Provided by: openvswitch-common_1.4.0-1ubuntu1_amd64
ovs-ofctl - administer OpenFlow switches
ovs-ofctl [options] command [switch] [args...]
The ovs-ofctl program is a command line tool for monitoring and administering OpenFlow switches. It can also show the current state of an OpenFlow switch, including features, configuration, and table entries. OpenFlow Switch Management Commands These commands allow ovs-ofctl to monitor and administer an OpenFlow switch. It is able to show the current state of a switch, including features, configuration, and table entries. Most of these commands take an argument that specifies the method for connecting to an OpenFlow switch. The following connection methods are supported: ssl:ip[:port] The specified SSL port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). The --private-key, --certificate, and --ca-cert options are mandatory when this form is used. tcp:ip[:port] The specified TCP port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). unix:file The Unix domain server socket named file. file This is short for unix:file, as long as file does not contain a colon. bridge This is short for unix:/var/run/openvswitch/bridge.mgmt, as long as bridge does not contain a colon. [type@]dp Attempts to look up the bridge associated with dp and open as above. If type is given, it specifies the datapath provider of dp, otherwise the default provider system is assumed. show switch Prints to the console information on switch, including information on its flow tables and ports. dump-tables switch Prints to the console statistics for each of the flow tables used by switch. dump-ports switch [netdev] Prints to the console statistics for network devices associated with switch. If netdev is specified, only the statistics associated with that device will be printed. netdev can be an OpenFlow assigned port number or device name, e.g. eth0. mod-port switch netdev action Modify characteristics of an interface monitored by switch. netdev can be referred to by its OpenFlow assigned port number or the device name, e.g. eth0. The action may be any one of the following: up Enables the interface. This is equivalent to ``ifconfig up'' on a Unix system. down Disables the interface. This is equivalent to ``ifconfig down'' on a Unix system. forward Allows forwarding of traffic on this interface. This is the default posture for all ports. noforward Disallows forwarding of traffic on this interface. flood When a flood action is specified, traffic will be sent out this interface. This is the default posture for monitored ports. noflood When a flood action is specified, traffic will not be sent out this interface. This is primarily useful to prevent loops when a spanning tree protocol is not in use. get-frags switch Prints switch's fragment handling mode. See set-frags, below, for a description of each fragment handling mode. The show command also prints the fragment handling mode among its other output. set-frags switch frag_mode Configures switch's treatment of IPv4 and IPv6 fragments. The choices for frag_mode are: normal Fragments pass through the flow table like non-fragmented packets. The TCP ports, UDP ports, and ICMP type and code fields are always set to 0, even for fragments where that information would otherwise be available (fragments with offset 0). This is the default fragment handling mode for an OpenFlow switch. drop Fragments are dropped without passing through the flow table. reassemble The switch reassembles fragments into full IP packets before passing them through the flow table. Open vSwitch does not implement this fragment handling mode. nx-match Fragments pass through the flow table like non-fragmented packets. The TCP ports, UDP ports, and ICMP type and code fields are available for matching for fragments with offset 0, and set to 0 in fragments with nonzero offset. This mode is a Nicira extension. See the description of ip_frag, below, for a way to match on whether a packet is a fragment and on its fragment offset. dump-flows switch [flows] Prints to the console all flow entries in switch's tables that match flows. If flows is omitted, all flows in the switch are retrieved. See Flow Syntax, below, for the syntax of flows. The output format is described in Table Entry Output. dump-aggregate switch [flows] Prints to the console aggregate statistics for flows in switch's tables that match flows. If flows is omitted, the statistics are aggregated across all flows in the switch's flow tables. See Flow Syntax, below, for the syntax of flows. The output format is descrbed in Table Entry Output. queue-stats switch [port [queue]] Prints to the console statistics for the specified queue on port within switch. Either of port or queue or both may be omitted (or equivalently specified as ALL). If both are omitted, statistics are printed for all queues on all ports. If only queue is omitted, then statistics are printed for all