Flow Hardware offload with Linux TC flower

This document describes how to offload flows with TC flower.

Flow Hardware Offload

The flow hardware offload is disabled by default and can be enabled by:

$ ovs-vsctl set Open_vSwitch . other_config:hw-offload=true

TC flower has one additional configuration option caled tc-policy. For more details see man ovs-vswitchd.conf.db.

TC Meter Offload

Offloading meters to TC does not require any additional configuration and is enabled automatically when possible. Offloading with meters does require the tc-police action to be available in the Linux kernel. For more details on the tc-police action, see man tc-police.


There is no parameter change in ovs-ofctl command, to configure a meter and use it for a flow in the offload way. Usually the commands are like:

$ ovs-ofctl -O OpenFlow13 add-meter br0 "meter=1 pktps bands=type=drop rate=1"
$ ovs-ofctl -O OpenFlow13 add-flow br0 "priority=10,in_port=ovs-p0,udp actions=meter:1,normal"

For more details, see man ovs-ofctl.


Each meter is mapped to one TC police action. To avoid conflicts, the police action indexes 0x10000000-0x1fffffff are reserved for this mapping. You can check the police actions using the command tc action ls action police on Linux systems.

Known TC flow offload limitations


These sections describe limitations to the general TC flow offload implementation.

Flow bytes count

Flows that are offloaded with TC do not include the L2 bytes in the packet byte count. Take the datapath flow dump below as an example. The first one is from the none-offloaded case the second one is from a TC offloaded flow:

in_port(2),eth(macs),eth_type(0x0800),ipv4(proto=17,frag=no), packets:10, bytes:470, used:0.001s, actions:outputmeter(0),3

in_port(2),eth(macs),eth_type(0x0800),ipv4(proto=17,frag=no), packets:10, bytes:330, used:0.001s, actions:outputmeter(0),3

As you can see above the none-offload case reports 140 bytes more, which is 14 bytes per packet. This represents the L2 header, in this case, 2 * Ethernet address + Ethertype.

TC Meter Offload

These sections describe limitations related to the TC meter offload implementation.

Missing byte count drop statistics

The kernel’s TC infrastructure is only counting the number of dropped packet, not their byte size. This results in the meter statistics always showing 0 for byte_count. Here is an example:

$ ovs-ofctl -O OpenFlow13 meter-stats br0
OFPST_METER reply (OF1.3) (xid=0x2):
meter:1 flow_count:1 packet_in_count:11 byte_in_count:377 duration:3.199s bands:
0: packet_count:9 byte_count:0

First flow packet not processed by meter

Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing.

Conntrack Application Layer Gateways (ALG)

TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if the ALG keyword is present within the ct() action. However, this will not allow ALGs to work within the datapath, as the return traffic without the ALG keyword might run through a TC rule, which internally will not call the conntrack helper required.

So if ALG support is required, tc offload must be disabled.