Provided by: openvswitch-common_1.4.0-1ubuntu1_amd64 bug

NAME

       ovs-ofctl - administer OpenFlow switches

SYNOPSIS

       ovs-ofctl [options] command [switch] [args...]

DESCRIPTION

       The  ovs-ofctl  program  is  a command line tool for monitoring and administering OpenFlow
       switches.  It can also show the current state of an OpenFlow switch,  including  features,
       configuration, and table entries.

   OpenFlow Switch Management Commands
       These  commands  allow ovs-ofctl to monitor and administer an OpenFlow switch.  It is able
       to show the current state of  a  switch,  including  features,  configuration,  and  table
       entries.

       Most  of  these  commands  take an argument that specifies the method for connecting to an
       OpenFlow switch.  The following connection methods are supported:

              ssl:ip[:port]
                     The specified SSL port (default: 6633) on the host at the  given  ip,  which
                     must  be  expressed  as  an IP address (not a DNS name).  The --private-key,
                     --certificate, and --ca-cert options are mandatory when this form is used.

              tcp:ip[:port]
                     The specified TCP port (default: 6633) on the host at the  given  ip,  which
                     must be expressed as an IP address (not a DNS name).

              unix:file
                     The Unix domain server socket named file.

              file   This is short for unix:file, as long as file does not contain a colon.

              bridge This  is  short for unix:/var/run/openvswitch/bridge.mgmt, as long as bridge
                     does not contain a colon.

              [type@]dp
                     Attempts to look up the bridge associated with dp and  open  as  above.   If
                     type  is  given,  it  specifies  the  datapath provider of dp, otherwise the
                     default provider system is assumed.

       show switch
              Prints to the console information on switch,  including  information  on  its  flow
              tables and ports.

       dump-tables switch
              Prints to the console statistics for each of the flow tables used by switch.

       dump-ports switch [netdev]
              Prints  to  the  console statistics for network devices associated with switch.  If
              netdev is specified, only the  statistics  associated  with  that  device  will  be
              printed.  netdev can be an OpenFlow assigned port number or device name, e.g. eth0.

       mod-port switch netdev action
              Modify characteristics of an interface monitored by switch.  netdev can be referred
              to by its OpenFlow assigned port number or the device name, e.g. eth0.  The  action
              may be any one of the following:

              up     Enables  the  interface.   This  is  equivalent to ``ifconfig up'' on a Unix
                     system.

              down   Disables the interface.  This is equivalent to ``ifconfig down'' on  a  Unix
                     system.

              forward
                     Allows forwarding of traffic on this interface.  This is the default posture
                     for all ports.

              noforward
                     Disallows forwarding of traffic on this interface.

              flood  When a flood action is specified, traffic will be sent out  this  interface.
                     This is the default posture for monitored ports.

              noflood
                     When  a  flood  action  is  specified,  traffic  will  not  be sent out this
                     interface.  This is primarily useful to prevent loops when a  spanning  tree
                     protocol is not in use.

       get-frags switch
              Prints switch's fragment handling mode.  See set-frags, below, for a description of
              each fragment handling mode.

              The show command also prints the fragment handling mode among its other output.

       set-frags switch frag_mode
              Configures switch's  treatment  of  IPv4  and  IPv6  fragments.   The  choices  for
              frag_mode are:

              normal Fragments  pass through the flow table like non-fragmented packets.  The TCP
                     ports, UDP ports, and ICMP type and code fields are always set  to  0,  even
                     for fragments where that information would otherwise be available (fragments
                     with offset 0).  This is the default fragment handling mode for an  OpenFlow
                     switch.

              drop   Fragments are dropped without passing through the flow table.

              reassemble
                     The  switch  reassembles  fragments into full IP packets before passing them
                     through the flow table.  Open  vSwitch  does  not  implement  this  fragment
                     handling mode.

              nx-match
                     Fragments  pass through the flow table like non-fragmented packets.  The TCP
                     ports, UDP ports, and ICMP type and code fields are available  for  matching
                     for  fragments with offset 0, and set to 0 in fragments with nonzero offset.
                     This mode is a Nicira extension.