queues on port; if only port is omitted, then statistics are printed for queue on every port where it exists. OpenFlow Switch Flow Table Commands These commands manage the flow table in an OpenFlow switch. In each case, flow specifies a flow entry in the format described in Flow Syntax, below, and file is a text file that contains zero or more flows in the same syntax, one per line. add-flow switch flow add-flow switch - < file add-flows switch file Add each flow entry to switch's tables. [--strict] mod-flows switch flow [--strict] mod-flows switch - < file Modify the actions in entries from switch's tables that match the specified flows. With --strict, wildcards are not treated as active for matching purposes. del-flows switch [--strict] del-flows switch [flow] [--strict] del-flows switch - < file Deletes entries from switch's flow table. With only a switch argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows. With --strict, wildcards are not treated as active for matching purposes. [--readd] replace-flows switch file Reads flow entries from file (or stdin if file is -) and queries the flow table from switch. Then it fixes up any differences, adding flows from flow that are missing on switch, deleting flows from switch that are not in file, and updating flows in switch whose actions, cookie, or timeouts differ in file. With --readd, ovs-ofctl adds all the flows from file, even those that exist with the same actions, cookie, and timeout in switch. This resets all the flow packet and byte counters to 0, which can be useful for debugging. diff-flows source1 source2 Reads flow entries from source1 and source2 and prints the differences. A flow that is in source1 but not in source2 is printed preceded by a -, and a flow that is in source2 but not in source1 is printed preceded by a +. If a flow exists in both source1 and source2 with different actions, cookie, or timeouts, then both versions are printed preceded by - and +, respectively. source1 and source2 may each name a file or a switch. If a name begins with / or ., then it is considered to be a file name. A name that contains : is considered to be a switch. Otherwise, it is a file if a file by that name exists, a switch if not. For this command, an exit status of 0 means that no differences were found, 1 means that an error occurred, and 2 means that some differences were found. OpenFlow Switch Monitoring Commands snoop switch Connects to switch and prints to the console all OpenFlow messages received. Unlike other ovs-ofctl commands, if switch is the name of a bridge, then the snoop command connects to a Unix domain socket named /var/run/openvswitch/bridge.snoop. ovs-vswitchd listens on such a socket for each bridge and sends to it all of the OpenFlow messages sent to or received from its configured OpenFlow controller. Thus, this command can be used to view OpenFlow protocol activity between a switch and its controller. When a switch has more than one controller configured, only the traffic to and from a single controller is output. If none of the controllers is configured as a master or a slave (using a Nicira extension to OpenFlow), then a controller is chosen arbitrarily among them. If there is a master controller, it is chosen; otherwise, if there are any controllers that are not masters or slaves, one is chosen arbitrarily; otherwise, a slave controller is chosen arbitrarily. This choice is made once at connection time and does not change as controllers reconfigure their roles. If a switch has no controller configured, or if the configured controller is disconnected, no traffic is sent, so monitoring will not show any traffic. monitor switch [miss-len] Connects to switch and prints to the console all OpenFlow messages received. Usually, switch should specify the name of a bridge in the ovs-vswitchd database. If miss-len is provided, ovs-ofctl sends an OpenFlow ``set configuration'' message at connection setup time that requests miss-len bytes of each packet that misses the flow table. Open vSwitch does not send these and other asynchronous messages to an ovs-ofctl monitor client connection unless a nonzero value is specified on this argument. (Thus, if miss-len is not specified, very little traffic will ordinarily be printed.) This command may be useful for debugging switch or controller implementations. OpenFlow Switch and Controller Commands The following commands, like those in the previous section, may be applied to OpenFlow switches, using any of the connection methods described in that section. Unlike those commands, these may also be applied to OpenFlow controllers. probe target Sends a single OpenFlow echo-request message to target and waits for the response. With the -t or --timeout option, this command can test whether an OpenFlow switch or controller is up and running. ping target [n] Sends a series of 10 echo request packets to target and times each reply. The echo request