learn(argument[,argument]…) 
This action adds or modifies a flow in an OpenFlow table, similar to ovs-ofctl --strict mod-flows. The arguments specify the flow's match fields, actions, and other properties, as follows: 
idle_timeout=seconds 
hard_timeout=seconds 
priority=value 
These key-value pairs have the same meaning as in the usual ovs−ofctl flow syntax. 
fin_idle_timeout=seconds 
fin_hard_timeout=seconds 
Adds a fin_timeout action with the specified arguments to the new flow. 
table=number 
The table in which the new flow should be inserted. Specify a decimal number between 0 and 254. The default, if table is unspecified, is table 1. 
field=value 
field[start..end]=src[start..end] 
field[start..end] 
Adds a match criterion to the new flow. 
load:value->dst[start..end] 
load:src[start..end]->dst[start..end] 
Adds a load action to the new flow. 
output:field[start..end] 
Add an output action to the new flow’s actions, that outputs to the OpenFlow port taken from field[start..end], which must be an NXM field as described above.
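
The register actions in the reference above (move, load, push, pop and output:src[start..end]) all operate on bit ranges written as field[start..end], with an empty [] meaning the whole field. The following added example, not code from the original post or from Open vSwitch, models that bit-range arithmetic in Python on a small register file so the documented examples (load:55->NXM_NX_REG2[0..5], move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31], output:NXM_NX_REG0[16..31]) can be checked without a switch. The field widths, the dry-run helper check_actions and the rejection of a value that does not fit its range are assumptions of this model.

```python
"""Model NXM register bit-range actions (load/move/push/pop/output)."""

# Assumed field widths in bits: registers are 32-bit, the others 16-bit.
WIDTHS = {**{f"NXM_NX_REG{i}": 32 for i in range(8)},
          "NXM_OF_VLAN_TCI": 16, "NXM_OF_UDP_SRC": 16, "NXM_OF_IN_PORT": 16}


def parse_ref(ref):
    """'NXM_NX_REG0[16..31]' -> ('NXM_NX_REG0', 16, 31); 'FIELD[]' means all bits."""
    name, _, rng = ref.partition("[")
    if name not in WIDTHS:
        raise ValueError(f"unknown field {name}")
    rng = rng.rstrip("]")
    if rng == "":
        return name, 0, WIDTHS[name] - 1
    start, end = (int(x) for x in rng.split(".."))
    if not 0 <= start <= end < WIDTHS[name]:
        raise ValueError(f"bit range {ref} outside {WIDTHS[name]}-bit field")
    return name, start, end


def get_bits(ctx, ref):
    """Extract bits start..end of the field, right-aligned."""
    name, start, end = parse_ref(ref)
    return (ctx.get(name, 0) >> start) & ((1 << (end - start + 1)) - 1)


def set_bits(ctx, ref, value):
    """Write value into bits start..end, leaving the other bits untouched."""
    name, start, end = parse_ref(ref)
    width = end - start + 1
    if value >> width:
        raise ValueError(f"{value} does not fit in {width} bits of {ref}")
    mask = ((1 << width) - 1) << start
    ctx[name] = (ctx.get(name, 0) & ~mask) | (value << start)


def run_actions(actions, ctx, stack=None):
    """Apply a comma-separated action list to register file ctx; return output ports."""
    stack = [] if stack is None else stack
    outputs = []
    for act in actions.split(","):
        kind, _, arg = act.partition(":")
        if kind == "load":                      # load:value->dst[start..end]
            value, dst = arg.split("->")
            set_bits(ctx, dst, int(value, 0))
        elif kind == "move":                    # move:src[a..b]->dst[c..d]
            src, dst = arg.split("->")
            set_bits(ctx, dst, get_bits(ctx, src))
        elif kind == "push":                    # push:src[start..end]
            stack.append(get_bits(ctx, arg))
        elif kind == "pop":                     # pop:dst[start..end]
            _, start, end = parse_ref(arg)
            set_bits(ctx, arg, stack.pop() & ((1 << (end - start + 1)) - 1))
        elif kind == "output":                  # output:port or output:src[start..end]
            outputs.append(int(arg) if arg.isdigit() else get_bits(ctx, arg))
        else:
            raise ValueError(f"unsupported action {act}")
    return outputs


def check_actions(actions, ctx=None):
    """Dry-run on a copy of ctx; return None when it applies cleanly, else the error."""
    try:
        run_actions(actions, dict(ctx or {}), [])
    except (ValueError, IndexError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    regs = {"NXM_NX_REG0": 0b101010}
    run_actions("load:55->NXM_NX_REG2[0..5],move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31]", regs)
    print({k: hex(v) for k, v in regs.items()})
    print(check_actions("load:64->NXM_NX_REG2[0..5]"))   # 64 needs 7 bits
```

A pop with nothing on the stack and a load whose value is wider than its target range are both reported by check_actions, which is the kind of check worth running over a generated action list before installing it.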

This article is reposted from: http://blog.csdn.net/a879365197/article/details/36667019