              See the description of ip_frag, below, for a way to match on whether a packet is  a
              fragment and on its fragment offset.

       dump-flows switch [flows]
              Prints  to  the  console  all flow entries in switch's tables that match flows.  If
              flows is omitted, all flows in the switch are retrieved.  See Flow  Syntax,  below,
              for the syntax of flows.  The output format is described in Table Entry Output.

       dump-aggregate switch [flows]
              Prints  to the console aggregate statistics for flows in switch's tables that match
              flows.  If flows is omitted, the statistics are aggregated across all flows in  the
              switch's flow tables.  See Flow Syntax, below, for the syntax of flows.  The output
              format is descrbed in Table Entry Output.

       queue-stats switch [port [queue]]
              Prints to the console statistics for the specified queue  on  port  within  switch.
              Either  of port or queue or both may be omitted (or equivalently specified as ALL).
              If both are omitted, statistics are printed for all queues on all ports.   If  only
              queue  is omitted, then statistics are printed for all queues on port; if only port
              is omitted, then statistics are printed for queue on every port where it exists.

   OpenFlow Switch Flow Table Commands
       These commands manage the flow table in an OpenFlow switch.  In each case, flow  specifies
       a  flow  entry in the format described in Flow Syntax, below, and file is a text file that
       contains zero or more flows in the same syntax, one per line.

       add-flow switch flow
       add-flow switch - < file
       add-flows switch file
              Add each flow entry to switch's tables.

       [--strict] mod-flows switch flow
       [--strict] mod-flows switch - < file
              Modify the actions in entries from switch's tables that match the specified  flows.
              With --strict, wildcards are not treated as active for matching purposes.

       del-flows switch
       [--strict] del-flows switch [flow]
       [--strict] del-flows switch - < file
              Deletes entries from switch's flow table.  With only a switch argument, deletes all
              flows.  Otherwise, deletes flow entries  that  match  the  specified  flows.   With
              --strict, wildcards are not treated as active for matching purposes.

       [--readd] replace-flows switch file
              Reads  flow  entries  from  file (or stdin if file is -) and queries the flow table
              from switch.  Then it fixes up any differences, adding flows  from  flow  that  are
              missing  on  switch,  deleting flows from switch that are not in file, and updating
              flows in switch whose actions, cookie, or timeouts differ in file.

              With --readd, ovs-ofctl adds all the flows from file, even those  that  exist  with
              the  same  actions, cookie, and timeout in switch.  This resets all the flow packet
              and byte counters to 0, which can be useful for debugging.

       diff-flows source1 source2
              Reads flow entries from source1 and source2 and prints  the  differences.   A  flow
              that  is  in source1 but not in source2 is printed preceded by a -, and a flow that
              is in source2 but not in source1 is printed preceded by a +.  If a flow  exists  in
              both  source1  and  source2  with different actions, cookie, or timeouts, then both
              versions are printed preceded by - and +, respectively.

              source1 and source2 may each name a file or a switch.  If a name begins with  /  or
              .,  then  it is considered to be a file name.  A name that contains : is considered
              to be a switch.  Otherwise, it is a file if a file by that name exists, a switch if
              not.

              For this command, an exit status of 0 means that no differences were found, 1 means
              that an error occurred, and 2 means that some differences were found.

   OpenFlow Switch Monitoring Commands
       snoop switch
              Connects to switch and prints  to  the  console  all  OpenFlow  messages  received.
              Unlike  other ovs-ofctl commands, if switch is the name of a bridge, then the snoop
              command connects to a Unix domain socket  named  /var/run/openvswitch/bridge.snoop.
              ovs-vswitchd  listens  on  such a socket for each bridge and sends to it all of the
              OpenFlow messages sent to or received  from  its  configured  OpenFlow  controller.
              Thus,  this command can be used to view OpenFlow protocol activity between a switch
              and its controller.

              When a switch has more than one controller configured, only the traffic to and from
              a  single  controller  is  output.   If  none of the controllers is configured as a
              master or a slave (using a Nicira extension to  OpenFlow),  then  a  controller  is
              chosen  arbitrarily  among  them.   If  there is a master controller, it is chosen;
              otherwise, if there are any controllers that are not  masters  or  slaves,  one  is
              chosen  arbitrarily;  otherwise,  a  slave  controller is chosen arbitrarily.  This
              choice is made  once  at  connection  time  and  does  not  change  as  controllers
              reconfigure their roles.

              If  a  switch  has  no  controller  configured,  or if the configured controller is
              disconnected, no traffic is sent, so monitoring will not show any traffic.

       monitor switch [miss-len]
              Connects to switch and prints  to  the  console  all  OpenFlow  messages  received.
              Usually, switch should specify the name of a bridge in the ovs-vswitchd database.