packets consist of an OpenFlow header plus n bytes (default: 64) of randomly generated payload. This measures the latency of individual requests. benchmark target n count Sends count echo request packets that each consist of an OpenFlow header plus n bytes of payload and waits for each response. Reports the total time required. This is a measure of the maximum bandwidth to target for round-trips of n-byte messages. Flow Syntax Some ovs-ofctl commands accept an argument that describes a flow or flows. Such flow descriptions comprise a series field=value assignments, separated by commas or white space. (Embedding spaces into a flow description normally requires quoting to prevent the shell from breaking the description into multiple arguments.) Flow descriptions should be in normal form. This means that a flow may only specify a value for an L3 field if it also specifies a particular L2 protocol, and that a flow may only specify an L4 field if it also specifies particular L2 and L3 protocol types. For example, if the L2 protocol type dl_type is wildcarded, then L3 fields nw_src, nw_dst, and nw_proto must also be wildcarded. Similarly, if dl_type or nw_proto (the L3 protocol type) is wildcarded, so must be tp_dst and tp_src, which are L4 fields. ovs-ofctl will warn about flows not in normal form. The following field assignments describe how a flow matches a packet. If any of these assignments is omitted from the flow syntax, the field is treated as a wildcard; thus, if all of them are omitted, the resulting flow matches all packets. The string * or ANY may be specified to explicitly mark any of these fields as a wildcard. (* should be quoted to protect it from shell expansion.) in_port=port_no Matches OpenFlow port port_no. Ports are numbered as displayed by ovs-ofctl show. (The resubmit action can search OpenFlow flow tables with arbitrary in_port values, so flows that match port numbers that do not exist from an OpenFlow perspective can still potentially be matched.) dl_vlan=vlan Matches IEEE 802.1q Virtual LAN tag vlan. Specify 0xffff as vlan to match packets that are not tagged with a Virtual LAN; otherwise, specify a number between 0 and 4095, inclusive, as the 12-bit VLAN ID to match. dl_vlan_pcp=priority Matches IEEE 802.1q Priority Code Point (PCP) priority, which is specified as a value between 0 and 7, inclusive. A higher value indicates a higher frame priority level. dl_src=xx:xx:xx:xx:xx:xx dl_dst=xx:xx:xx:xx:xx:xx Matches an Ethernet source (or destination) address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0). dl_dst=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx Matches an Ethernet destination address specified as 6 pairs of hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0), with a wildcard mask following the slash. Only the following masks are allowed: 01:00:00:00:00:00 Match only the multicast bit. Thus, dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches all multicast (including broadcast) Ethernet packets, and dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 matches all unicast Ethernet packets. fe:ff:ff:ff:ff:ff Match all bits except the multicast bit. This is probably not useful. ff:ff:ff:ff:ff:ff Exact match (equivalent to omitting the mask). 00:00:00:00:00:00 Wildcard all bits (equivalent to dl_dst=*.) dl_type=ethertype Matches Ethernet protocol type ethertype, which is specified as an integer between 0 and 65535, inclusive, either in decimal or as a hexadecimal number prefixed by 0x (e.g. 0x0806 to match ARP packets). nw_src=ip[/netmask] nw_dst=ip[/netmask] When dl_type is 0x0800 (possibly via shorthand, e.g. ip or tcp), matches IPv4 source (or destination) address ip, which may be specified as an IP address or host name (e.g. 192.168.1.1 or www.example.com). The optional netmask allows restricting a match to an IPv4 address prefix. The netmask may be specified as a dotted quad (e.g. 192.168.1.0/255.255.255.0) or as a CIDR block (e.g. 192.168.1.0/24). When dl_type=0x0806 or arp is specified, matches the ar_spa or ar_tpa field, respectively, in ARP packets for IPv4 and Ethernet. When dl_type is wildcarded or set to a value other than 0x0800 or 0x0806, the values of nw_src and nw_dst are ignored (see Flow Syntax above). nw_proto=proto When ip or dl_type=0x0800 is specified, matches IP protocol type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 1 to match ICMP packets or 6 to match TCP packets). When ipv6 or dl_type=0x86dd is specified, matches IPv6 header type proto, which is specified as a decimal number between 0 and 255, inclusive (e.g. 58 to match ICMPv6 packets or 6 to match TCP). The header type is the terminal header as described in the DESIGN document. When arp or dl_type=0x0806 is specified, matches the lower 8 bits of the ARP opcode. ARP opcodes greater than 255 are treated as 0. When dl_type is wildcarded or set to a value other than 0x0800, 0x0806, or 0x86dd, the value of