Re: [ovs-discuss] Can you match on packet length?
On Mon, Jun 19, 2017 at 03:11:23PM -0700, Joe Stringer wrote:
> On 19 June 2017 at 14:08, Keith Holleman via discuss wrote:
> >
> > Went to add a match rule based on packet length and couldn't find the right
> > term or syntax. Then I searched the ovs-ofctl man page and couldn't find
> > anything. Even more surprising was that I couldn't find an example of this
> > previously being asked on any OVS discussion groups. Couldn't find it in
> > the FAQ either. I know in stating so many places looked I will inevitably
> > get proven wrong but I did try.
> >
> > So... can you add a rule via ovs-ofctl to match on a packet's length?
> > Probably tricky because it would have to have greater-than and less-than
> > semantics and that doesn't play well with the fixed-length matches of
> > OpenFlow. Are there any extensions that enable this? Or any pointers to
> > previous discussions about it?
>
> I don't think there's any such support. The matching in the datapath
> is based on unique bit patterns and masks, so if you wanted to render
> range semantics into that then you would practically end up generating
> several matches, one for each bitpattern within the range. I could
> imagine that if the packet length were matchable then worst case we
> could end up generating a different datapath flow for each possible
> packet length (or at least one per power-of-two bit up to the argument
> for lt/gt).

An arbitrary integer range over an N-bit field requires no more than 2N
bitwise matches.

The OpenFlow working group declined to define this kind of match on the
basis, among others, that the length of a packet is rather difficult to
define. Also, no one seemed to have a really good use case for it. The
main one raised was some kind of vague "security" justification.
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
Re: [ovs-discuss] Can you match on packet length?
On 19 June 2017 at 14:08, Keith Holleman via discuss wrote:
>
> Went to add a match rule based on packet length and couldn't find the right
> term or syntax. Then I searched the ovs-ofctl man page and couldn't find
> anything. Even more surprising was that I couldn't find an example of this
> previously being asked on any OVS discussion groups. Couldn't find it in
> the FAQ either. I know in stating so many places looked I will inevitably
> get proven wrong but I did try.
>
> So... can you add a rule via ovs-ofctl to match on a packet's length?
> Probably tricky because it would have to have greater-than and less-than
> semantics and that doesn't play well with the fixed-length matches of
> OpenFlow. Are there any extensions that enable this? Or any pointers to
> previous discussions about it?

I don't think there's any such support. The matching in the datapath
is based on unique bit patterns and masks, so if you wanted to render
range semantics into that then you would practically end up generating
several matches, one for each bitpattern within the range. I could
imagine that if the packet length were matchable then worst case we
could end up generating a different datapath flow for each possible
packet length (or at least one per power-of-two bit up to the argument
for lt/gt).

Perhaps in more limited situations, you could avoid massive microflow
explosion, for example if you only wanted to match packets of size
1024-2043:

pkt_size=0x0400/0xfc00

That is to say, match the packet size bit 2^10 (i.e., 1024), match
zero-value for bits 2^11 and up, and mask out (ignore) bits for 2^0 up
to 2^9. To also match anything from 512 upwards, you would also need a
match like this:

pkt_size=0x0200/0xfe00

But if the match didn't align with power-of-two boundaries then the
matching would get quite complicated.

Cheers,
Joe
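Added example, not part of the original thread and not OVS code: a sketch of how an arbitrary length range expands into the value/mask matches discussed in the two replies above, which also shows the "no more than 2N" bound for unaligned ranges. It assumes a 16-bit length field; `pkt_size` is the hypothetical field name from the message above, which per the thread OVS does not support.

```python
"""Expand an integer range into value/mask matches (constructed example)."""

def range_to_masks(lo, hi, bits=16):
    """Return (value, mask) pairs whose union matches exactly lo..hi inclusive."""
    if not 0 <= lo <= hi < (1 << bits):
        raise ValueError("need 0 <= lo <= hi < 2**bits")
    full = (1 << bits) - 1
    rules = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo...
        size = (lo & -lo) if lo else (1 << bits)
        # ...shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        # Bits below the block size are wildcarded (mask bit 0 = ignore).
        rules.append((lo, full & ~(size - 1)))
        lo += size
    return rules

def matches(length, rules):
    """True if any value/mask rule matches this length."""
    return any((length & mask) == value for value, mask in rules)

def render(rules, field="pkt_size"):
    # "pkt_size" is the hypothetical field name from the thread, not an OVS field.
    return ["%s=0x%04x/0x%04x" % (field, v, m) for v, m in rules]

if __name__ == "__main__":
    # Constructed sample ranges: two aligned, two unaligned.
    for lo, hi in [(1024, 2047), (512, 2047), (64, 1518), (1, 65534)]:
        rules = range_to_masks(lo, hi)
        print("%d..%d -> %d matches" % (lo, hi, len(rules)))
        for line in render(rules):
            print("   ", line)
```

The aligned block 1024..2047 collapses to a single match, while the unaligned range 1..65534 needs 30 matches for a 16-bit field, which stays under the 2N = 32 bound.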
[ovs-discuss] Can you match on packet length?
Went to add a match rule based on packet length and couldn't find the right
term or syntax. Then I searched the ovs-ofctl man page and couldn't find
anything. Even more surprising was that I couldn't find an example of this
previously being asked on any OVS discussion groups. Couldn't find it in
the FAQ either. I know in stating so many places looked I will inevitably
get proven wrong but I did try.

So... can you add a rule via ovs-ofctl to match on a packet's length?
Probably tricky because it would have to have greater-than and less-than
semantics and that doesn't play well with the fixed-length matches of
OpenFlow. Are there any extensions that enable this? Or any pointers to
previous discussions about it?

-K