              If  miss-len is provided, ovs-ofctl sends an OpenFlow ``set configuration'' message
              at connection setup time that requests miss-len bytes of each  packet  that  misses
              the  flow  table.  Open vSwitch does not send these and other asynchronous messages
              to an ovs-ofctl monitor client connection unless a nonzero value  is  specified  on
              this  argument.   (Thus,  if  miss-len  is  not specified, very little traffic will
              ordinarily be printed.)

              This command may be useful for debugging switch or controller implementations.

   OpenFlow Switch and Controller Commands
       The following commands, like those in the previous section, may  be  applied  to  OpenFlow
       switches,  using  any  of  the connection methods described in that section.  Unlike those
       commands, these may also be applied to OpenFlow controllers.

       probe target
              Sends a single OpenFlow echo-request message to target and waits for the  response.
              With  the  -t or --timeout option, this command can test whether an OpenFlow switch
              or controller is up and running.

       ping target [n]
              Sends a series of 10 echo request packets to target and times each reply.  The echo
              request  packets  consist  of  an  OpenFlow  header  plus  n bytes (default: 64) of
              randomly generated payload.  This measures the latency of individual requests.

       benchmark target n count
              Sends count echo request packets that each consist of an  OpenFlow  header  plus  n
              bytes  of  payload  and  waits for each response.  Reports the total time required.
              This is a measure of the maximum bandwidth to  target  for  round-trips  of  n-byte
              messages.

   Flow Syntax
       Some  ovs-ofctl  commands  accept  an  argument that describes a flow or flows.  Such flow
       descriptions comprise a series field=value  assignments,  separated  by  commas  or  white
       space.  (Embedding spaces into a flow description normally requires quoting to prevent the
       shell from breaking the description into multiple arguments.)

       Flow descriptions should be in normal form.  This means that a flow  may  only  specify  a
       value  for  an L3 field if it also specifies a particular L2 protocol, and that a flow may
       only specify an L4 field if it also specifies particular L2 and L3  protocol  types.   For
       example, if the L2 protocol type dl_type is wildcarded, then L3 fields nw_src, nw_dst, and
       nw_proto must also be wildcarded.  Similarly, if dl_type  or  nw_proto  (the  L3  protocol
       type)  is  wildcarded,  so must be tp_dst and tp_src, which are L4 fields.  ovs-ofctl will
       warn about flows not in normal form.

       The following field assignments describe how a flow matches a packet.   If  any  of  these
       assignments  is omitted from the flow syntax, the field is treated as a wildcard; thus, if
       all of them are omitted, the resulting flow matches all packets.  The string * or ANY  may
       be specified to explicitly mark any of these fields as a wildcard.  (* should be quoted to
       protect it from shell expansion.)

       in_port=port_no
              Matches OpenFlow port port_no.  Ports are numbered as displayed by ovs-ofctl show.

              (The resubmit action can search OpenFlow flow tables with arbitrary in_port values,
              so flows that match port numbers that do not exist from an OpenFlow perspective can
              still potentially be matched.)

       dl_vlan=vlan
              Matches IEEE 802.1q Virtual LAN tag vlan.  Specify 0xffff as vlan to match  packets
              that  are  not tagged with a Virtual LAN; otherwise, specify a number between 0 and
              4095, inclusive, as the 12-bit VLAN ID to match.

       dl_vlan_pcp=priority
              Matches IEEE 802.1q Priority Code Point (PCP) priority, which  is  specified  as  a
              value between 0 and 7, inclusive.  A higher value indicates a higher frame priority
              level.

       dl_src=xx:xx:xx:xx:xx:xx
       dl_dst=xx:xx:xx:xx:xx:xx
              Matches an Ethernet source  (or  destination)  address  specified  as  6  pairs  of
              hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0).

       dl_dst=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
              Matches  an Ethernet destination address specified as 6 pairs of hexadecimal digits
              delimited by colons (e.g. 00:0A:E4:25:6B:B0), with a wildcard  mask  following  the
              slash.  Only the following masks are allowed:

              01:00:00:00:00:00
                     Match         only         the         multicast         bit.          Thus,
                     dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches all multicast  (including
                     broadcast)  Ethernet packets, and dl_dst=00:00:00:00:00:00/01:00:00:00:00:00
                     matches all unicast Ethernet packets.

              fe:ff:ff:ff:ff:ff
                     Match all bits except the multicast bit.  This is probably not useful.

              ff:ff:ff:ff:ff:ff
                     Exact match (equivalent to omitting the mask).