nw_proto is ignored (see Flow Syntax above). nw_tos=tos Matches IP ToS/DSCP or IPv6 traffic class field tos, which is specified as a decimal number between 0 and 255, inclusive. Note that the two lower reserved bits are ignored for matching purposes. When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value of nw_tos is ignored (see Flow Syntax above). nw_ecn=ecn Matches ecn bits in IP ToS or IPv6 traffic class fields, which is specified as a decimal number between 0 and 3, inclusive. When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value of nw_ecn is ignored (see Flow Syntax above). nw_ttl=ttl Matches IP TTL or IPv6 hop limit value ttl, which is specified as a decimal number between 0 and 255, inclusive. When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value of nw_ttl is ignored (see Flow Syntax above). tp_src=port tp_dst=port When dl_type and nw_proto specify TCP or UDP, tp_src and tp_dst match the UDP or TCP source or destination port port, respectively. which is specified as a decimal number between 0 and 65535, inclusive (e.g. 80 to match packets originating from a HTTP server). When dl_type and nw_proto take other values, the values of these settings are ignored (see Flow Syntax above). icmp_type=type icmp_code=code When dl_type and nw_proto specify ICMP or ICMPv6, type matches the ICMP type and code matches the ICMP code. Each is specified as a decimal number between 0 and 255, inclusive. When dl_type and nw_proto take other values, the values of these settings are ignored (see Flow Syntax above). table=number If specified, limits the flow manipulation and flow dump commands to only apply to the table with the given number between 0 and 254. Behavior varies if table is not specified (equivalent to specifying 255 as number). For flow table modification commands without --strict, the switch will choose the table for these commands to operate on. For flow table modification commands with --strict, the command will operate on any single matching flow in any table; it will do nothing if there are matches in more than one table. The dump-flows and dump-aggregate commands will gather statistics about flows from all tables. When this field is specified in add-flow, add-flows, mod-flows and del-flows commands, it activates a Nicira extension to OpenFlow, which as of this writing is only known to be implemented by Open vSwitch. The following shorthand notations are also available: ip Same as dl_type=0x0800. icmp Same as dl_type=0x0800,nw_proto=1. tcp Same as dl_type=0x0800,nw_proto=6. udp Same as dl_type=0x0800,nw_proto=17. arp Same as dl_type=0x0806. The following field assignments require support for the NXM (Nicira Extended Match) extension to OpenFlow. When one of these is specified, ovs-ofctl will automatically attempt to negotiate use of this extension. If the switch does not support NXM, then ovs-ofctl will report a fatal error. vlan_tci=tci[/mask] Matches modified VLAN TCI tci. If mask is omitted, tci is the exact VLAN TCI to match; if mask is specified, then a 1-bit in mask indicates that the corresponding bit in tci must match exactly, and a 0-bit wildcards that bit. Both tci and mask are 16-bit values that are decimal by default; use a 0x prefix to specify them in hexadecimal. The value that vlan_tci matches against is 0 for a packet that has no 802.1Q header. Otherwise, it is the TCI value from the 802.1Q header with the CFI bit (with value 0x1000) forced to 1. Examples: vlan_tci=0 Match only packets without an 802.1Q header. vlan_tci=0xf123 Match packets tagged with priority 7 in VLAN 0x123. vlan_tci=0x1123/0x1fff Match packets tagged with VLAN 0x123 (and any priority). vlan_tci=0x5000/0xf000 Match packets tagged with priority 2 (in any VLAN). vlan_tci=0/0xfff Match packets with no 802.1Q header or tagged with VLAN 0 (and any priority). vlan_tci=0x5000/0xe000 Match packets with no 802.1Q header or tagged with priority 2 (in any VLAN). vlan_tci=0/0xefff Match packets with no 802.1Q header or tagged with VLAN 0 and priority 0. Some of these matching possibilities can also be achieved with dl_vlan and dl_vlan_pcp. ip_frag=frag_type When dl_type specifies IP or IPv6, frag_type specifies what kind of IP fragments or non-fragments to match. The following values of frag_type are supported: no Matches only non-fragmented packets. yes Matches all fragments. first Matches only fragments with offset 0. later Matches only fragments with nonzero offset. not_later Matches non-fragmented packets and fragments with zero offset. The ip_frag match type is likely to be most useful in nx-match mode. See the description of the set-frags command, above, for more details. arp_sha=xx:xx:xx:xx:xx:xx arp_tha=xx:xx:xx:xx:xx:xx When dl_type specifies ARP, arp_sha and arp_tha match the source and target hardware address, respectively. An address is specified as 6 pairs of hexadecimal digits delimited by colons. ipv6_src=ipv6[/netmask] ipv6_dst=ipv6[/netmask] When