.\" -*- nroff -*- .\" -*- nroff -*- .\" ovs.tmac .\" .\" Open vSwitch troff macro library . . .\" Continuation line for .IP. .de IQ . br . ns . IP "\\$1" .. . .\" Introduces a sub-subsection .de ST . PP . RS -0.15in . I "\\$1" . RE .. . .\" The content between the lines below is from an-ext.tmac in groff .\" 1.21, with some modifications. .\" ---------------------------------------------------------------------- .\" an-ext.tmac .\" .\" Written by Eric S. Raymond .\" Werner Lemberg .\" .\" Version 2007-Feb-02 .\" .\" Copyright (C) 2007, 2009, 2011 Free Software Foundation, Inc. .\" You may freely use, modify and/or distribute this file. .\" .\" .\" The code below provides extension macros for the `man' macro package. .\" Care has been taken to make the code portable; groff extensions are .\" properly hidden so that all troff implementations can use it without .\" changes. .\" .\" With groff, this file is sourced by the `man' macro package itself. .\" Man page authors who are concerned about portability might add the .\" used macros directly to the prologue of the man page(s). . . .\" Convention: Auxiliary macros and registers start with `m' followed .\" by an uppercase letter or digit. . . .\" Declare start of command synopsis. Sets up hanging indentation. .de SY . ie !\\n(mS \{\ . nh . nr mS 1 . nr mA \\n(.j . ad l . nr mI \\n(.i . \} . el \{\ . br . ns . \} . . HP \w'\fB\\$1\fP\ 'u . B "\\$1" .. . . .\" End of command synopsis. Restores adjustment. .de YS . in \\n(mIu . ad \\n(mA . hy \\n(HY . nr mS 0 .. . . .\" Declare optional option. .de OP . ie \\n(.$-1 \ . RI "[\fB\\$1\fP" "\ \\$2" "]" . el \ . RB "[" "\\$1" "]" .. . . .\" Start URL. .de UR . ds m1 \\$1\" . nh . if \\n(mH \{\ . \" Start diversion in a new environment. . do ev URL-div . do di URL-div . \} .. . . .\" End URL. .de UE . ie \\n(mH \{\ . br . di . ev . . \" Has there been one or more input lines for the link text? . ie \\n(dn \{\ . do HTML-NS "" . 
\" Yes, strip off final newline of diversion and emit it. . do chop URL-div . do URL-div \c . do HTML-NS . \} . el \ . do HTML-NS "\\*(m1" \&\\$*\" . \} . el \ \\*(la\\*(m1\\*(ra\\$*\" . . hy \\n(HY .. . . .\" Start email address. .de MT . ds m1 \\$1\" . nh . if \\n(mH \{\ . \" Start diversion in a new environment. . do ev URL-div . do di URL-div . \} .. . . .\" End email address. .de ME . ie \\n(mH \{\ . br . di . ev . . \" Has there been one or more input lines for the link text? . ie \\n(dn \{\ . do HTML-NS "" . \" Yes, strip off final newline of diversion and emit it. . do chop URL-div . do URL-div \c . do HTML-NS . \} . el \ . do HTML-NS "\\*(m1" \&\\$*\" . \} . el \ \\*(la\\*(m1\\*(ra\\$*\" . . hy \\n(HY .. . . .\" Continuation line for .TP header. .de TQ . br . ns . TP \\$1\" no doublequotes around argument! .. . . .\" Start example. .de EX . nr mE \\n(.f . nf . nh . ft CW .. . . .\" End example. .de EE . ft \\n(mE . fi . hy \\n(HY .. . .\" EOF .\" ---------------------------------------------------------------------- .TH ovs\-ofctl 8 "2.15.0" "Open vSwitch" "Open vSwitch Manual" .ds PN ovs\-ofctl . .SH NAME ovs\-ofctl \- administer OpenFlow switches . .SH SYNOPSIS .B ovs\-ofctl [\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...] . .SH DESCRIPTION The .B ovs\-ofctl program is a command line tool for monitoring and administering OpenFlow switches. It can also show the current state of an OpenFlow switch, including features, configuration, and table entries. It should work with any OpenFlow switch, not just Open vSwitch. . .SS "OpenFlow Switch Management Commands" .PP These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow switch. It is able to show the current state of a switch, including features, configuration, and table entries. .PP Most of these commands take an argument that specifies the method for connecting to an OpenFlow switch. The following connection methods are supported: . 
.RS .IP "\fBssl:\fIhost\fR[\fB:\fIport\fR]" .IQ "\fBtcp:\fIhost\fR[\fB:\fIport\fR]" The specified \fIport\fR on the given \fIhost\fR, which can be expressed either as a DNS name (if built with unbound library) or an IP address in IPv4 or IPv6 address format. Wrap IPv6 addresses in square brackets, e.g. \fBtcp:[::1]:6653\fR. On Linux, use \fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses, e.g. \fBtcp:[fe80::1234%eth0]:6653\fR. For \fBssl\fR, the \fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR options are mandatory. .IP If \fIport\fR is not specified, it defaults to 6653. .TP \fBunix:\fIfile\fR On POSIX, a Unix domain server socket named \fIfile\fR. .IP On Windows, connect to a local named pipe that is represented by a file created in the path \fIfile\fR to mimic the behavior of a Unix domain socket. . .IP "\fIfile\fR" This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not contain a colon. . .IP \fIbridge\fR This is short for \fBunix:/var/run/openvswitch/\fIbridge\fB.mgmt\fR, as long as \fIbridge\fR does not contain a colon. . .IP [\fItype\fB@\fR]\fIdp\fR Attempts to look up the bridge associated with \fIdp\fR and open as above. If \fItype\fR is given, it specifies the datapath provider of \fIdp\fR, otherwise the default provider \fBsystem\fR is assumed. .RE . .TP \fBshow \fIswitch\fR Prints to the console information on \fIswitch\fR, including information on its flow tables and ports. . .TP \fBdump\-tables \fIswitch\fR Prints to the console statistics for each of the flow tables used by \fIswitch\fR. .TP \fBdump\-table\-features \fIswitch\fR Prints to the console features for each of the flow tables used by \fIswitch\fR. .TP \fBdump\-table\-desc \fIswitch\fR Prints to the console configuration for each of the flow tables used by \fIswitch\fR for OpenFlow 1.4+. 
.IP "\fBmod\-table \fIswitch\fR \fItable\fR \fIsetting\fR" This command configures flow table settings in \fIswitch\fR for OpenFlow table \fItable\fR, which may be expressed as a number or (unless \fB\-\-no\-names\fR is specified) a name. .IP The available settings depend on the OpenFlow version in use. In OpenFlow 1.1 and 1.2 (which must be enabled with the \fB\-O\fR option) only, \fBmod\-table\fR configures behavior when no flow is found when a packet is looked up in a flow table. The following \fIsetting\fR values are available: .RS .IP \fBdrop\fR Drop the packet. .IP \fBcontinue\fR Continue to the next table in the pipeline. (This is how an OpenFlow 1.0 switch always handles packets that do not match any flow, in tables other than the last one.) .IP \fBcontroller\fR Send to controller. (This is how an OpenFlow 1.0 switch always handles packets that do not match any flow in the last table.) .RE .IP In OpenFlow 1.3 and later (which must be enabled with the \fB\-O\fR option) and Open vSwitch 2.11 and later only, \fBmod\-table\fR can change the name of a table: .RS .IP \fBname:\fInew-name\fR Changes the name of the table to \fInew-name\fR. Use an empty \fInew-name\fR to clear the name. (This will be ineffective if the name is set via the \fBname\fR column in the \fBFlow_Table\fR table in the \fBOpen_vSwitch\fR database as described in \fBovs\-vswitchd.conf.db\fR(5).) .RE .IP In OpenFlow 1.4 and later (which must be enabled with the \fB\-O\fR option) only, \fBmod\-table\fR configures the behavior when a controller attempts to add a flow to a flow table that is full. The following \fIsetting\fR values are available: .RS .IP \fBevict\fR Delete some existing flow from the flow table, according to the algorithm described for the \fBFlow_Table\fR table in \fBovs-vswitchd.conf.db\fR(5). .IP \fBnoevict\fR Refuse to add the new flow. 
(Eviction might still be enabled through the \fBoverflow_policy\fR column in the \fBFlow_Table\fR table documented in \fBovs-vswitchd.conf.db\fR(5).) .IP \fBvacancy:\fIlow\fB,\fIhigh\fR Enables sending vacancy events to controllers using \fBTABLE_STATUS\fR messages, based on percentage thresholds \fIlow\fR and \fIhigh\fR. .IP \fBnovacancy\fR Disables vacancy events. .RE . .TP \fBdump\-ports \fIswitch\fR [\fInetdev\fR] Prints to the console statistics for network devices associated with \fIswitch\fR. If \fInetdev\fR is specified, only the statistics associated with that device will be printed. \fInetdev\fR can be an OpenFlow assigned port number or device name, e.g. \fBeth0\fR. . .IP "\fBdump\-ports\-desc \fIswitch\fR [\fIport\fR]" Prints to the console detailed information about network devices associated with \fIswitch\fR. To dump only a specific port, specify its number as \fIport\fR. Otherwise, if \fIport\fR is omitted, or if it is specified as \fBANY\fR, then all ports are printed. This is a subset of the information provided by the \fBshow\fR command. .IP If the connection to \fIswitch\fR negotiates OpenFlow 1.0, 1.2, or 1.2, this command uses an OpenFlow extension only implemented in Open vSwitch (version 1.7 and later). .IP Only OpenFlow 1.5 and later support dumping a specific port. Earlier versions of OpenFlow always dump all ports. . .IP "\fBmod\-port \fIswitch\fR \fIport\fR \fIaction\fR" Modify characteristics of port \fBport\fR in \fIswitch\fR. \fIport\fR may be an OpenFlow port number or name (unless \fB\-\-no\-names\fR is specified) or the keyword \fBLOCAL\fR (the preferred way to refer to the OpenFlow local port). The \fIaction\fR may be any one of the following: . .RS .IQ \fBup\fR .IQ \fBdown\fR Enable or disable the interface. This is equivalent to \fBip link set up\fR or \fBip link set down\fR on a Unix system. . .IP \fBstp\fR .IQ \fBno\-stp\fR Enable or disable 802.1D spanning tree protocol (STP) on the interface. 
OpenFlow implementations that don't support STP will refuse to enable it. . .IP \fBreceive\fR .IQ \fBno\-receive\fR .IQ \fBreceive\-stp\fR .IQ \fBno\-receive\-stp\fR Enable or disable OpenFlow processing of packets received on this interface. When packet processing is disabled, packets will be dropped instead of being processed through the OpenFlow table. The \fBreceive\fR or \fBno\-receive\fR setting applies to all packets except 802.1D spanning tree packets, which are separately controlled by \fBreceive\-stp\fR or \fBno\-receive\-stp\fR. . .IP \fBforward\fR .IQ \fBno\-forward\fR Allow or disallow forwarding of traffic to this interface. By default, forwarding is enabled. . .IP \fBflood\fR .IQ \fBno\-flood\fR Controls whether an OpenFlow \fBflood\fR action will send traffic out this interface. By default, flooding is enabled. Disabling flooding is primarily useful to prevent loops when a spanning tree protocol is not in use. . .IP \fBpacket\-in\fR .IQ \fBno\-packet\-in\fR Controls whether packets received on this interface that do not match a flow table entry generate a ``packet in'' message to the OpenFlow controller. By default, ``packet in'' messages are enabled. .RE .IP The \fBshow\fR command displays (among other information) the configuration that \fBmod\-port\fR changes. . .IP "\fBget\-frags \fIswitch\fR" Prints \fIswitch\fR's fragment handling mode. See \fBset\-frags\fR, below, for a description of each fragment handling mode. .IP The \fBshow\fR command also prints the fragment handling mode among its other output. . .IP "\fBset\-frags \fIswitch frag_mode\fR" Configures \fIswitch\fR's treatment of IPv4 and IPv6 fragments. The choices for \fIfrag_mode\fR are: .RS .IP "\fBnormal\fR" Fragments pass through the flow table like non-fragmented packets. The TCP ports, UDP ports, and ICMP type and code fields are always set to 0, even for fragments where that information would otherwise be available (fragments with offset 0). 
This is the default fragment handling mode for an OpenFlow switch. .IP "\fBdrop\fR" Fragments are dropped without passing through the flow table. .IP "\fBreassemble\fR" The switch reassembles fragments into full IP packets before passing them through the flow table. Open vSwitch does not implement this fragment handling mode. .IP "\fBnx\-match\fR" Fragments pass through the flow table like non-fragmented packets. The TCP ports, UDP ports, and ICMP type and code fields are available for matching for fragments with offset 0, and set to 0 in fragments with nonzero offset. This mode is a Nicira extension. .RE .IP See the description of \fBip_frag\fR, in \fBovs\-fields\fR(7), for a way to match on whether a packet is a fragment and on its fragment offset. . .TP \fBdump\-flows \fIswitch \fR[\fIflows\fR] Prints to the console all flow entries in \fIswitch\fR's tables that match \fIflows\fR. If \fIflows\fR is omitted, all flows in the switch are retrieved. See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR. The output format is described in \fBTable Entry Output\fR. . .IP By default, \fBovs\-ofctl\fR prints flow entries in the same order that the switch sends them, which is unlikely to be intuitive or consistent. Use \fB\-\-sort\fR and \fB\-\-rsort\fR to control display order. The \fB\-\-names\fR/\fB\-\-no\-names\fR and \fB\-\-stats\fR/\fB\-\-no\-stats\fR options also affect output formatting. See the descriptions of these options, under \fBOPTIONS\fR below, for more information . .TP \fBdump\-aggregate \fIswitch \fR[\fIflows\fR] Prints to the console aggregate statistics for flows in \fIswitch\fR's tables that match \fIflows\fR. If \fIflows\fR is omitted, the statistics are aggregated across all flows in the switch's flow tables. See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR. The output format is described in \fBTable Entry Output\fR. . 
.IP "\fBqueue\-stats \fIswitch \fR[\fIport \fR[\fIqueue\fR]]" Prints to the console statistics for the specified \fIqueue\fR on \fIport\fR within \fIswitch\fR. \fIport\fR can be an OpenFlow port number or name, the keyword \fBLOCAL\fR (the preferred way to refer to the OpenFlow local port), or the keyword \fBALL\fR. Either of \fIport\fR or \fIqueue\fR or both may be omitted (or equivalently the keyword \fBALL\fR). If both are omitted, statistics are printed for all queues on all ports. If only \fIqueue\fR is omitted, then statistics are printed for all queues on \fIport\fR; if only \fIport\fR is omitted, then statistics are printed for \fIqueue\fR on every port where it exists. . .IP "\fBqueue\-get\-config \fIswitch \fR[\fIport \fR[\fIqueue\fR]]" Prints to the console the configuration of \fIqueue\fR on \fIport\fR in \fIswitch\fR. If \fIport\fR is omitted or \fBANY\fR, reports queues for all ports. If \fIqueue\fR is omitted or \fBANY\fR, reports all queues. For OpenFlow 1.3 and earlier, the output always includes all queues, ignoring \fIqueue\fR if specified. .IP This command has limited usefulness, because ports often have no configured queues and because the OpenFlow protocol provides only very limited information about the configuration of a queue. . .IP "\fBdump\-ipfix\-bridge \fIswitch\fR" Prints to the console the statistics of bridge IPFIX for \fIswitch\fR. If bridge IPFIX is configured on the \fIswitch\fR, IPFIX statistics can be retrieved. Otherwise, an error message is printed. .IP This command uses an Open vSwitch extension that is only in Open vSwitch 2.6 and later. . .IP "\fBdump\-ipfix\-flow \fIswitch\fR" Prints to the console the statistics of flow-based IPFIX for \fIswitch\fR. If flow-based IPFIX is configured on the \fIswitch\fR, statistics of all the collector set ids on the \fIswitch\fR will be printed. Otherwise, an error message is printed. .IP Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on configuring flow based IPFIX and collector set ids. 
.IP This command uses an Open vSwitch extension that is only in Open vSwitch 2.6 and later. . .IP "\fBct\-flush\-zone \fIswitch zone\fR" Flushes the connection tracking entries in \fIzone\fR on \fIswitch\fR. .IP This command uses an Open vSwitch extension that is only in Open vSwitch 2.6 and later. . .SS "OpenFlow Switch Flow Table Commands" . These commands manage the flow table in an OpenFlow switch. In each case, \fIflow\fR specifies a flow entry in the format described in \fBFlow Syntax\fR, below, \fIfile\fR is a text file that contains zero or more flows in the same syntax, one per line, and the optional \fB\-\-bundle\fR option operates the command as a single atomic transaction; see option \fB\-\-bundle\fR, below. . .IP "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch flow\fR" .IQ "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch \fB\- < \fIfile\fR" .IQ "[\fB\-\-bundle\fR] \fBadd\-flows \fIswitch file\fR" Add each flow entry to \fIswitch\fR's tables. . Each flow specification (e.g., each line in \fIfile\fR) may start with \fBadd\fR, \fBmodify\fR, \fBdelete\fR, \fBmodify_strict\fR, or \fBdelete_strict\fR keyword to specify whether a flow is to be added, modified, or deleted, and whether the modify or delete is strict or not. For backwards compatibility a flow specification without one of these keywords is treated as a flow add. All flow mods are executed in the order specified. . .IP "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR" .IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR" Modify the actions in entries from \fIswitch\fR's tables that match the specified flows. With \fB\-\-strict\fR, wildcards are not treated as active for matching purposes. . .IP "[\fB\-\-bundle\fR] \fBdel\-flows \fIswitch\fR" .IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]" .IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR" Deletes entries from \fIswitch\fR's flow table. 
With only a \fIswitch\fR argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows. With \fB\-\-strict\fR, wildcards are not treated as active for matching purposes. . .IP "[\fB\-\-bundle\fR] [\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR" Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is \fB\-\fR) and queries the flow table from \fIswitch\fR. Then it fixes up any differences, adding flows from \fIfile\fR that are missing on \fIswitch\fR, deleting flows from \fIswitch\fR that are not in \fIfile\fR, and updating flows in \fIswitch\fR whose actions, cookie, or timeouts differ in \fIfile\fR. . .IP With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from \fIfile\fR, even those that exist with the same actions, cookie, and timeout in \fIswitch\fR. In OpenFlow 1.0 and 1.1, re-adding a flow always resets the flow's packet and byte counters to 0, and in OpenFlow 1.2 and later, it does so only if the \fBreset_counts\fR flag is set. . .IP "\fBdiff\-flows \fIsource1 source2\fR" Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the differences. A flow that is in \fIsource1\fR but not in \fIsource2\fR is printed preceded by a \fB\-\fR, and a flow that is in \fIsource2\fR but not in \fIsource1\fR is printed preceded by a \fB+\fR. If a flow exists in both \fIsource1\fR and \fIsource2\fR with different actions, cookie, or timeouts, then both versions are printed preceded by \fB\-\fR and \fB+\fR, respectively. .IP \fIsource1\fR and \fIsource2\fR may each name a file or a switch. If a name begins with \fB/\fR or \fB.\fR, then it is considered to be a file name. A name that contains \fB:\fR is considered to be a switch. Otherwise, it is a file if a file by that name exists, a switch if not. .IP For this command, an exit status of 0 means that no differences were found, 1 means that an error occurred, and 2 means that some differences were found. . 
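.PP
Added example (not part of the Open vSwitch manual): a POSIX shell wrapper that uses the \fBdiff\-flows\fR exit statuses described above to compare a switch against a reviewed baseline file and to report flow-table drift separately from errors. The function names, the \fBOVS_OFCTL\fR override variable, and the report wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Open vSwitch manual.
# OVS_OFCTL (assumed name) lets the binary be overridden, e.g. for testing.
OVS_OFCTL=${OVS_OFCTL:-ovs-ofctl}

# diff-flows decides per argument whether it names a file or a switch.
# A name beginning with "/" or "." is always a file, so force that form
# for the baseline; otherwise a missing baseline file would silently be
# looked up as a switch.
as_file_arg() {
    case "$1" in
        /*|.*) printf '%s\n' "$1" ;;
        *)     printf './%s\n' "$1" ;;
    esac
}

# check_flow_drift BASELINE SWITCH
# Returns 0 when the switch matches the baseline, 2 when flows differ,
# and 1 when the comparison could not be made (same meaning as the
# diff-flows exit status).
check_flow_drift() {
    baseline=$(as_file_arg "$1")
    switch=$2
    if [ ! -r "$baseline" ]; then
        echo "error: baseline $baseline is not readable" >&2
        return 1
    fi
    # "&& ... || ..." keeps the status even when the caller uses "set -e".
    out=$("$OVS_OFCTL" diff-flows "$baseline" "$switch") && status=0 || status=$?
    case $status in
    0)  echo "clean: $switch matches $baseline" ;;
    2)  echo "drift: $switch differs from $baseline"
        # source1 is the baseline, so "-" lines are baseline flows that
        # the switch lacks and "+" lines are flows only the switch has.
        # A changed flow shows up as one "-" line and one "+" line.
        printf '%s\n' "$out" | while IFS= read -r line; do
            case "$line" in
                -*) echo "  missing on switch: ${line#-}" ;;
                +*) echo "  not in baseline:   ${line#+}" ;;
            esac
        done ;;
    *)  echo "error: diff-flows exited with status $status" >&2
        status=1 ;;
    esac
    return "$status"
}
```

Treat a return value of 1 as "state unknown" rather than "no drift", so that an unreachable switch does not pass the check.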
.IP "\fBpacket\-out \fIswitch\fR \fIpacket-out\fR" Connects to \fIswitch\fR and instructs it to execute the \fIpacket-out\fR OpenFlow message, specified as defined in the \fBPacket\-Out Syntax\fR section. . .SS "Group Table Commands" . These commands manage the group table in an OpenFlow switch. In each case, \fIgroup\fR specifies a group entry in the format described in \fBGroup Syntax\fR, below, and \fIfile\fR is a text file that contains zero or more groups in the same syntax, one per line, and the optional \fB\-\-bundle\fR option operates the command as a single atomic transaction; see option \fB\-\-bundle\fR, below. .PP The group commands work only with switches that support OpenFlow 1.1 or later or the Open vSwitch group extensions to OpenFlow 1.0 (added in Open vSwitch 2.9.90). For OpenFlow 1.1 or later, it is necessary to explicitly enable these protocol versions in \fBovs\-ofctl\fR (using \fB\-O\fR). For more information, see ``Q: What versions of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ. . .IP "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch group\fR" .IQ "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch \fB\- < \fIfile\fR" .IQ "[\fB\-\-bundle\fR] \fBadd\-groups \fIswitch file\fR" Add each group entry to \fIswitch\fR's tables. . Each group specification (e.g., each line in \fIfile\fR) may start with \fBadd\fR, \fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR, \fBinsert_bucket\fR, or \fBremove_bucket\fR keyword to specify whether a group is to be added, modified, or deleted, or whether a group bucket is to be added or removed. For backwards compatibility a group specification without one of these keywords is treated as a group add. All group mods are executed in the order specified. . .IP "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch group\fR" .IQ "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch \fB\- < \fIfile\fR" Modify the action buckets in entries from \fIswitch\fR's tables for each group entry. 
If a specified group does not already exist, then without \fB\-\-may\-create\fR, this command has no effect; with \fB\-\-may\-create\fR, it creates a new group. The \fB\-\-may\-create\fR option uses an Open vSwitch extension to OpenFlow only implemented in Open vSwitch 2.6 and later. . .IP "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch\fR" .IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fR[\fIgroup\fR]" .IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fB\- < \fIfile\fR" Deletes entries from \fIswitch\fR's group table. With only a \fIswitch\fR argument, deletes all groups. Otherwise, deletes the group for each group entry. . .IP "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch group\fR" .IQ "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch \fB\- < \fIfile\fR" Add buckets to an existing group present in the \fIswitch\fR's group table. If no \fIcommand_bucket_id\fR is present in the group specification then all buckets of the group are removed. . .IP "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch group\fR" .IQ "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch \fB\- < \fIfile\fR" Remove buckets from an existing group present in the \fIswitch\fR's group table. If no \fIcommand_bucket_id\fR is present in the group specification then all buckets of the group are removed. . .IP "\fBdump\-groups \fIswitch\fR [\fIgroup\fR]" Prints group entries in \fIswitch\fR's tables to the console. To dump only a specific group, specify its number as \fIgroup\fR. Otherwise, if \fIgroup\fR is omitted, or if it is specified as \fBALL\fR, then all groups are printed. .IP Only OpenFlow 1.5 and later support dumping a specific group. Earlier versions of OpenFlow always dump all groups. . .IP "\fBdump\-group\-features \fIswitch\fR" Prints to the console the group features of the \fIswitch\fR. . .IP "\fBdump\-group\-stats \fIswitch \fR[\fIgroup\fR]" Prints to the console statistics for the specified \fIgroup\fR in \fIswitch\fR's tables. 
If \fIgroup\fR is omitted then statistics for all groups are printed. . .SS "OpenFlow 1.3+ Switch Meter Table Commands" . These commands manage the meter table in an OpenFlow switch. In each case, \fImeter\fR specifies a meter entry in the format described in \fBMeter Syntax\fR, below. . .PP OpenFlow 1.3 introduced support for meters, so these commands only work with switches that support OpenFlow 1.3 or later. It is necessary to explicitly enable these protocol versions in \fBovs\-ofctl\fR (using \fB\-O\fR) and in the switch itself (with the \fBprotocols\fR column in the \fBBridge\fR table). For more information, see ``Q: What versions of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ. . .IP "\fBadd\-meter \fIswitch meter\fR" Add a meter entry to \fIswitch\fR's tables. The \fImeter\fR syntax is described in section \fBMeter Syntax\fR, below. . .IP "\fBmod\-meter \fIswitch meter\fR" Modify an existing meter. . .IP "\fBdel\-meters \fIswitch\fR [\fImeter\fR]" Delete entries from \fIswitch\fR's meter table. To delete only a specific meter, specify its number as \fImeter\fR. Otherwise, if \fImeter\fR is omitted, or if it is specified as \fBall\fR, then all meters are deleted. . .IP "\fBdump\-meters \fIswitch\fR [\fImeter\fR]" Print entries from \fIswitch\fR's meter table. To print only a specific meter, specify its number as \fImeter\fR. Otherwise, if \fImeter\fR is omitted, or if it is specified as \fBall\fR, then all meters are printed. . .IP "\fBmeter\-stats \fIswitch\fR [\fImeter\fR]" Print meter statistics. \fImeter\fR can specify a single meter with syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR. . .IP "\fBmeter\-features \fIswitch\fR" Print meter features. . .SS OpenFlow Switch Bundle Command . Transactional updates to both flow and group tables can be made with the \fBbundle\fR command. 
\fIfile\fR is a text file that contains zero or more flow mods, group mods, or packet-outs in \fBFlow Syntax\fR, \fBGroup Syntax\fR, or \fBPacket\-Out Syntax\fR, each line preceded by \fBflow\fR, \fBgroup\fR, or \fBpacket\-out\fR keyword, correspondingly. The \fBflow\fR keyword may be optionally followed by one of the keywords \fBadd\fR, \fBmodify\fR, \fBmodify_strict\fR, \fBdelete\fR, or \fBdelete_strict\fR, of which the \fBadd\fR is assumed if a bare \fBflow\fR is given. Similarly, the \fBgroup\fR keyword may be optionally followed by one of the keywords \fBadd\fR, \fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR, \fBinsert_bucket\fR, or \fBremove_bucket\fR, of which the \fBadd\fR is assumed if a bare \fBgroup\fR is given. . .IP "\fBbundle \fIswitch file\fR" Execute all flow and group mods in \fIfile\fR as a single atomic transaction against \fIswitch\fR's tables. All bundled mods are executed in the order specified. . .SS "OpenFlow Switch Tunnel TLV Table Commands" . Open vSwitch maintains a mapping table between tunnel option TLVs (defined by ) and NXM fields \fBtun_metadata\fIn\fR, where \fIn\fR ranges from 0 to 63, that can be operated on for the purposes of matches, actions, etc. This TLV table can be used for Geneve option TLVs or other protocols with options in same TLV format as Geneve options. This mapping must be explicitly specified by the user through the following commands. A TLV mapping is specified with the syntax \fB{class=\fIclass\fB,type=\fItype\fB,len=\fIlength\fB}->tun_metadata\fIn\fR. When an option mapping exists for a given \fBtun_metadata\fIn\fR, matching on the defined field becomes possible, e.g.: .RS ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0" .PP ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller .RE A mapping should not be changed while it is in active use by a flow. The result of doing so is undefined. These commands are Nicira extensions to OpenFlow and require Open vSwitch 2.5 or later. 
.IP "\fBadd\-tlv\-map \fIswitch option\fR[\fB,\fIoption\fR]..." Add each \fIoption\fR to \fIswitch\fR's tables. Duplicate fields are rejected. . .IP "\fBdel\-tlv\-map \fIswitch \fR[\fIoption\fR[\fB,\fIoption\fR]]..." Delete each \fIoption\fR from \fIswitch\fR's table, or all option TLV mapping if no \fIoption\fR is specified. Fields that aren't mapped are ignored. . .IP "\fBdump\-tlv\-map \fIswitch\fR" Show the currently mapped fields in the switch's option table as well as switch capabilities. . .SS "OpenFlow Switch Monitoring Commands" . .IP "\fBsnoop \fIswitch\fR" Connects to \fIswitch\fR and prints to the console all OpenFlow messages received. Unlike other \fBovs\-ofctl\fR commands, if \fIswitch\fR is the name of a bridge, then the \fBsnoop\fR command connects to a Unix domain socket named \fB/var/run/openvswitch/\fIswitch\fB.snoop\fR. \fBovs\-vswitchd\fR listens on such a socket for each bridge and sends to it all of the OpenFlow messages sent to or received from its configured OpenFlow controller. Thus, this command can be used to view OpenFlow protocol activity between a switch and its controller. .IP When a switch has more than one controller configured, only the traffic to and from a single controller is output. If none of the controllers is configured as a primary or a secondary (using a Nicira extension to OpenFlow 1.0 or 1.1, or a standard request in OpenFlow 1.2 or later), then a controller is chosen arbitrarily among them. If there is a primary controller, it is chosen; otherwise, if there are any controllers that are not primaries or secondaries, one is chosen arbitrarily; otherwise, a secondary controller is chosen arbitrarily. This choice is made once at connection time and does not change as controllers reconfigure their roles. .IP If a switch has no controller configured, or if the configured controller is disconnected, no traffic is sent, so monitoring will not show any traffic. . 
.IP "\fBmonitor \fIswitch\fR [\fImiss-len\fR] [\fBinvalid_ttl\fR] [\fBwatch:\fR[\fIspec\fR...]]" Connects to \fIswitch\fR and prints to the console all OpenFlow messages received. Usually, \fIswitch\fR should specify the name of a bridge in the \fBovs\-vswitchd\fR database. This is available only in OpenFlow 1.0 as Nicira extension. .IP If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set configuration'' message at connection setup time that requests \fImiss-len\fR bytes of each packet that misses the flow table. Open vSwitch does not send these and other asynchronous messages to an \fBovs\-ofctl monitor\fR client connection unless a nonzero value is specified on this argument. (Thus, if \fImiss\-len\fR is not specified, very little traffic will ordinarily be printed.) .IP If \fBinvalid_ttl\fR is passed, \fBovs\-ofctl\fR sends an OpenFlow ``set configuration'' message at connection setup time that requests \fBINVALID_TTL_TO_CONTROLLER\fR, so that \fBovs\-ofctl monitor\fR can receive ``packet-in'' messages when TTL reaches zero on \fBdec_ttl\fR action. Only OpenFlow 1.1 and 1.2 support \fBinvalid_ttl\fR; Open vSwitch also implements it for OpenFlow 1.0 as an extension. .IP \fBwatch:\fR[\fB\fIspec\fR...] causes \fBovs\-ofctl\fR to send a ``monitor request'' Nicira extension message to the switch at connection setup time. This message causes the switch to send information about flow table changes as they occur. The following comma-separated \fIspec\fR syntax is available: .RS .IP "\fB!initial\fR" Do not report the switch's initial flow table contents. .IP "\fB!add\fR" Do not report newly added flows. .IP "\fB!delete\fR" Do not report deleted flows. .IP "\fB!modify\fR" Do not report modifications to existing flows. .IP "\fB!own\fR" Abbreviate changes made to the flow table by \fBovs\-ofctl\fR's own connection to the switch. (These could only occur using the \fBofctl/send\fR command described below under \fBRUNTIME MANAGEMENT COMMANDS\fR.) 
.IP "\fB!actions\fR" Do not report actions as part of flow updates. .IP "\fBtable=\fItable\fR" Limits the monitoring to the table with the given \fItable\fR, which may be expressed as a number between 0 and 254 or (unless \fB\-\-no\-names\fR is specified) a name. By default, all tables are monitored. .IP "\fBout_port=\fIport\fR" If set, only flows that output to \fIport\fR are monitored. The \fIport\fR may be an OpenFlow port number or keyword (e.g. \fBLOCAL\fR). .IP "\fIfield\fB=\fIvalue\fR" Monitors only flows that have \fIfield\fR specified as the given \fIvalue\fR. Any syntax valid for matching on \fBdump\-flows\fR may be used. .RE .IP This command may be useful for debugging switch or controller implementations. With \fBwatch:\fR, it is particularly useful for observing how a controller updates flow tables. . .SS "OpenFlow Switch and Controller Commands" . The following commands, like those in the previous section, may be applied to OpenFlow switches, using any of the connection methods described in that section. Unlike those commands, these may also be applied to OpenFlow controllers. . .TP \fBprobe \fItarget\fR Sends a single OpenFlow echo-request message to \fItarget\fR and waits for the response. With the \fB\-t\fR or \fB\-\-timeout\fR option, this command can test whether an OpenFlow switch or controller is up and running. . .TP \fBping \fItarget \fR[\fIn\fR] Sends a series of 10 echo request packets to \fItarget\fR and times each reply. The echo request packets consist of an OpenFlow header plus \fIn\fR bytes (default: 64) of randomly generated payload. This measures the latency of individual requests. . .TP \fBbenchmark \fItarget n count\fR Sends \fIcount\fR echo request packets that each consist of an OpenFlow header plus \fIn\fR bytes of payload and waits for each response. Reports the total time required. This is a measure of the maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte messages. . .SS "Other Commands" . 
.IP "\fBofp\-parse\fR \fIfile\fR" Reads \fIfile\fR (or \fBstdin\fR if \fIfile\fR is \fB\-\fR) as a series of OpenFlow messages in the binary format used on an OpenFlow connection, and prints them to the console. This can be useful for printing OpenFlow messages captured from a TCP stream. . .IP "\fBofp\-parse\-pcap\fR \fIfile\fR [\fIport\fR...]" Reads \fIfile\fR, which must be in the PCAP format used by network capture tools such as \fBtcpdump\fR or \fBwireshark\fR, extracts all the TCP streams for OpenFlow connections, and prints the OpenFlow messages in those connections in human-readable format on \fBstdout\fR. .IP OpenFlow connections are distinguished by TCP port number. Non-OpenFlow packets are ignored. By default, data on TCP ports 6633 and 6653 are considered to be OpenFlow. Specify one or more \fIport\fR arguments to override the default. .IP This command cannot usefully print SSL encrypted traffic. It does not understand IPv6. . .SS "Flow Syntax" .PP Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or flows. Such flow descriptions comprise a series of \fIfield\fB=\fIvalue\fR assignments, separated by commas or white space. (Embedding spaces into a flow description normally requires quoting to prevent the shell from breaking the description into multiple arguments.) .PP Flow descriptions should be in \fBnormal form\fR. This means that a flow may only specify a value for an L3 field if it also specifies a particular L2 protocol, and that a flow may only specify an L4 field if it also specifies particular L2 and L3 protocol types. For example, if the L2 protocol type \fBdl_type\fR is wildcarded, then L3 fields \fBnw_src\fR, \fBnw_dst\fR, and \fBnw_proto\fR must also be wildcarded. Similarly, if \fBdl_type\fR or \fBnw_proto\fR (the L3 protocol type) is wildcarded, so must be the L4 fields \fBtcp_dst\fR and \fBtcp_src\fR. \fBovs\-ofctl\fR will warn about flows not in normal form. 
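.PP
The normal-form rule above can be checked before a rule file reaches the switch. The linter below is an added example, not part of Open vSwitch or of this manual; it covers only the fields this page names plus the ip, tcp and udp shorthand keywords documented in ovs-fields(7), and its function names and sample flows are constructed for illustration.

```python
"""Lint ovs-ofctl flow descriptions against the "normal form" rule.

Added example (not Open vSwitch code). Assumption: a field that does not
appear in the description is wildcarded.
"""
import re

# Fields named on this page, grouped by layer.
L3_FIELDS = {"nw_src", "nw_dst", "nw_proto"}
L4_FIELDS = {"tcp_src", "tcp_dst"}

# Shorthand keywords from ovs-fields(7) that imply protocol fields.
SHORTHAND = {
    "ip": {"dl_type": "0x0800"},
    "tcp": {"dl_type": "0x0800", "nw_proto": "6"},
    "udp": {"dl_type": "0x0800", "nw_proto": "17"},
}

# "actions=" must be the final field, so everything after it is actions.
ACTIONS_RE = re.compile(r"(?:^|[\s,])actions=")


def parse_flow(description):
    """Return (fields, actions) for one flow description.

    Assignments are separated by commas or white space. Bare tokens are
    either shorthand protocol keywords or flags such as send_flow_rem.
    """
    m = ACTIONS_RE.search(description)
    if m:
        match_part, actions = description[:m.start()], description[m.end():]
    else:
        match_part, actions = description, None

    fields = {}
    for token in re.split(r"[\s,]+", match_part.strip(" ,\t\n")):
        if not token:
            continue
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in SHORTHAND:
            fields.update(SHORTHAND[token])
        else:
            fields[token] = None  # bare flag, no value
    return fields, actions


def normal_form_violations(description):
    """List (field, missing_prerequisites) pairs that break normal form.

    L3 fields need dl_type; L4 fields need both dl_type and nw_proto.
    """
    fields, _actions = parse_flow(description)
    violations = []
    for name in sorted(fields):
        if name in L3_FIELDS:
            required = ("dl_type",)
        elif name in L4_FIELDS:
            required = ("dl_type", "nw_proto")
        else:
            continue
        missing = [r for r in required if r not in fields]
        if missing:
            violations.append((name, missing))
    return violations


# Constructed sample rules, as they might appear in an add-flows file
# or in dump-flows output.
SAMPLE_FLOWS = [
    "priority=100,dl_type=0x0800,nw_proto=6,tcp_dst=22,actions=drop",
    "priority=100,tcp_dst=22,actions=drop",
    "nw_src=10.0.0.0/8 actions=normal",
    "tcp,tcp_dst=443,actions=output:2",
    "dl_type=0x0800,tcp_src=80,actions=drop",
    " cookie=0x0, duration=12.5s, table=0, n_packets=3, n_bytes=180, "
    "priority=10,ip,nw_dst=192.0.2.1 actions=NORMAL",
    "dl_type=0x0800,actions=set_field:22->tcp_dst",
]


def lint(flows):
    """Map each offending flow description to its violations."""
    report = {}
    for flow in flows:
        problems = normal_form_violations(flow)
        if problems:
            report[flow] = problems
    return report


if __name__ == "__main__":
    for flow, problems in lint(SAMPLE_FLOWS).items():
        for field, missing in problems:
            print(f"{flow!r}: {field} set but {', '.join(missing)} wildcarded")
```

Field names that appear only inside \fBactions=\fR (the last sample) are not match fields and are not checked.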
.PP \fBovs\-fields\fR(7) describes the supported fields and how to match them. In addition to match fields, commands that operate on flows accept a few additional key-value pairs: . .IP \fBtable=\fItable\fR For flow dump commands, limits the flows dumped to those in \fItable\fR, which may be expressed as a number between 0 and 255 or (unless \fB\-\-no\-names\fR is specified) a name. If not specified (or if 255 is specified as \fItable\fR), then flows in all tables are dumped. . .IP For flow table modification commands, behavior varies based on the OpenFlow version used to connect to the switch: . .RS .IP "OpenFlow 1.0" OpenFlow 1.0 does not support \fBtable\fR for modifying flows. \fBovs\-ofctl\fR will exit with an error if \fBtable\fR (other than \fBtable=255\fR) is specified for a switch that only supports OpenFlow 1.0. .IP In OpenFlow 1.0, the switch chooses the table into which to insert a new flow. The Open vSwitch software switch always chooses table 0. Other Open vSwitch datapaths and other OpenFlow implementations may choose different tables. .IP The OpenFlow 1.0 behavior in Open vSwitch for modifying or removing flows depends on whether \fB\-\-strict\fR is used. Without \fB\-\-strict\fR, the command applies to matching flows in all tables. With \fB\-\-strict\fR, the command will operate on any single matching flow in any table; it will do nothing if there are matches in more than one table. (The distinction between these behaviors only matters if non-OpenFlow 1.0 commands were also used, because OpenFlow 1.0 alone cannot add flows with the same matching criteria to multiple tables.) . .IP "OpenFlow 1.0 with table_id extension" Open vSwitch implements an OpenFlow extension that allows the controller to specify the table on which to operate. \fBovs\-ofctl\fR automatically enables the extension when \fBtable\fR is specified and OpenFlow 1.0 is used. \fBovs\-ofctl\fR automatically detects whether the switch supports the extension. 
As of this writing, this extension is only known to be implemented by Open vSwitch. . .IP With this extension, \fBovs\-ofctl\fR operates on the requested table when \fBtable\fR is specified, and acts as described for OpenFlow 1.0 above when no \fBtable\fR is specified (or for \fBtable=255\fR). . .IP "OpenFlow 1.1" OpenFlow 1.1 requires flow table modification commands to specify a table. When \fBtable\fR is not specified (or \fBtable=255\fR is specified), \fBovs\-ofctl\fR defaults to table 0. . .IP "OpenFlow 1.2 and later" OpenFlow 1.2 and later allow flow deletion commands, but not other flow table modification commands, to operate on all flow tables, with the behavior described above for OpenFlow 1.0. .RE .IP "\fBduration=\fR..." .IQ "\fBn_packet=\fR..." .IQ "\fBn_bytes=\fR..." \fBovs\-ofctl\fR ignores assignments to these ``fields'' to allow output from the \fBdump\-flows\fR command to be used as input for other commands that parse flows. . .PP The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands require an additional field, which must be the final field specified: . .IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR Specifies a comma-separated list of actions to take on a packet when the flow entry matches. If no \fIaction\fR is specified, then packets matching the flow are dropped. See \fBovs\-actions\fR(7) for details on the syntax and semantics of actions. .PP An opaque identifier called a cookie can be used as a handle to identify a set of flows: . .IP \fBcookie=\fIvalue\fR . A cookie can be associated with a flow using the \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands. \fIvalue\fR can be any 64-bit number and need not be unique among flows. If this field is omitted, a default cookie value of 0 is used. . .IP \fBcookie=\fIvalue\fR\fB/\fImask\fR . When using NXM, the cookie can be used as a handle for querying, modifying, and deleting flows.
\fIvalue\fR and \fImask\fR may be supplied for the \fBdel\-flows\fR, \fBmod\-flows\fR, \fBdump\-flows\fR, and \fBdump\-aggregate\fR commands to limit matching cookies. A 1-bit in \fImask\fR indicates that the corresponding bit in \fIcookie\fR must match exactly, and a 0-bit wildcards that bit. A mask of \-1 may be used to exactly match a cookie. .IP The \fBmod\-flows\fR command can update the cookies of flows that match a cookie by specifying the \fIcookie\fR field twice (once with a mask for matching and once without to indicate the new value): .RS .IP "\fBovs\-ofctl mod\-flows br0 cookie=1,actions=normal\fR" Change all flows' cookies to 1 and change their actions to \fBnormal\fR. .IP "\fBovs\-ofctl mod\-flows br0 cookie=1/\-1,cookie=2,actions=normal\fR" Update cookies with a value of 1 to 2 and change their actions to \fBnormal\fR. .RE .IP The ability to match on cookies was added in Open vSwitch 1.5.0. . .PP The following additional field sets the priority for flows added by the \fBadd\-flow\fR and \fBadd\-flows\fR commands. For \fBmod\-flows\fR and \fBdel\-flows\fR when \fB\-\-strict\fR is specified, priority must match along with the rest of the flow specification. For \fBmod-flows\fR without \fB\-\-strict\fR, priority is only significant if the command creates a new flow, that is, non-strict \fBmod\-flows\fR does not match on priority and will not change the priority of existing flows. Other commands do not allow priority to be specified. . .IP \fBpriority=\fIvalue\fR The priority at which a wildcarded entry will match in comparison to others. \fIvalue\fR is a number between 0 and 65535, inclusive. A higher \fIvalue\fR will match before a lower one. An exact-match entry will always have priority over an entry containing wildcards, so it has an implicit priority value of 65535. When adding a flow, if the field is not specified, the flow's priority will default to 32768. 
.IP OpenFlow leaves behavior undefined when two or more flows with the same priority can match a single packet. Some users expect ``sensible'' behavior, such as more specific flows taking precedence over less specific flows, but OpenFlow does not specify this and Open vSwitch does not implement it. Users should therefore take care to use priorities to ensure the behavior that they expect. . .PP The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands support the following additional options. These options affect only new flows. Thus, for \fBadd\-flow\fR and \fBadd\-flows\fR, these options are always significant, but for \fBmod\-flows\fR they are significant only if the command creates a new flow, that is, their values do not update or affect existing flows. . .IP "\fBidle_timeout=\fIseconds\fR" Causes the flow to expire after the given number of seconds of inactivity. A value of 0 (the default) prevents a flow from expiring due to inactivity. . .IP \fBhard_timeout=\fIseconds\fR Causes the flow to expire after the given number of seconds, regardless of activity. A value of 0 (the default) gives the flow no hard expiration deadline. . .IP "\fBimportance=\fIvalue\fR" Sets the importance of a flow. The flow entry eviction mechanism can use importance as a factor in deciding which flow to evict. A value of 0 (the default) makes the flow non-evictable on the basis of importance. Specify a value between 0 and 65535. .IP Only OpenFlow 1.4 and later support \fBimportance\fR. . .IP "\fBsend_flow_rem\fR" Marks the flow with a flag that causes the switch to generate a ``flow removed'' message and send it to interested controllers when the flow later expires or is removed. . .IP "\fBcheck_overlap\fR" Forces the switch to check that the flow match does not overlap that of any different flow with the same priority in the same table. (This check is expensive so it is best to avoid it.) . 
.IP "\fBreset_counts\fR" When this flag is specified on a flow being added to a switch, and the switch already has a flow with an identical match, an OpenFlow 1.2 (or later) switch resets the flow's packet and byte counters to 0. Without the flag, the packet and byte counters are preserved. .IP OpenFlow 1.0 and 1.1 switches always reset counters in this situation, as if \fBreset_counts\fR were always specified. .IP Open vSwitch 1.10 added support for \fBreset_counts\fR. . .IP "\fBno_packet_counts\fR" .IQ "\fBno_byte_counts\fR" Adding these flags to a flow advises an OpenFlow 1.3 (or later) switch that the controller does not need packet or byte counters, respectively, for the flow. Some switch implementations might achieve higher performance or reduce resource consumption when these flags are used. These flags provide no benefit to the Open vSwitch software switch implementation. .IP OpenFlow 1.2 and earlier do not support these flags. .IP Open vSwitch 1.10 added support for \fBno_packet_counts\fR and \fBno_byte_counts\fR. . .PP The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR and \fBdel\-flows\fR commands support these additional optional fields: . .TP \fBout_port=\fIport\fR If set, a matching flow must include an output action to \fIport\fR, which must be an OpenFlow port number or name (e.g. \fBlocal\fR). . .TP \fBout_group=\fIgroup\fR If set, a matching flow must include a \fBgroup\fR action naming \fIgroup\fR, which must be an OpenFlow group number. This field is supported in Open vSwitch 2.5 and later and requires OpenFlow 1.1 or later. . .SS "Table Entry Output" . The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information about the entries in a datapath's tables. Each line of output is a flow entry as described in \fBFlow Syntax\fR, above, plus some additional fields: . .IP \fBduration=\fIsecs\fR The time, in seconds, that the entry has been in the table.
\fIsecs\fR includes as much precision as the switch provides, possibly to nanosecond resolution. . .IP \fBn_packets\fR The number of packets that have matched the entry. . .IP \fBn_bytes\fR The total number of bytes from packets that have matched the entry. . .PP The following additional fields are included only if the switch is Open vSwitch 1.6 or later and the NXM flow format is used to dump the flow (see the description of the \fB\-\-flow-format\fR option below). The values of these additional fields are approximations only and in particular \fBidle_age\fR will sometimes become nonzero even for busy flows. . .IP \fBhard_age=\fIsecs\fR The integer number of seconds since the flow was added or modified. \fBhard_age\fR is displayed only if it differs from the integer part of \fBduration\fR. (This is separate from \fBduration\fR because \fBmod\-flows\fR restarts the \fBhard_timeout\fR timer without zeroing \fBduration\fR.) . .IP \fBidle_age=\fIsecs\fR The integer number of seconds that have passed without any packets passing through the flow. . .SS "Packet\-Out Syntax" .PP The \fBovs\-ofctl bundle\fR command accepts packet-outs to be specified in the bundle file. Each packet-out comprises a series of \fIfield\fB=\fIvalue\fR assignments, separated by commas or white space. (Embedding spaces into a packet-out description normally requires quoting to prevent the shell from breaking the description into multiple arguments.) Unless noted otherwise only the last instance of each field is honoured. This same syntax is also supported by the \fBovs\-ofctl packet-out\fR command. .PP .IP \fBin_port=\fIport\fR The port number to be considered the in_port when processing actions. This can be any valid OpenFlow port number, or any of the \fBLOCAL\fR, \fBCONTROLLER\fR, or \fBNONE\fR. . This field is required. .IP \fIpipeline_field\fR=\fIvalue\fR Optionally, the user can specify a list of pipeline fields for a packet-out message.
The supported pipeline fields include \fBtunnel fields\fR and \fBregister fields\fR as defined in \fBovs\-fields\fR(7). .IP \fBpacket=\fIhex-string\fR The actual packet to send, expressed as a string of hexadecimal bytes. . This field is required. .IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR The syntax of actions is identical to the \fBactions=\fR field described in \fBFlow Syntax\fR above. Specifying \fBactions=\fR is optional, but omitting actions is interpreted as a drop, so the packet will not be sent anywhere from the switch. . \fBactions\fR must be specified at the end of each line, like for flow mods. .RE . .SS "Group Syntax" .PP Some \fBovs\-ofctl\fR commands accept an argument that describes a group or groups. Such group descriptions comprise a series of \fIfield\fB=\fIvalue\fR assignments, separated by commas or white space. (Embedding spaces into a group description normally requires quoting to prevent the shell from breaking the description into multiple arguments.) Unless noted otherwise only the last instance of each field is honoured. .PP .IP \fBgroup_id=\fIid\fR The integer group id of the group. When this field is specified in \fBdel\-groups\fR or \fBdump\-groups\fR, the keyword "all" may be used to designate all groups. . This field is required. .IP \fBtype=\fItype\fR The type of the group. The \fBadd-group\fR, \fBadd-groups\fR and \fBmod-groups\fR commands require this field. It is prohibited for other commands. The following keywords designate the allowed types: .RS .IP \fBall\fR Execute all buckets in the group. .IP \fBselect\fR Execute one bucket in the group, balancing across the buckets according to their weights. To select a bucket, for each live bucket, Open vSwitch hashes flow data with the bucket ID and multiplies by the bucket weight to obtain a ``score,'' and then selects the bucket with the highest score. Use \fBselection_method\fR to control the flow data used for selection.
.IP \fBindirect\fR Executes the one bucket in the group. .IP \fBff\fR .IQ \fBfast_failover\fR Executes the first live bucket in the group which is associated with a live port or group. .RE .IP \fBcommand_bucket_id=\fIid\fR The bucket to operate on. The \fBinsert-buckets\fR and \fBremove-buckets\fR commands require this field. It is prohibited for other commands. \fIid\fR may be an integer or one of the following keywords: .RS .IP \fBall\fR Operate on all buckets in the group. Only valid when used with the \fBremove-buckets\fR command in which case the effect is to remove all buckets from the group. .IP \fBfirst\fR Operate on the first bucket present in the group. In the case of the \fBinsert-buckets\fR command the effect is to insert new buckets just before the first bucket already present in the group; or to replace the buckets of the group if there are no buckets already present in the group. In the case of the \fBremove-buckets\fR command the effect is to remove the first bucket of the group; or do nothing if there are no buckets present in the group. .IP \fBlast\fR Operate on the last bucket present in the group. In the case of the \fBinsert-buckets\fR command the effect is to insert new buckets just after the last bucket already present in the group; or to replace the buckets of the group if there are no buckets already present in the group. In the case of the \fBremove-buckets\fR command the effect is to remove the last bucket of the group; or do nothing if there are no buckets present in the group. .RE .IP If \fIid\fR is an integer then it should correspond to the \fBbucket_id\fR of a bucket present in the group. In case of the \fBinsert-buckets\fR command the effect is to insert buckets just before the bucket in the group whose \fBbucket_id\fR is \fIid\fR. In case of the \fBremove-buckets\fR command the effect is to remove the bucket in the group whose \fBbucket_id\fR is \fIid\fR.
It is an error if there is no bucket present in the group whose \fBbucket_id\fR is \fIid\fR. .IP \fBselection_method\fR=\fImethod\fR The selection method used to select a bucket for a select group. This is a string of 1 to 15 bytes in length known to lower layers. This field is optional for \fBadd\-group\fR, \fBadd\-groups\fR and \fBmod\-group\fR commands on groups of type \fBselect\fR. Prohibited otherwise. If no selection method is specified, Open vSwitch up to release 2.9 applies the \fBhash\fR method with default fields. From 2.10 onwards Open vSwitch defaults to the \fBdp_hash\fR method with symmetric L3/L4 hash algorithm, unless the weighted group buckets cannot be mapped to a maximum of 64 dp_hash values with sufficient accuracy. In those rare cases Open vSwitch 2.10 and later fall back to the \fBhash\fR method with the default set of hash fields. .RS .IP \fBdp_hash\fR Use a datapath computed hash value. The hash algorithm varies across different datapath implementations. \fBdp_hash\fR uses the upper 32 bits of the \fBselection_method_param\fR as the datapath hash algorithm selector. The supported values are \fB0\fR (corresponding to hash computation over the IP 5-tuple) and \fB1\fR (corresponding to a \fIsymmetric\fR hash computation over the IP 5-tuple). (Selecting specific fields with the \fBfields\fR option is not supported with \fBdp_hash\fR.) The lower 32 bits are used as the hash basis. .IP Using \fBdp_hash\fR has the advantage that it does not require the generated datapath flows to exact match any additional packet header fields. For example, even if multiple TCP connections thus hashed to different select group buckets have different source port numbers, generally all of them would be handled with a small set of already established datapath flows, resulting in less latency for TCP SYN packets.
The downside is that the shared datapath flows must match each packet twice, as the datapath hash value calculation happens only when needed, and a second match is required to match some bits of its value. This double-matching incurs a small additional latency cost for each packet, but this latency is orders of magnitude less than the latency of creating new datapath flows for new TCP connections. .IP \fBhash\fR Use a hash computed over the fields specified with the \fBfields\fR option, see below. If no hash fields are specified, \fBhash\fR defaults to a symmetric hash over the combination of MAC addresses, VLAN tags, Ether type, IP addresses and L4 port numbers. \fBhash\fR uses the \fBselection_method_param\fR as the hash basis. .IP Note that the hashed fields become exact matched by the datapath flows. For example, if the TCP source port is hashed, the created datapath flows will match the specific TCP source port value present in the packet received. Since each TCP connection generally has a different source port value, a separate datapath flow will need to be inserted for each TCP connection thus hashed to a select group bucket. .RE .IP This option uses a Netronome OpenFlow extension which is only supported when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later. .IP \fBselection_method_param\fR=\fIparam\fR 64-bit integer parameter to the selection method selected by the \fBselection_method\fR field. The parameter's use is defined by the lower-layer that implements the \fBselection_method\fR. It is optional if the \fBselection_method\fR field is specified as a non-empty string. Prohibited otherwise. The default value is zero. .IP This option uses a Netronome OpenFlow extension which is only supported when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later. .IP \fBfields\fR=\fIfield\fR .IQ \fBfields(\fIfield\fR[\fB=\fImask\fR]\fR...\fB)\fR The field parameters to selection method selected by the \fBselection_method\fR field.
The syntax is described in \fBFlow Syntax\fR with the additional restrictions that if a value is provided it is treated as a wildcard mask and wildcard masks following a slash are prohibited. The pre-requisites of fields must be provided by any flows that output to the group. The use of the fields is defined by the lower-layer that implements the \fBselection_method\fR. They are optional if the \fBselection_method\fR field is specified as ``hash'', prohibited otherwise. The default is no fields. .IP This option will use a Netronome OpenFlow extension which is only supported when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later. .IP \fBbucket\fR=\fIbucket_parameters\fR The \fBadd-group\fR, \fBadd-groups\fR and \fBmod-group\fR commands require at least one bucket field. Bucket fields must appear after all other fields. . Multiple bucket fields may be given to specify multiple buckets. The order in which buckets are specified corresponds to their order in the group. If the type of the group is "indirect" then only one bucket may be specified. . \fIbucket_parameters\fR consists of a list of \fIfield\fB=\fIvalue\fR assignments, separated by commas or white space followed by a comma-separated list of actions. The fields for \fIbucket_parameters\fR are: . .RS .IP \fBbucket_id=\fIid\fR The 32-bit integer group id of the bucket. Values greater than 0xffffff00 are reserved. . This field was added in Open vSwitch 2.4 to conform with the OpenFlow 1.5 specification. It is not supported when earlier versions of OpenFlow are used. Open vSwitch will automatically allocate bucket ids when they are not specified. .IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR The syntax of actions is identical to the \fBactions=\fR field described in \fBFlow Syntax\fR above. Specifying \fBactions=\fR is optional, any unknown bucket parameter will be interpreted as an action. .IP \fBweight=\fIvalue\fR The relative weight of the bucket as an integer.
This may be used by the switch during bucket select for groups whose \fBtype\fR is \fBselect\fR. .IP \fBwatch_port=\fIport\fR Port used to determine liveness of group. This or the \fBwatch_group\fR field is required for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR. This or the \fBwatch_group\fR field can also be used for groups whose \fBtype\fR is \fBselect\fR. .IP \fBwatch_group=\fIgroup_id\fR Group identifier of group used to determine liveness of group. This or the \fBwatch_port\fR field is required for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR. This or the \fBwatch_port\fR field can also be used for groups whose \fBtype\fR is \fBselect\fR. .RE . .SS "Meter Syntax" .PP The meter table commands accept an argument that describes a meter. Such meter descriptions comprise a series of \fIfield\fB=\fIvalue\fR assignments, separated by commas or white space. (Embedding spaces into a meter description normally requires quoting to prevent the shell from breaking the description into multiple arguments.) Unless noted otherwise only the last instance of each field is honoured. .PP .IP \fBmeter=\fIid\fR The identifier for the meter. An integer is used to specify a user-defined meter. In addition, the keywords "all", "controller", and "slowpath", are also supported as virtual meters. The "controller" and "slowpath" virtual meters apply to packets sent to the controller and to the OVS userspace, respectively. .IP When this field is specified in \fBdel-meter\fR, \fBdump-meter\fR, or \fBmeter-stats\fR, the keyword "all" may be used to designate all meters. This field is required, except for \fBmeter-stats\fR, which dumps all stats when this field is not specified. .IP \fBkbps\fR .IQ \fBpktps\fR The unit for the \fBrate\fR and \fBburst_size\fR band parameters. \fBkbps\fR specifies kilobits per second, and \fBpktps\fR specifies packets per second. A unit is required for the \fBadd-meter\fR and \fBmod-meter\fR commands.
.IP \fBburst\fR If set, enables burst support for meter bands through the \fBburst_size\fR parameter. .IP \fBstats\fR If set, enables the collection of meter and band statistics. .IP \fBbands\fR=\fIband_parameters\fR The \fBadd-meter\fR and \fBmod-meter\fR commands require at least one band specification. Bands must appear after all other fields. .RS .IP \fBtype=\fItype\fR The type of the meter band. This keyword starts a new band specification. Each band specifies a rate above which the band is to take some action. The action depends on the band type. If multiple bands' rate is exceeded, then the band with the highest rate among the exceeded bands is selected. The following keywords designate the allowed meter band types: .RS .IP \fBdrop\fR Drop packets exceeding the band's rate limit. .RE . .IP "The other \fIband_parameters\fR are:" .IP \fBrate=\fIvalue\fR The relative rate limit for this band, in kilobits per second or packets per second, depending on whether \fBkbps\fR or \fBpktps\fR was specified. .IP \fBburst_size=\fIsize\fR If \fBburst\fR is specified for the meter entry, configures the maximum burst allowed for the band in kilobits or packets, depending on whether \fBkbps\fR or \fBpktps\fR was specified. If unspecified, the switch is free to select some reasonable value depending on its configuration. .RE . .SH OPTIONS .TP \fB\-\-strict\fR Uses strict matching when running flow modification commands. . .IP "\fB\-\-names\fR" .IQ "\fB\-\-no\-names\fR" Every OpenFlow port has a name and a number, and every OpenFlow flow table has a number and sometimes a name. By default, \fBovs\-ofctl\fR commands accept both port and table names and numbers, and they display port and table names if \fBovs\-ofctl\fR is running on an interactive console, numbers otherwise. With \fB\-\-names\fR, \fBovs\-ofctl\fR commands both accept and display port and table names; with \fB\-\-no\-names\fR, commands neither accept nor display port and table names. 
.IP If a port or table name contains special characters or might be confused with a keyword within a flow, it may be enclosed in double quotes (escaped from the shell). If necessary, JSON-style escape sequences may be used inside quotes, as specified in RFC 7159. When it displays port and table names, \fBovs\-ofctl\fR quotes any name that does not start with a letter followed by letters or digits. .IP Open vSwitch added support for port names and these options. Open vSwitch 2.10 added support for table names. Earlier versions always behaved as if \fB\-\-no\-names\fR were specified. .IP Open vSwitch does not place its own limit on the length of port names, but OpenFlow limits port names to 15 bytes. Because \fBovs\-ofctl\fR uses OpenFlow to retrieve the mapping between port names and numbers, names longer than this limit will be truncated for both display and acceptance. Truncation can also cause long names that are different to appear to be the same; when a switch has two ports with the same (truncated) name, \fBovs\-ofctl\fR refuses to display or accept the name, using the number instead. .IP OpenFlow and Open vSwitch limit table names to 32 bytes. . .IP "\fB\-\-stats\fR" .IQ "\fB\-\-no\-stats\fR" The \fBdump\-flows\fR command by default, or with \fB\-\-stats\fR, includes flow duration, packet and byte counts, and idle and hard age in its output. With \fB\-\-no\-stats\fR, it omits all of these, as well as cookie values and table IDs if they are zero. . .IP "\fB\-\-read-only\fR" Do not execute read/write commands. . .IP "\fB\-\-bundle\fR" Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
.RS .IP \(bu Within a bundle, all flow mods are processed in the order they appear and as a single atomic transaction, meaning that if one of them fails, the whole transaction fails and none of the changes are made to the \fIswitch\fR's flow table, and that each given datapath packet traversing the OpenFlow tables sees the flow tables either as before the transaction, or after all the flow mods in the bundle have been successfully applied. .IP \(bu The beginning and the end of the flow table modification commands in a bundle are delimited with OpenFlow 1.4 bundle control messages, which makes it possible to stream the included commands without explicit OpenFlow barriers, which are otherwise used after each flow table modification command. This may make large modifications execute faster as a bundle. .IP \(bu Bundles require OpenFlow 1.4 or higher. An explicit \fB-O OpenFlow14\fR option is not needed, but you may need to enable OpenFlow 1.4 support for OVS by setting the OVSDB \fIprotocols\fR column in the \fIbridge\fR table. .RE . .IP "\fB\-O \fR[\fIversion\fR[\fB,\fIversion\fR]...]\fR" .IQ "\fB\-\-protocols=\fR[\fIversion\fR[\fB,\fIversion\fR]...]\fR" Sets the OpenFlow protocol versions that are allowed when establishing an OpenFlow session. . .IP These protocol versions are enabled by default: . .RS .IP \(bu \fBOpenFlow10\fR, for OpenFlow 1.0. .RE . The following protocol versions are generally supported, but for compatibility with older versions of Open vSwitch they are not enabled by default: . .RS .IP \(bu \fBOpenFlow11\fR, for OpenFlow 1.1. . .IP \(bu \fBOpenFlow12\fR, for OpenFlow 1.2. . .IP \(bu \fBOpenFlow13\fR, for OpenFlow 1.3. . .IP \(bu \fBOpenFlow14\fR, for OpenFlow 1.4. . .IP \(bu \fBOpenFlow15\fR, for OpenFlow 1.5. .RE . 
.IP "\fB\-F \fIformat\fR[\fB,\fIformat\fR...]" .IQ "\fB\-\-flow\-format=\fIformat\fR[\fB,\fIformat\fR...]" \fBovs\-ofctl\fR supports the following individual flow formats, any number of which may be listed as \fIformat\fR: .RS .IP "\fBOpenFlow10\-table_id\fR" This is the standard OpenFlow 1.0 flow format. All OpenFlow switches and all versions of Open vSwitch support this flow format. . .IP "\fBOpenFlow10+table_id\fR" This is the standard OpenFlow 1.0 flow format plus a Nicira extension that allows \fBovs\-ofctl\fR to specify the flow table in which a particular flow should be placed. Open vSwitch 1.2 and later supports this flow format. . .IP "\fBNXM\-table_id\fR (Nicira Extended Match)" This Nicira extension to OpenFlow is flexible and extensible. It supports all of the Nicira flow extensions, such as \fBtun_id\fR and registers. Open vSwitch 1.1 and later supports this flow format. . .IP "\fBNXM+table_id\fR (Nicira Extended Match)" This combines Nicira Extended match with the ability to place a flow in a specific table. Open vSwitch 1.2 and later supports this flow format. . .IP "\fBOXM-OpenFlow12\fR" .IQ "\fBOXM-OpenFlow13\fR" .IQ "\fBOXM-OpenFlow14\fR" .IQ "\fBOXM-OpenFlow15\fR" These are the standard OXM (OpenFlow Extensible Match) flow format in OpenFlow 1.2 and later. .RE . .IP \fBovs\-ofctl\fR also supports the following abbreviations for collections of flow formats: .RS .IP "\fBany\fR" Any supported flow format. .IP "\fBOpenFlow10\fR" \fBOpenFlow10\-table_id\fR or \fBOpenFlow10+table_id\fR. .IP "\fBNXM\fR" \fBNXM\-table_id\fR or \fBNXM+table_id\fR. .IP "\fBOXM\fR" \fBOXM-OpenFlow12\fR, \fBOXM-OpenFlow13\fR, or \fBOXM-OpenFlow14\fR. .RE . .IP For commands that modify the flow table, \fBovs\-ofctl\fR by default negotiates the most widely supported flow format that supports the flows being added. For commands that query the flow table, \fBovs\-ofctl\fR by default uses the most advanced format supported by the switch. 
.IP
This option, where \fIformat\fR is a comma-separated list of one or more of the formats listed above, limits \fBovs\-ofctl\fR's choice of flow format. If a command cannot work as requested using one of the specified flow formats, \fBovs\-ofctl\fR will report a fatal error.
.
.IP "\fB\-P \fIformat\fR"
.IQ "\fB\-\-packet\-in\-format=\fIformat\fR"
\fBovs\-ofctl\fR supports the following ``packet-in'' formats, in order of increasing capability:
.RS
.IP "\fBstandard\fR"
This uses the \fBOFPT_PACKET_IN\fR message, the standard ``packet-in'' message for any given OpenFlow version. Every OpenFlow switch that supports a given OpenFlow version supports this format.
.
.IP "\fBnxt_packet_in\fR"
This uses the \fBNXT_PACKET_IN\fR message, which adds many of the capabilities of the OpenFlow 1.1 and later ``packet-in'' messages before those OpenFlow versions were available in Open vSwitch. Open vSwitch 1.1 and later support this format. Only Open vSwitch 2.6 and later, however, support it for OpenFlow 1.1 and later (but there is little reason to use it with those versions of OpenFlow).
.
.IP "\fBnxt_packet_in2\fR"
This uses the \fBNXT_PACKET_IN2\fR message, which is extensible and should avoid the need to define new formats later. In particular, this format supports passing arbitrary user-provided data to a controller using the \fBuserdata\fR option on the \fBcontroller\fR action. Open vSwitch 2.6 and later support this format.
.
.RE
.IP
Without this option, \fBovs\-ofctl\fR prefers \fBnxt_packet_in2\fR if the switch supports it. Otherwise, if OpenFlow 1.0 is in use, \fBovs\-ofctl\fR prefers \fBnxt_packet_in\fR if the switch supports it. Otherwise, \fBovs\-ofctl\fR falls back to the \fBstandard\fR packet-in format. When this option is specified, \fBovs\-ofctl\fR insists on the selected format. If the switch does not support the requested format, \fBovs\-ofctl\fR will report a fatal error.
.IP
Before version 2.6, Open vSwitch called \fBstandard\fR format \fBopenflow10\fR and \fBnxt_packet_in\fR format \fBnxm\fR, and \fBovs\-ofctl\fR still accepts these names as synonyms. (The name \fBopenflow10\fR was a misnomer because this format actually varies from one OpenFlow version to another; it is not consistently OpenFlow 1.0 format. Similarly, when \fBnxt_packet_in2\fR was introduced, the name \fBnxm\fR became confusing because it also uses OXM/NXM.)
.
.IP
This option affects only the \fBmonitor\fR command.
.
.IP "\fB\-\-timestamp\fR"
Print a timestamp before each received packet. This option only affects the \fBmonitor\fR, \fBsnoop\fR, and \fBofp\-parse\-pcap\fR commands.
.
.IP "\fB\-m\fR"
.IQ "\fB\-\-more\fR"
Increases the verbosity of OpenFlow messages printed and logged by \fBovs\-ofctl\fR commands. Specify this option more than once to increase verbosity further.
.
.IP \fB\-\-sort\fR[\fB=\fIfield\fR]
.IQ \fB\-\-rsort\fR[\fB=\fIfield\fR]
Display output sorted by flow \fIfield\fR in ascending (\fB\-\-sort\fR) or descending (\fB\-\-rsort\fR) order, where \fIfield\fR is any of the fields that are allowed for matching or \fBpriority\fR to sort by priority. When \fIfield\fR is omitted, the output is sorted by priority. Specify these options multiple times to sort by multiple fields.
.IP
Any given flow will not necessarily specify a value for a given field. This requires special treatment:
.RS
.IP \(bu
A flow that does not specify any part of a field that is used for sorting is sorted after all the flows that do specify the field. For example, \fB\-\-sort=tcp_src\fR will sort all the flows that specify a TCP source port in ascending order, followed by the flows that do not specify a TCP source port at all.
.IP \(bu
A flow that only specifies some bits in a field is sorted as if the wildcarded bits were zero. For example, \fB\-\-sort=nw_src\fR would sort a flow that specifies \fBnw_src=192.168.0.0/24\fR the same as \fBnw_src=192.168.0.0\fR.
.RE
.IP
These options currently affect only \fBdump\-flows\fR output.
.
.SS "Daemon Options"
.ds DD \fBovs\-ofctl\fR detaches only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
.PP
The following options are valid on POSIX-based platforms.
.TP
\fB\-\-pidfile\fR[\fB=\fIpidfile\fR]
Causes a file (by default, \fB\*(PN.pid\fR) to be created indicating the PID of the running process. If the \fIpidfile\fR argument is not specified, or if it does not begin with \fB/\fR, then it is created in \fB/var/run/openvswitch\fR.
.IP
If \fB\-\-pidfile\fR is not specified, no pidfile is created.
.
.TP
\fB\-\-overwrite\-pidfile\fR
By default, when \fB\-\-pidfile\fR is specified and the specified pidfile already exists and is locked by a running process, \fB\*(PN\fR refuses to start. Specify \fB\-\-overwrite\-pidfile\fR to cause it to instead overwrite the pidfile.
.IP
When \fB\-\-pidfile\fR is not specified, this option has no effect.
.
.IP \fB\-\-detach\fR
Runs \fB\*(PN\fR as a background process. The process forks, and in the child it starts a new session, closes the standard file descriptors (which has the side effect of disabling logging to the console), and changes its current directory to the root (unless \fB\-\-no\-chdir\fR is specified). After the child completes its initialization, the parent exits. \*(DD
.
.TP
\fB\-\-monitor\fR
Creates an additional process to monitor the \fB\*(PN\fR daemon. If the daemon dies due to a signal that indicates a programming error (\fBSIGABRT\fR, \fBSIGALRM\fR, \fBSIGBUS\fR, \fBSIGFPE\fR, \fBSIGILL\fR, \fBSIGPIPE\fR, \fBSIGSEGV\fR, \fBSIGXCPU\fR, or \fBSIGXFSZ\fR) then the monitor process starts a new copy of it. If the daemon dies or exits for another reason, the monitor process exits.
.IP
This option is normally used with \fB\-\-detach\fR, but it also functions without it.
.
.TP
\fB\-\-no\-chdir\fR
By default, when \fB\-\-detach\fR is specified, \fB\*(PN\fR changes its current working directory to the root directory after it detaches. Otherwise, invoking \fB\*(PN\fR from a carelessly chosen directory would prevent the administrator from unmounting the file system that holds that directory.
.IP
Specifying \fB\-\-no\-chdir\fR suppresses this behavior, preventing \fB\*(PN\fR from changing its current working directory. This may be useful for collecting core files, since it is common behavior to write core dumps into the current working directory and the root directory is not a good directory to use.
.IP
This option has no effect when \fB\-\-detach\fR is not specified.
.
.TP
\fB\-\-no\-self\-confinement\fR
By default, the daemon tries to confine itself to working with files under well-known directories determined during build. It is better to stick with this default behavior and not to use this flag unless some other access control is used to confine the daemon. Note that, in contrast to other access control implementations that are typically enforced from kernel space (e.g. DAC or MAC), self-confinement is imposed by the user-space daemon itself and hence should not be considered a full confinement strategy, but should instead be viewed as an additional layer of security.
.
.TP
\fB\-\-user\fR
Causes \fB\*(PN\fR to run as a different user specified in "user:group", thus dropping most of the root privileges. Short forms "user" and ":group" are also allowed, with the current user or group assumed, respectively. Only daemons started by the root user accept this argument.
.IP
On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICE before dropping root privileges. Daemons that interact with a datapath, such as \fBovs\-vswitchd\fR, will be granted three additional capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will apply even if the new user is root.
.IP
On Windows, this option is not currently supported. For security reasons, specifying this option will cause the daemon process not to start.
.IP "\fB\-\-unixctl=\fIsocket\fR"
Sets the name of the control socket on which \fB\*(PN\fR listens for runtime management commands (see \fBRUNTIME MANAGEMENT COMMANDS\fR, below). If \fIsocket\fR does not begin with \fB/\fR, it is interpreted as relative to \fB/var/run/openvswitch\fR. If \fB\-\-unixctl\fR is not used at all, the default socket is \fB/var/run/openvswitch/\*(PN.\fIpid\fB.ctl\fR, where \fIpid\fR is \fB\*(PN\fR's process ID.
.IP
On Windows, a local named pipe is used to listen for runtime management commands. A file is created at the absolute path pointed to by \fIsocket\fR or, if \fB\-\-unixctl\fR is not used at all, a file is created as \fB\*(PN.ctl\fR in the configured \fIOVS_RUNDIR\fR directory. The file exists just to mimic the behavior of a Unix domain socket.
.IP
Specifying \fBnone\fR for \fIsocket\fR disables the control socket feature.
.SS "Public Key Infrastructure Options"
.IP "\fB\-p\fR \fIprivkey.pem\fR"
.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR"
Specifies a PEM file containing the private key used as \fB\*(PN\fR's identity for outgoing SSL connections.
.
.IP "\fB\-c\fR \fIcert.pem\fR"
.IQ "\fB\-\-certificate=\fIcert.pem\fR"
Specifies a PEM file containing a certificate that certifies the private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be trustworthy. The certificate must be signed by the certificate authority (CA) that the peer in SSL connections will use to verify it.
.
.IP "\fB\-C\fR \fIcacert.pem\fR"
.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR"
Specifies a PEM file containing the CA certificate that \fB\*(PN\fR should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may be a different one, depending on the PKI design in use.)
.
.IP "\fB\-C none\fR"
.IQ "\fB\-\-ca\-cert=none\fR"
Disables verification of certificates presented by SSL peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts.
.IP "\fB\-v\fR[\fIspec\fR]"
.IQ "\fB\-\-verbose=\fR[\fIspec\fR]"
.
Sets logging levels. Without any \fIspec\fR, sets the log level for every module and destination to \fBdbg\fR. Otherwise, \fIspec\fR is a list of words separated by spaces or commas or colons, up to one from each category below:
.
.RS
.IP \(bu
A valid module name, as displayed by the \fBvlog/list\fR command on \fBovs\-appctl\fR(8), limits the log level change to the specified module.
.
.IP \(bu
\fBsyslog\fR, \fBconsole\fR, or \fBfile\fR, to limit the log level change only to the system log, to the console, or to a file, respectively. (If \fB\-\-detach\fR is specified, \fB\*(PN\fR closes its standard file descriptors, so logging to the console will have no effect.)
.IP
On the Windows platform, \fBsyslog\fR is accepted as a word and is only useful along with the \fB\-\-syslog\-target\fR option (the word has no effect otherwise).
.
.IP \(bu
\fBoff\fR, \fBemer\fR, \fBerr\fR, \fBwarn\fR, \fBinfo\fR, or \fBdbg\fR, to control the log level. Messages of the given severity or higher will be logged, and messages of lower severity will be filtered out. \fBoff\fR filters out all messages. See \fBovs\-appctl\fR(8) for a definition of each log level.
.RE
.
.IP
Case is not significant within \fIspec\fR.
.IP
Regardless of the log levels set for \fBfile\fR, logging to a file will not take place unless \fB\-\-log\-file\fR is also specified (see below).
.IP
For compatibility with older versions of OVS, \fBany\fR is accepted as a word but has no effect.
.
.IP "\fB\-v\fR"
.IQ "\fB\-\-verbose\fR"
Sets the maximum logging verbosity level, equivalent to \fB\-\-verbose=dbg\fR.
.
.IP "\fB\-vPATTERN:\fIdestination\fB:\fIpattern\fR"
.IQ "\fB\-\-verbose=PATTERN:\fIdestination\fB:\fIpattern\fR"
Sets the log pattern for \fIdestination\fR to \fIpattern\fR. Refer to \fBovs\-appctl\fR(8) for a description of the valid syntax for \fIpattern\fR.
.
.IP "\fB\-vFACILITY:\fIfacility\fR"
.IQ "\fB\-\-verbose=FACILITY:\fIfacility\fR"
Sets the RFC 5424 facility of the log message. \fIfacility\fR can be one of \fBkern\fR, \fBuser\fR, \fBmail\fR, \fBdaemon\fR, \fBauth\fR, \fBsyslog\fR, \fBlpr\fR, \fBnews\fR, \fBuucp\fR, \fBclock\fR, \fBftp\fR, \fBntp\fR, \fBaudit\fR, \fBalert\fR, \fBclock2\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR or \fBlocal7\fR. If this option is not specified, \fBdaemon\fR is used as the default for the local system syslog and \fBlocal0\fR is used while sending a message to the target provided via the \fB\-\-syslog\-target\fR option.
.
.TP
\fB\-\-log\-file\fR[\fB=\fIfile\fR]
Enables logging to a file. If \fIfile\fR is specified, then it is used as the exact name for the log file. The default log file name used if \fIfile\fR is omitted is \fB/var/log/openvswitch/\*(PN.log\fR.
.
.IP "\fB\-\-syslog\-target=\fIhost\fB:\fIport\fR"
Sends syslog messages to UDP \fIport\fR on \fIhost\fR, in addition to the system syslog. The \fIhost\fR must be a numerical IP address, not a hostname.
.
.IP "\fB\-\-syslog\-method=\fImethod\fR"
Specifies the \fImethod\fR by which syslog messages are sent to the syslog daemon. The following forms are supported:
.RS
.IP \(bu
\fBlibc\fR, to use the libc \fBsyslog()\fR function. The downside of this option is that libc adds a fixed prefix to every message before it is actually sent to the syslog daemon over the \fB/dev/log\fR UNIX domain socket.
.IP \(bu
\fBunix:\fIfile\fR\fR, to use a UNIX domain socket directly. It is possible to specify an arbitrary message format with this option.
However, \fBrsyslogd 8.9\fR and older versions use a hard-coded parser function anyway, which limits UNIX domain socket use. If you want to use an arbitrary message format with older \fBrsyslogd\fR versions, then use a UDP socket to the localhost IP address instead.
.IP \(bu
\fBudp:\fIip\fR:\fIport\fR\fR, to use a UDP socket. With this method it is possible to use an arbitrary message format also with older \fBrsyslogd\fR. When sending syslog messages over a UDP socket, extra precautions need to be taken: for example, the syslog daemon needs to be configured to listen on the specified UDP port, accidental iptables rules could interfere with local syslog traffic, and there are some security considerations that apply to UDP sockets but do not apply to UNIX domain sockets.
.IP \(bu
\fBnull\fR, to discard all messages logged to syslog.
.RE
.IP
The default is taken from the \fBOVS_SYSLOG_METHOD\fR environment variable; if it is unset, the default is \fBlibc\fR.
.IP "\fB\-\-color\fR[\fB=\fR\fIwhen\fR]"
.
Colorize the output (for some commands); \fIwhen\fR can be \fBnever\fR, \fBalways\fR, or \fBauto\fR (the default).
.
.RS
.PP
Only some commands support output coloring. Color names and default colors may change in future releases.
.PP
The environment variable \fBOVS_COLORS\fR can be used to specify user-defined colors and other attributes used to highlight various parts of the output. If set, its value is a colon-separated list of capabilities that defaults to \fBac=01;31:dr=34:le=31:pm=36:pr=35:sp=33:vl=32\fR. Supported capabilities were initially designed for coloring flows from the \fBovs-ofctl dump-flows\fR \fIswitch\fR command, and they are as follows.
.RS
.TP
\fBac=01;31\fR
SGR substring for \fBactions=\fR keyword in a flow. The default is a bold red text foreground.
.TP
\fBdr=34\fR
SGR substring for \fBdrop\fR keyword. The default is a dark blue text foreground.
.TP
\fBle=31\fR
SGR substring for \fBlearn=\fR keyword in a flow. The default is a red text foreground.
.TP
\fBpm=36\fR
SGR substring for flow match attribute names. The default is a cyan text foreground.
.TP
\fBpr=35\fR
SGR substring for keywords in a flow that are followed by arguments inside parentheses. The default is a magenta text foreground.
.TP
\fBsp=33\fR
SGR substring for some special keywords in a flow, notably: \fBtable=\fR, \fBpriority=\fR, \fBload:\fR, \fBoutput:\fR, \fBmove:\fR, \fBgroup:\fR, \fBCONTROLLER:\fR, \fBset_field:\fR, \fBresubmit:\fR, \fBexit\fR. The default is a yellow text foreground.
.TP
\fBvl=32\fR
SGR substring for a lone flow match attribute with no field name. The default is a green text foreground.
.RE
.PP
See the Select Graphic Rendition (SGR) section in the documentation of the text terminal that is used for permitted values and their meaning as character attributes.
.RE
.IP "\fB\-h\fR"
.IQ "\fB\-\-help\fR"
Prints a brief help message to the console.
.
.IP "\fB\-V\fR"
.IQ "\fB\-\-version\fR"
Prints version information to the console.
.
.SH "RUNTIME MANAGEMENT COMMANDS"
\fBovs\-appctl\fR(8) can send commands to a running \fBovs\-ofctl\fR process. The supported commands are listed below.
.
.IP "\fBexit\fR"
Causes \fBovs\-ofctl\fR to gracefully terminate. This command applies only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
.
.IP "\fBofctl/set\-output\-file \fIfile\fR"
Causes all subsequent output to go to \fIfile\fR instead of stderr. This command applies only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
.
.IP "\fBofctl/send \fIofmsg\fR..."
Sends each \fIofmsg\fR, specified as a sequence of hex digits that express an OpenFlow message, on the OpenFlow connection. This command is useful only when executing the \fBmonitor\fR command.
.
.IP "\fBofctl/packet\-out \fIpacket-out\fR"
Sends an OpenFlow PACKET_OUT message, specified in \fBPacket\-Out Syntax\fR, on the OpenFlow connection. See the \fBPacket\-Out Syntax\fR section for more information. This command is useful only when executing the \fBmonitor\fR command.
.
.IP "\fBofctl/barrier\fR"
Sends an OpenFlow barrier request on the OpenFlow connection and waits for a reply. This command is useful only for the \fBmonitor\fR command.
.
.SH EXAMPLES
.
The following examples assume that \fBovs\-vswitchd\fR has a bridge named \fBbr0\fR configured.
.
.TP
\fBovs\-ofctl dump\-tables br0\fR
Prints out the switch's table stats. (This is more interesting after some traffic has passed through.)
.
.TP
\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
.TP
\fBovs\-ofctl add\-flow br0 'table=0 actions=learn(table=1,hard_timeout=10,NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]),resubmit(,1)'\fR
.TQ
\fBovs\-ofctl add\-flow br0 'table=1 priority=0 actions=flood'\fR
Implements a level 2 MAC learning switch using the \fBlearn\fR action.
.
.TP
\fBovs\-ofctl add\-flow br0 'table=0,priority=0 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_timeout=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],output:NXM_NX_REG0[0..15]),output:2'\fR
In this use of a learn action, the first packet from each source MAC will be sent to port 2. Subsequent packets will be output to port 3, with an idle timeout of 10 seconds. NXM field names and match field names are both accepted, e.g. \fBNXM_NX_REG0\fR or \fBreg0\fR for the first register, and empty brackets may be omitted.
.IP
Additional examples may be found documented as part of related sections.
.
.SH "SEE ALSO"
.
.BR ovs\-fields (7),
.BR ovs\-actions (7),
.BR ovs\-appctl (8),
.BR ovs\-vswitchd (8),
.BR ovs\-vswitchd.conf.db (8)
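.PP
As an added example (not part of the Open vSwitch manual or code base), the following Python code checks the capability sets described under \fB\-\-user\fR: it decodes the CapPrm and CapEff masks from /proc/<pid>/status and reports anything beyond, or missing from, the documented set. The status texts are constructed samples, the function names are hypothetical, and the bit numbers are those of the kernel's <linux/capability.h>.
.EX
```python
# Added example, not Open vSwitch code: audit the capabilities a daemon holds
# after --user by decoding CapPrm/CapEff from /proc/<pid>/status.

# Bit numbers from the kernel's <linux/capability.h>.
CAP_NAMES = {
    1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    14: "CAP_IPC_LOCK", 21: "CAP_SYS_ADMIN",
}
# Sets the manual documents for --user on Linux.
BASE = {"CAP_IPC_LOCK", "CAP_NET_BIND_SERVICE"}
DATAPATH = BASE | {"CAP_NET_ADMIN", "CAP_NET_BROADCAST", "CAP_NET_RAW"}


def parse_status(text):
    """Extract the effective UID and capability masks from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            fields["euid"] = int(value.split()[1])  # real, effective, saved, fs
        elif key in ("CapPrm", "CapEff"):
            fields[key] = int(value.strip(), 16)
    return fields


def decode(mask):
    """Turn a capability bit mask into a set of names (cap_<n> if unnamed)."""
    return {CAP_NAMES.get(bit, "cap_%d" % bit)
            for bit in range(mask.bit_length()) if mask >> bit & 1}


def audit(status_text, datapath=False):
    """Compare held capabilities with the documented set for this daemon type."""
    fields = parse_status(status_text)
    # Permitted capabilities can be raised into the effective set later,
    # so both masks count as held.
    held = decode(fields["CapPrm"] | fields["CapEff"])
    expected = DATAPATH if datapath else BASE
    return {
        "euid": fields["euid"],
        "extra": sorted(held - expected),
        "missing": sorted(expected - held),
        "ok": held == expected,
    }


# Constructed samples of /proc/<pid>/status (only the relevant lines).
DROPPED = """Name: ovs-ofctl
Uid: 993 993 993 993
CapPrm: 0000000000004400
CapEff: 0000000000004400
"""
ROOT_WITH_USER = """Name: ovs-vswitchd
Uid: 0 0 0 0
CapPrm: 0000000000007c00
CapEff: 0000000000007c00
"""
FULL_ROOT = """Name: ovs-ofctl
Uid: 0 0 0 0
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
"""

if __name__ == "__main__":
    for label, text, dp in (("dropped", DROPPED, False),
                            ("root via --user", ROOT_WITH_USER, True),
                            ("no --user", FULL_ROOT, False)):
        print(label, audit(text, dp))
```
.EE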
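.PP
The ordering rules listed under \fB\-\-sort\fR, as an added Python example that is not part of the manual or of \fBovs\-ofctl\fR itself: flows lacking the field go last, and masked values compare with their wildcarded bits cleared. It covers ascending order only; the flows are constructed dicts (with a made-up "name" label) rather than parsed \fBdump\-flows\fR output, and sort_value and sort_flows are hypothetical names.
.EX
```python
# Added example, not ovs-ofctl code: the --sort ordering rules, ascending only.
import ipaddress

IP_FIELDS = ("nw_src", "nw_dst")


def sort_value(flow, field):
    """Key for one field: (0, value) if specified, (1, 0) if absent."""
    raw = flow.get(field)
    if raw is None:
        return (1, 0)          # sorts after every flow that specifies the field
    if field in IP_FIELDS:
        # strict=False clears the bits outside the prefix, so
        # 192.168.0.0/24 and 192.168.0.0 produce the same key.
        net = ipaddress.ip_network(raw, strict=False)
        return (0, int(net.network_address))
    value, _, mask = str(raw).partition("/")
    number = int(value, 0)
    if mask:
        number &= int(mask, 0)  # wildcarded bits count as zero
    return (0, number)


def sort_flows(flows, *fields):
    """Sort by each field in turn; with no field given, sort by priority."""
    fields = fields or ("priority",)
    return sorted(flows, key=lambda f: tuple(sort_value(f, n) for n in fields))


# Constructed flows; every one carries an explicit priority.
FLOWS = [
    {"name": "c", "priority": 10, "tcp_src": 443},
    {"name": "a", "priority": 10, "nw_src": "192.168.0.0/24"},
    {"name": "b", "priority": 20, "nw_src": "10.0.0.5"},
    {"name": "d", "priority": 5, "nw_src": "192.168.0.0",
     "tcp_src": "0x1234/0xff00"},
]

if __name__ == "__main__":
    for field in ("nw_src", "tcp_src", "priority"):
        print(field, [f["name"] for f in sort_flows(FLOWS, field)])
```
.EE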