              00:00:00:00:00:00
                     Wildcard all bits (equivalent to dl_dst=*.)

       dl_type=ethertype
              Matches Ethernet protocol type ethertype, which is specified as an integer  between
              0 and 65535, inclusive, either in decimal or as a hexadecimal number prefixed by 0x
              (e.g. 0x0806 to match ARP packets).

       nw_src=ip[/netmask]
       nw_dst=ip[/netmask]
              When dl_type is 0x0800 (possibly via shorthand,  e.g.  ip  or  tcp),  matches  IPv4
              source (or destination) address ip, which may be specified as an IP address or host
              name  (e.g.  192.168.1.1  or  www.example.com).   The   optional   netmask   allows
              restricting  a  match to an IPv4 address prefix.  The netmask may be specified as a
              dotted  quad  (e.g.  192.168.1.0/255.255.255.0)  or   as   a   CIDR   block   (e.g.
              192.168.1.0/24).

              When  dl_type=0x0806  or  arp  is  specified,  matches  the ar_spa or ar_tpa field,
              respectively, in ARP packets for IPv4 and Ethernet.

              When dl_type is wildcarded or set to a value  other  than  0x0800  or  0x0806,  the
              values of nw_src and nw_dst are ignored (see Flow Syntax above).

       nw_proto=proto
              When  ip  or  dl_type=0x0800 is specified, matches IP protocol type proto, which is
              specified as a decimal number between 0 and 255, inclusive (e.g. 1  to  match  ICMP
              packets or 6 to match TCP packets).

              When  ipv6 or dl_type=0x86dd is specified, matches IPv6 header type proto, which is
              specified as a decimal number between 0 and 255, inclusive (e.g. 58 to match ICMPv6
              packets or 6 to match TCP).  The header type is the terminal header as described in
              the DESIGN document.

              When arp or dl_type=0x0806 is specified, matches  the  lower  8  bits  of  the  ARP
              opcode.  ARP opcodes greater than 255 are treated as 0.

              When  dl_type is wildcarded or set to a value other than 0x0800, 0x0806, or 0x86dd,
              the value of nw_proto is ignored (see Flow Syntax above).

       nw_tos=tos
              Matches IP ToS/DSCP or IPv6 traffic class  field  tos,  which  is  specified  as  a
              decimal number between 0 and 255, inclusive.  Note that the two lower reserved bits
              are ignored for matching purposes.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_tos is ignored (see Flow Syntax above).

       nw_ecn=ecn
              Matches  ecn  bits  in IP ToS or IPv6 traffic class fields, which is specified as a
              decimal number between 0 and 3, inclusive.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_ecn is ignored (see Flow Syntax above).

       nw_ttl=ttl
              Matches  IP TTL or IPv6 hop limit value ttl, which is specified as a decimal number
              between 0 and 255, inclusive.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_ttl is ignored (see Flow Syntax above).

       tp_src=port
       tp_dst=port
              When  dl_type  and  nw_proto specify TCP or UDP, tp_src and tp_dst match the UDP or
              TCP source or destination port port, respectively. which is specified as a  decimal
              number  between 0 and 65535, inclusive (e.g. 80 to match packets originating from a
              HTTP server).

              When dl_type and nw_proto take other values,  the  values  of  these  settings  are
              ignored (see Flow Syntax above).

       icmp_type=type
       icmp_code=code
              When  dl_type  and  nw_proto specify ICMP or ICMPv6, type matches the ICMP type and
              code matches the ICMP code.  Each is specified as a decimal number  between  0  and
              255, inclusive.

              When  dl_type  and  nw_proto  take  other  values, the values of these settings are
              ignored (see Flow Syntax above).

       table=number
              If specified, limits the flow manipulation and flow dump commands to only apply  to
              the table with the given number between 0 and 254.  Behavior varies if table is not
              specified (equivalent to specifying 255 as number).  For  flow  table  modification
              commands  without  --strict, the switch will choose the table for these commands to
              operate on.  For flow table modification commands with --strict, the  command  will
              operate  on  any single matching flow in any table; it will do nothing if there are
              matches in more than one table.  The dump-flows and  dump-aggregate  commands  will
              gather statistics about flows from all tables.

              When  this  field  is  specified  in  add-flow,  add-flows, mod-flows and del-flows
              commands, it activates a Nicira extension to OpenFlow, which as of this writing  is
              only known to be implemented by Open vSwitch.