dl_type is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6), matches IPv6 source (or destination) address ipv6, which may be specified as defined in RFC 2373. The preferred format is x:x:x:x:x:x:x:x, where x are the hexadecimal values of the eight 16-bit pieces of the address. A single instance of :: may be used to indicate multiple groups of 16-bits of zeros. The optional netmask allows restricting a match to an IPv6 address prefix. A netmask is specified as a CIDR block (e.g. 2001:db8:3c4d:1::/64). ipv6_label=label When dl_type is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6), matches IPv6 flow label label. nd_target=ipv6 When dl_type, nw_proto, and icmp_type specify IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address ipv6. ipv6 is in the same format described earlier for the ipv6_src and ipv6_dst fields. nd_sll=xx:xx:xx:xx:xx:xx When dl_type, nw_proto, and icmp_type specify IPv6 Neighbor Solicitation (ICMPv6 type 135), matches the source link-layer address option. An address is specified as 6 pairs of hexadecimal digits delimited by colons. nd_tll=xx:xx:xx:xx:xx:xx When dl_type, nw_proto, and icmp_type specify IPv6 Neighbor Advertisement (ICMPv6 type 136), matches the target link-layer address option. An address is specified as 6 pairs of hexadecimal digits delimited by colons. tun_id=tunnel-id[/mask] Matches tunnel identifier tunnel-id. Only packets that arrive over a tunnel that carries a key (e.g. GRE with the RFC 2890 key extension) will have a nonzero tunnel ID. If mask is omitted, tunnel-id is the exact tunnel ID to match; if mask is specified, then a 1-bit in mask indicates that the corresponding bit in tunnel-id must match exactly, and a 0-bit wildcards that bit. In an attempt to be compatible with more switches, ovs-ofctl will prefer to use the ``tunnel ID from cookie'' Nicira extension to NXM. The use of this extension comes with three caveats: the top 32 bits of the cookie (see below) are used for tunnel- id and thus unavailable for other use, specifying tun_id on dump-flows or dump-aggregate has no effect, and mask is not supported. If any of these caveats apply, ovs-ofctl will use NXM. regidx=value[/mask] Matches value either exactly or with optional mask in register number idx. The valid range of idx depends on the switch. value and mask are 32-bit integers, by default in decimal (use a 0x prefix to specify hexadecimal). Arbitrary mask values are allowed: a 1-bit in mask indicates that the corresponding bit in value must match exactly, and a 0-bit wildcards that bit. When a packet enters an OpenFlow switch, all of the registers are set to 0. Only explicit Nicira extension actions change register values. Defining IPv6 flows (those with dl_type equal to 0x86dd) requires support for NXM. The following shorthand notations are available for IPv6-related flows: ipv6 Same as dl_type=0x86dd. tcp6 Same as dl_type=0x86dd,nw_proto=6. udp6 Same as dl_type=0x86dd,nw_proto=17. icmp6 Same as dl_type=0x86dd,nw_proto=58. Finally, field assignments to duration, n_packets, or n_bytes are ignored to allow output from the dump-flows command to be used as input for other commands that parse flows. The add-flow, add-flows, and mod-flows commands require an additional field, which must be the final field specified: actions=[target][,target...] Specifies a comma-separated list of actions to take on a packet when the flow entry matches. If no target is specified, then packets matching the flow are dropped. The target may be a decimal port number designating the physical port on which to output the packet, or one of the following keywords: output:port output:src[start..end] Outputs the packet. If port is an OpenFlow port number, outputs directly to it. Otherwise, outputs to the OpenFlow port number read from src which must be an NXM field as described above. Outputting to an NXM field is an OpenFlow extension which is not supported by standard OpenFlow switches. Example: output:NXM_NX_REG0[16..31] outputs to the OpenFlow port number written in the upper half of register 0. enqueue:port:queue Enqueues the packet on the specified queue within port port. The number of supported queues depends on the switch; some OpenFlow implementations do not support queuing at all. normal Subjects the packet to the device's normal L2/L3 processing. (This action is not implemented by all OpenFlow switches.) flood Outputs the packet on all switch physical ports other than the port on which it was received and any ports on which flooding is disabled (typically, these would be ports disabled by the IEEE 802.1D spanning tree protocol). all Outputs the packet on all switch physical ports other than the port on which it was received. controller:max_len Sends the packet to the OpenFlow controller as a ``packet in'' message. If max_len is a number, then it specifies the maximum number of bytes that should be sent. If max_len is ALL or omitted, then