Understanding Open vSwitch Flow Tables: Concepts, Match Fields, Actions, and Practical Commands
This article, the second part of the "Open vSwitch Full Analysis" series, explains the structure and operation of OVS flow tables, detailing match fields, actions, priorities, timeouts, and provides practical ovs-ofctl command examples for configuring flows, VLANs, and tunnels such as VXLAN and GRE.
1. Introduction
In Software-Defined Networking (SDN) the core concepts are a three-layer architecture (application, control and forwarding layers) and two interfaces (the southbound and northbound protocols). OpenFlow is the most common southbound protocol; it lets a controller install flow entries in Open vSwitch (OVS). When no controller is present, the ovs-dpctl tool can be used to create, read, update and delete flow table entries.
2. Understanding Flow Tables
A flow table is an abstraction of the forwarding rules used by an OpenFlow switch. A flow is a set of packets with the same match fields; a flow entry describes how to handle such packets. Flow tables contain entries that match on fields such as in_port, dl_src, dl_dst, dl_type, nw_src, nw_dst, etc.
When a packet arrives, OVS checks the flow entries in order of priority (highest first). If a match is found, the entry's actions are executed (for example output, drop, or send to the controller). If no entry matches, the packet is handled by the table-miss entry, if one is configured, or dropped.
Match Fields
Common match fields include:
Field                 Description
in_port=port          Ingress port number
dl_vlan=vlan          VLAN tag (0-4095)
dl_src=<MAC>          Source MAC address
dl_dst=<MAC>          Destination MAC address
dl_type=ethertype     Ethernet type (e.g., 0x0800 for IPv4)
nw_src=ip[/mask]      Source IPv4 address
nw_dst=ip[/mask]      Destination IPv4 address
nw_proto=proto        IP protocol number
tp_src=port           TCP/UDP source port
tp_dst=port           TCP/UDP destination port
Action Types
Action                    Description
output:port               Send packet out of the specified port
drop                      Discard the packet
controller(...)           Send packet to the controller as a PACKET_IN message
mod_vlan_vid:vlan_vid     Modify VLAN ID
strip_vlan                Remove VLAN tag
push_vlan:ethertype       Add a VLAN tag
mod_dl_src:mac            Change source MAC address
mod_nw_src:ip             Change source IP address
(additional actions omitted for brevity)
Priority and Timeout
Priorities range from 0 to 65535; higher numbers are matched first. If two entries have the same priority, the one added earlier wins. Timeouts can be hard (a maximum lifetime regardless of traffic) or idle (expiry after a period in which the entry matched no packet). A timeout of zero means the entry is permanent.
3. Flow Table Experiments
OVS provides the ovs-ofctl command-line tool to manipulate OpenFlow rules.
Display bridge information:
ovs-ofctl show <br-name>
Show current flow entries:
ovs-ofctl dump-flows <br-name>
Add a flow (match fields followed by actions):
ovs-ofctl add-flow <br-name> [match] [actions]
Example: match on ingress port and output to another port:
ovs-ofctl add-flow s1 in_port=1,actions=output:2
Match on MAC address:
ovs-ofctl add-flow s1 dl_src=00:00:00:00:00:01,actions=output:2
Match on IP address and protocol:
ovs-ofctl add-flow s1 dl_type=0x0800,nw_src=10.10.1.80,actions=output:2
Delete the flows matching a condition:
ovs-ofctl del-flows <br-name> <condition>
Clear all flows on a bridge:
ovs-ofctl del-flows <br-name>
Drop matching packets:
ovs-ofctl add-flow s1 priority=12,in_port=2,actions=drop
Setting Flow Priorities
Higher priority flows are matched first.
# Clear existing flows
ovs-ofctl del-flows s1
# Add flows with different priorities
ovs-ofctl add-flow s1 "priority=1,in_port=1,actions=output:2"
ovs-ofctl add-flow s1 "priority=1,in_port=2,actions=output:1"
ovs-ofctl add-flow s1 "priority=2,in_port=1,actions=drop"
Multi-Table Configuration
Packets start matching in table 0. To forward to another table, add a flow that uses goto_table .
# Clear flows
ovs-ofctl del-flows s1
# Add flows in table 1
ovs-ofctl add-flow s1 "table=1,priority=1,in_port=1,actions=output:2"
ovs-ofctl add-flow s1 "table=1,priority=1,in_port=2,actions=output:1"
# Forward from table 0 to table 1
ovs-ofctl add-flow s1 "table=0,actions=goto_table=1"
VLAN Operations
Add a VLAN tag:
ovs-ofctl add-flow s1 "in_port=1,actions=mod_vlan_vid:10,output:2"
Strip a VLAN tag before forwarding:
ovs-ofctl add-flow s1 "priority=1,in_port=1,dl_vlan=10,actions=strip_vlan,output:2"
Match on a specific VLAN ID:
ovs-ofctl add-flow s1 "priority=1,in_port=1,dl_vlan=777,actions=output:2"
Tunnel Configuration
Create a VXLAN interface:
ovs-vsctl add-port br0 vxlan1 -- set Interface vxlan1 type=vxlan options:remote_ip=10.10.1.10 ofport_request=1
Set VXLAN options (TOS, TTL, key, destination port):
ovs-vsctl set Interface vxlan1 options:tos=inherit options:ttl=inherit options:key=123 options:dst_port=8472
Forward traffic through the VXLAN tunnel:
ovs-ofctl add-flow br0 ip,in_port=1,nw_dst=10.10.0.0/16,actions=output:1
Create a GRE interface with a specific port ID:
ovs-vsctl add-port br0 gre1 -- set Interface gre1 type=gre options:remote_ip=1.1.1.1 ofport_request=1001
Set GRE options (inherit TOS/TTL, set key):
ovs-vsctl set Interface gre1 options:tos=inherit options:ttl=inherit options:key=123
Forward traffic through the GRE tunnel:
ovs-ofctl add-flow br0 ip,in_port=1,nw_dst=10.10.0.0/16,actions=output:2
In these flows the output port must be the OpenFlow port number the tunnel interface was given (the value requested with ofport_request), and a plain output action never sends a packet back out of its own in_port, so the ingress port and the tunnel port must differ.
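As an added example (not code from the original article or from the OVS project), here is a small Python simulator of the lookup described in the priority, multi-table and tunnel sections above: it parses ovs-ofctl add-flow style specs, selects by priority, follows goto_table, matches nw_dst=ip/mask, and drops on a table miss. The parse_flow helper and FlowTable class are hypothetical names chosen for this example.

```python
import ipaddress

# Added example (not OVS code): simulate how an OVS flow table picks an entry.
DEFAULT_PRIORITY = 32768  # what OVS assumes when priority= is omitted

def parse_flow(spec):
    """Parse 'table=0,priority=2,in_port=1,actions=drop' into a dict."""
    match_part, _, action_part = spec.partition("actions=")
    fields = {}
    for item in filter(None, match_part.split(",")):
        key, _, val = item.partition("=")
        if key == "ip":  # ovs-ofctl shorthand for dl_type=0x0800
            key, val = "dl_type", "0x0800"
        fields[key] = val
    return {"table": int(fields.pop("table", 0)),
            "priority": int(fields.pop("priority", DEFAULT_PRIORITY)),
            "match": fields, "actions": action_part.split(",")}

def field_matches(value, pattern):
    if value is None:  # packet lacks the field (e.g. nw_dst on a non-IP frame)
        return False
    if "/" in pattern:  # nw_src=ip/mask or nw_dst=ip/mask
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return str(value) == pattern

class FlowTable:
    def __init__(self):
        self.flows = []  # insertion order is kept

    def add_flow(self, spec):
        self.flows.append(parse_flow(spec))

    def lookup(self, packet, table=0):
        """Return the action list applied to packet (dict of field -> value).
        Highest priority first; sorted() is stable, so on equal priority the
        earlier-added entry wins as the article states (the OpenFlow spec
        leaves overlapping equal-priority entries undefined, so avoid them)."""
        candidates = sorted((f for f in self.flows if f["table"] == table),
                            key=lambda f: -f["priority"])
        for flow in candidates:
            if all(field_matches(packet.get(k), v) for k, v in flow["match"].items()):
                applied = []
                for act in flow["actions"]:
                    if act.startswith("goto_table="):  # carry on in another table
                        return applied + self.lookup(packet, int(act.split("=")[1]))
                    applied.append(act)
                return applied
        return ["drop"]  # table miss with no table-miss entry: packet is dropped
```

Feeding the priority experiment above into a FlowTable shows why a packet on port 1 is dropped despite the priority-1 output rule, and a packet on an unlisted port hits the table miss.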