       The following shorthand notations are also available:

       ip     Same as dl_type=0x0800.

       icmp   Same as dl_type=0x0800,nw_proto=1.

       tcp    Same as dl_type=0x0800,nw_proto=6.

       udp    Same as dl_type=0x0800,nw_proto=17.

       arp    Same as dl_type=0x0806.

       The  following  field  assignments  require  support  for  the NXM (Nicira Extended Match)
       extension to OpenFlow.  When one of  these  is  specified,  ovs-ofctl  will  automatically
       attempt  to  negotiate  use  of  this extension.  If the switch does not support NXM, then
       ovs-ofctl will report a fatal error.

       vlan_tci=tci[/mask]
              Matches modified VLAN TCI tci.  If mask is omitted, tci is the exact  VLAN  TCI  to
              match;  if mask is specified, then a 1-bit in mask indicates that the corresponding
              bit in tci must match exactly, and a 0-bit wildcards that bit.  Both tci  and  mask
              are  16-bit  values that are decimal by default; use a 0x prefix to specify them in
              hexadecimal.

              The value that vlan_tci matches against is 0  for  a  packet  that  has  no  802.1Q
              header.   Otherwise,  it  is  the TCI value from the 802.1Q header with the CFI bit
              (with value 0x1000) forced to 1.

              Examples:

              vlan_tci=0
                     Match only packets without an 802.1Q header.

              vlan_tci=0xf123
                     Match packets tagged with priority 7 in VLAN 0x123.

              vlan_tci=0x1123/0x1fff
                     Match packets tagged with VLAN 0x123 (and any priority).

              vlan_tci=0x5000/0xf000
                     Match packets tagged with priority 2 (in any VLAN).

              vlan_tci=0/0xfff
                     Match packets with  no  802.1Q  header  or  tagged  with  VLAN  0  (and  any
                     priority).

              vlan_tci=0x5000/0xe000
                     Match packets with no 802.1Q header or tagged with priority 2 (in any VLAN).

              vlan_tci=0/0xefff
                     Match packets with no 802.1Q header or tagged with VLAN 0 and priority 0.

              Some  of  these  matching  possibilities  can  also  be  achieved  with dl_vlan and
              dl_vlan_pcp.

       ip_frag=frag_type
              When dl_type specifies IP or IPv6, frag_type specifies what kind of IP fragments or
              non-fragments to match.  The following values of frag_type are supported:

              no     Matches only non-fragmented packets.

              yes    Matches all fragments.

              first  Matches only fragments with offset 0.

              later  Matches only fragments with nonzero offset.

              not_later
                     Matches non-fragmented packets and fragments with zero offset.

              The  ip_frag  match  type  is  likely  to be most useful in nx-match mode.  See the
              description of the set-frags command, above, for more details.

       arp_sha=xx:xx:xx:xx:xx:xx
       arp_tha=xx:xx:xx:xx:xx:xx
              When dl_type specifies ARP,  arp_sha  and  arp_tha  match  the  source  and  target
              hardware  address, respectively.  An address is specified as 6 pairs of hexadecimal
              digits delimited by colons.

       ipv6_src=ipv6[/netmask]
       ipv6_dst=ipv6[/netmask]
              When dl_type is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6),  matches  IPv6
              source  (or  destination)  address  ipv6,  which may be specified as defined in RFC
              2373.  The preferred format is x:x:x:x:x:x:x:x, where x are the hexadecimal  values
              of  the eight 16-bit pieces of the address.  A single instance of :: may be used to
              indicate multiple  groups  of  16-bits  of  zeros.   The  optional  netmask  allows
              restricting  a  match  to an IPv6 address prefix.  A netmask is specified as a CIDR
              block (e.g. 2001:db8:3c4d:1::/64).

       ipv6_label=label
              When dl_type is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6),  matches  IPv6
              flow label label.

       nd_target=ipv6
              When  dl_type, nw_proto, and icmp_type specify IPv6 Neighbor Discovery (ICMPv6 type
              135 or 136), matches the target address ipv6.  ipv6 is in the same format described
              earlier for the ipv6_src and ipv6_dst fields.

       nd_sll=xx:xx:xx:xx:xx:xx
              When  dl_type,  nw_proto,  and icmp_type specify IPv6 Neighbor Solicitation (ICMPv6
              type 135), matches the source link-layer address option.  An address  is  specified
              as 6 pairs of hexadecimal digits delimited by colons.