the entire packet is sent. local Outputs the packet on the ``local port,'' which corresponds to the network device that has the same name as the bridge. in_port Outputs the packet on the port from which it was received. drop Discards the packet, so no further processing or forwarding takes place. If a drop action is used, no other actions may be specified. mod_vlan_vid:vlan_vid Modifies the VLAN id on a packet. The VLAN tag is added or modified as necessary to match the value specified. If the VLAN tag is added, a priority of zero is used (see the mod_vlan_pcp action to set this). mod_vlan_pcp:vlan_pcp Modifies the VLAN priority on a packet. The VLAN tag is added or modified as necessary to match the value specified. Valid values are between 0 (lowest) and 7 (highest). If the VLAN tag is added, a vid of zero is used (see the mod_vlan_vid action to set this). strip_vlan Strips the VLAN tag from a packet if it is present. mod_dl_src:mac Sets the source Ethernet address to mac. mod_dl_dst:mac Sets the destination Ethernet address to mac. mod_nw_src:ip Sets the IPv4 source address to ip. mod_nw_dst:ip Sets the IPv4 destination address to ip. mod_tp_src:port Sets the TCP or UDP source port to port. mod_tp_dst:port Sets the TCP or UDP destination port to port. mod_nw_tos:tos Sets the IP ToS/DSCP field to tos. Valid values are between 0 and 255, inclusive. Note that the two lower reserved bits are never modified. The following actions are Nicira vendor extensions that, as of this writing, are only known to be implemented by Open vSwitch: resubmit:port resubmit([port],[table]) Re-searches this OpenFlow flow table (or the table whose number is specified by table) with the in_port field replaced by port (if port is specified) and executes the actions found, if any, in addition to any other actions in this flow entry. Recursive resubmit actions are obeyed up to an implementation-defined maximum depth. Open vSwitch 1.0.1 and earlier did not support recursion; Open vSwitch before 1.2.90 did not support table. set_tunnel:id set_tunnel64:id If outputting to a port that encapsulates the packet in a tunnel and supports an identifier (such as GRE), sets the identifier to id. If the set_tunnel form is used and id fits in 32 bits, then this uses an action extension that is supported by Open vSwitch 1.0 and later. Otherwise, if id is a 64-bit value, it requires Open vSwitch 1.1 or later. set_queue:queue Sets the queue that should be used to queue when packets are output. The number of supported queues depends on the switch; some OpenFlow implementations do not support queuing at all. pop_queue Restores the queue to the value it was before any set_queue actions were applied. note:[hh]... Does nothing at all. Any number of bytes represented as hex digits hh may be included. Pairs of hex digits may be separated by periods for readability. move:src[start..end]->dst[start..end] Copies the named bits from field src to field dst. src and dst must be NXM field names as defined in nicira-ext.h, e.g. NXM_OF_UDP_SRC or NXM_NX_REG0. Each start and end pair, which are inclusive, must specify the same number of bits and must fit within its respective field. Shorthands for [start..end] exist: use [bit] to specify a single bit or  to specify an entire field. Examples: move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31] copies the six bits numbered 0 through 5, inclusive, in register 0 into bits 26 through 31, inclusive; move:NXM_NX_REG0[0..15]->NXM_OF_VLAN_TCI copies the least significant 16 bits of register 0 into the VLAN TCI field. load:value->dst[start..end] Writes value to bits start through end, inclusive, in field dst. Example: load:55->NXM_NX_REG2[0..5] loads value 55 (bit pattern 110111) into bits 0 through 5, inclusive, in register 2. multipath(fields, basis, algorithm, n_links, arg, dst[start..end]) Hashes fields using basis as a universal hash parameter, then the applies multipath link selection algorithm (with parameter arg) to choose one of n_links output links numbered 0 through n_links minus 1, and stores the link into dst[start..end], which must be an NXM field as described above. Currently, fields must be either eth_src or symmetric_l4 and algorithm must be one of modulo_n, hash_threshold, hrw, and iter_hash. Only the iter_hash algorithm uses arg. Refer to nicira-ext.h for more details. autopath(id, dst[start..end]) Given id, chooses an OpenFlow port and populates it in dst[start..end], which must be an NXM field as described above. Currently, id should be the OpenFlow port number of an interface on the bridge. If it isn't then dst[start..end] will be populated with the OpenFlow port "none". If id is a member of a bond, the normal bond selection logic will be used to choose the destination port. Otherwise, the register will be populated with id itself. Refer to nicira-ext.h for more details. bundle(fields, basis, algorithm, slave_type, slaves:[s1, s2, ...]) Hashes fields using basis as a universal hash parameter, then applies the bundle link selection algorithm to choose one of the listed slaves represented as slave_type. Currently the only supported slave_type is ofport. Thus, each s1 through sN should be an OpenFlow port number. Outputs to the selected slave. Currently, fields must be either eth_src or symmetric_l4 and algorithm must be one of hrw and active_backup. Example: bundle(eth_src,0,hrw,ofport,slaves:4,8) uses an Ethernet source hash with basis 0, to select between OpenFlow ports 4 and 8 using the Highest Random Weight algorithm. Refer to nicira-ext.h for more details. bundle_load(fields, basis, algorithm, slave_type, dst[start..end], slaves:[s1, s2, ...]) Has the same behavior as the bundle action, with one exception. Instead of outputting to the selected slave, it writes its selection to dst[start..end], which must be an NXM field as described above. Example: bundle_load(eth_src, 0, hrw, ofport, NXM_NX_REG0, slaves:4, 8) uses an Ethernet source hash with basis 0, to select between OpenFlow ports 4 and 8 using the Highest Random Weight algorithm, and writes the selection to NXM_NX_REG0. Refer to nicira-ext.h for more details. learn(argument[,argument]...) This action adds or modifies a flow in an OpenFlow table, similar to ovs-ofctl --strict mod-flows. The arguments specify the flow's match fields, actions, and other properties, as follows. At least one match criterion and one action argument should ordinarily be specified. idle_timeout=seconds hard_timeout=seconds priority=value These key-value pairs have the same meaning as in the usual ovs-ofctl flow syntax. table=number The table in which the new flow should be inserted. Specify a decimal number between 0 and 254. The default, if table is unspecified, is table 1. field=value field[start..end]=src[start..end] field[start..end] Adds a match criterion to the new flow. The first form specifies that field must match the literal value, e.g. dl_type=0x0800. All of the fields and values for ovs-ofctl flow syntax are available with their usual meanings. The second form specifies that field[start..end] in the new flow must match src[start..end] taken from the flow currently being processed. The third form is a shorthand for the second form. It specifies that field[start..end] in the new flow must match field[start..end] taken from the flow currently being processed. load:value->dst[start..end] load:src[start..end]->dst[start..end] Adds a load action to the new flow. The first form loads the literal value into bits start through end, inclusive, in field dst. Its syntax is the same as the load action described earlier in this section. The second form loads src[start..end], a value from the flow currently being processed, into bits start through end, inclusive, in field dst. output:field[start..end] Add an output action to the new flow's actions, that outputs to the OpenFlow port taken from field[start..end], which must be an NXM field as described above. For best performance, segregate learned flows into a table (using table=number) that is not used for any other flows except possibly for a lowest-priority ``catch-all'' flow, that is, a flow with no match criteria. (This is why the default table is 1, to keep the learned flows separate from the primary flow table 0.) exit This action causes Open vSwitch to immediately halt execution of further actions. Those actions which have already been executed are unaffected. Any further actions, including those which may be in other tables, or different levels of the resubmit call stack, are ignored. The add-flow, add-flows, and mod-flows commands support an additional optional field: cookie=value A cookie is an opaque identifier that can be associated with the flow. value can be any 64-bit number and need not be unique among flows. If this field is omitted, these commands set a default cookie value of 0. The following additional field sets the priority for flows added by the add-flow and add-flows commands. For mod-flows and del-flows when --strict is specified, priority must match along with the rest of the flow specification. Other commands do not allow priority to be specified. priority=value The priority at which a wildcarded entry will match in comparison to others. value is a number between 0 and 65535, inclusive. A higher value will match before a lower one. An exact-match entry will always have priority over an entry containing wildcards, so it has an implicit priority value of 65535. When adding a flow, if the field is not specified, the flow's priority will default to 32768. The add-flow and add-flows commands support additional optional fields: idle_timeout=seconds Causes the flow to expire after the given number of seconds of inactivity. A value of 0 (the default) prevents a flow from expiring due to inactivity. hard_timeout=seconds Causes the flow to expire after the given number of seconds, regardless of activity. A value of 0 (the default) gives the flow no hard expiration deadline. The dump-flows, dump-aggregate, del-flow and del-flows commands support one additional optional field: out_port=port If set, a matching flow must include an output action to port. Table Entry Output The dump-tables and dump-aggregate commands print information about the entries in a datapath's tables. Each line of output is a unique flow entry, which begins with some common information: duration The number of seconds the entry has been in the table. table_id The table that contains the flow. When a packet arrives, the switch begins searching for an entry at the lowest numbered table. Tables are numbered as shown by the dump-tables command. priority The priority of the entry in relation to other entries within the same table. A higher value will match before a lower one. n_packets The number of packets that have matched the entry. n_bytes The total number of bytes from packets that have matched the entry. The rest of the line consists of a description of the flow entry as described in Flow Syntax, above.
--strict Uses strict matching when running flow modification commands. -F format --flow-format=format ovs-ofctl supports the following flow formats, in order of increasing capability: openflow10 This is the standard OpenFlow 1.0 flow format. It should be supported by all OpenFlow switches. nxm (Nicira Extended Match) This Nicira extension to OpenFlow is flexible and extensible. It supports all of the Nicira flow extensions, such as tun_id and registers. Usually, ovs-ofctl picks the correct format automatically. For commands that modify the flow table, ovs-ofctl by default uses the most widely supported flow format that supports the flows being added. For commands that query the flow table, ovs-ofctl by default queries and uses the most advanced format supported by the switch. This option, where format is one of the formats listed in the above table, overrides ovs-ofctl's default choice of flow format. If a command cannot work as requested using the requested flow format, ovs-ofctl will report a fatal error. -m --more Increases the verbosity of OpenFlow messages printed and logged by ovs-ofctl commands. Specify this option more than once to increase verbosity further. Public Key Infrastructure Options -p privkey.pem --private-key=privkey.pem Specifies a PEM file containing the private key used as ovs-ofctl's identity for outgoing SSL connections. -c cert.pem --certificate=cert.pem Specifies a PEM file containing a certificate that certifies the private key specified on -p or --private-key to be trustworthy. The certificate must be signed by the certificate authority (CA) that the peer in SSL connections will use to verify it. -C cacert.pem --ca-cert=cacert.pem Specifies a PEM file containing the CA certificate that ovs-ofctl should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on -c or --certificate, or it may be a different one, depending on the PKI design in use.) -C none --ca-cert=none Disables verification of certificates presented by SSL peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts. -vmodule[:facility[:level]], --verbose=module[:facility[:level]] Sets the logging level for module in facility to level: · module may be any valid module name (as displayed by the --list action on ovs-appctl(8)), or the special name ANY to set the logging levels for all modules. · facility may be syslog, console, or file to set the levels for logging to the system log, the console, or a file respectively, or ANY to set the logging levels for both facilities. If it is omitted, facility defaults to ANY. Regardless of the log levels set for file, logging to a file will not take place unless --log-file is also specified (see below). · level must be one of off, emer, err, warn, info, or dbg, designating the minimum severity of a message for it to be logged. If it is omitted, level defaults to dbg. See ovs-appctl(8) for a definition of each log level. -v, --verbose Sets the maximum logging verbosity level, equivalent to --verbose=ANY:ANY:dbg. -vPATTERN:facility:pattern, --verbose=PATTERN:facility:pattern Sets the log pattern for facility to pattern. Refer to ovs-appctl(8) for a description of the valid syntax for pattern. --log-file[=file] Enables logging to a file. If file is specified, then it is used as the exact name for the log file. The default log file name used if file is omitted is /var/log/openvswitch/ovs-ofctl.log. -h, --help Prints a brief help message to the console. -V, --version Prints version information to the console.
The following examples assume that ovs-vswitchd has a bridge named br0 configured. ovs-ofctl dump-tables br0 Prints out the switch's table stats. (This is more interesting after some traffic has passed through.) ovs-ofctl dump-flows br0 Prints the flow entries in the switch.
ovs-appctl(8), ovs-controller(8), ovs-vswitchd(8)