       nd_tll=xx:xx:xx:xx:xx:xx
              When  dl_type,  nw_proto, and icmp_type specify IPv6 Neighbor Advertisement (ICMPv6
              type 136), matches the target link-layer address option.  An address  is  specified
              as 6 pairs of hexadecimal digits delimited by colons.

       tun_id=tunnel-id[/mask]
              Matches  tunnel  identifier tunnel-id.  Only packets that arrive over a tunnel that
              carries a key (e.g. GRE with the RFC 2890 key extension) will have a nonzero tunnel
              ID.   If  mask  is  omitted,  tunnel-id is the exact tunnel ID to match; if mask is
              specified, then a 1-bit in mask indicates that the corresponding bit  in  tunnel-id
              must match exactly, and a 0-bit wildcards that bit.

              In an attempt to be compatible with more switches, ovs-ofctl will prefer to use the
              ``tunnel ID from cookie'' Nicira extension to NXM.  The use of this extension comes
              with  three caveats: the top 32 bits of the cookie (see below) are used for tunnel-
              id and  thus  unavailable  for  other  use,  specifying  tun_id  on  dump-flows  or
              dump-aggregate  has  no effect, and mask is not supported.  If any of these caveats
              apply, ovs-ofctl will use NXM.

       regidx=value[/mask]
              Matches value either exactly or with optional mask in  register  number  idx.   The
              valid  range  of idx depends on the switch.  value and mask are 32-bit integers, by
              default in decimal (use a 0x prefix to specify hexadecimal).  Arbitrary mask values
              are  allowed:  a  1-bit  in mask indicates that the corresponding bit in value must
              match exactly, and a 0-bit wildcards that bit.

              When a packet enters an OpenFlow switch, all of the registers are set to  0.   Only
              explicit Nicira extension actions change register values.

       Defining  IPv6  flows  (those with dl_type equal to 0x86dd) requires support for NXM.  The
       following shorthand notations are available for IPv6-related flows:

       ipv6   Same as dl_type=0x86dd.

       tcp6   Same as dl_type=0x86dd,nw_proto=6.

       udp6   Same as dl_type=0x86dd,nw_proto=17.

       icmp6  Same as dl_type=0x86dd,nw_proto=58.

       Finally, field assignments to duration, n_packets, or n_bytes are ignored to allow  output
       from the dump-flows command to be used as input for other commands that parse flows.

       The add-flow, add-flows, and mod-flows commands require an additional field, which must be
       the final field specified:

       actions=[target][,target...]
              Specifies a comma-separated list of actions to take on a packet when the flow entry
              matches.   If  no  target is specified, then packets matching the flow are dropped.
              The target may be a decimal port number designating the physical port on  which  to
              output the packet, or one of the following keywords:

              output:port
              output:src[start..end]
                     Outputs  the packet. If port is an OpenFlow port number, outputs directly to
                     it.  Otherwise, outputs to the OpenFlow port number read from src which must
                     be  an  NXM  field  as  described  above.   Outputting to an NXM field is an
                     OpenFlow extension which is not supported by standard OpenFlow switches.

                     Example: output:NXM_NX_REG0[16..31] outputs  to  the  OpenFlow  port  number
                     written in the upper half of register 0.

              enqueue:port:queue
                     Enqueues  the packet on the specified queue within port port.  The number of
                     supported queues depends on the switch; some OpenFlow implementations do not
                     support queuing at all.

              normal Subjects  the  packet to the device's normal L2/L3 processing.  (This action
                     is not implemented by all OpenFlow switches.)

              flood  Outputs the packet on all switch physical ports other than the port on which
                     it  was  received  and  any  ports on which flooding is disabled (typically,
                     these would be ports disabled by the IEEE 802.1D spanning tree protocol).

              all    Outputs the packet on all switch physical ports other than the port on which
                     it was received.

              controller:max_len
                     Sends  the packet to the OpenFlow controller as a ``packet in'' message.  If
                     max_len is a number, then it specifies the  maximum  number  of  bytes  that
                     should  be  sent.   If  max_len is ALL or omitted, then the entire packet is
                     sent.

              local  Outputs the packet on the ``local port,'' which corresponds to  the  network
                     device that has the same name as the bridge.

              in_port
                     Outputs the packet on the port from which it was received.

              drop   Discards the packet, so no further processing or forwarding takes place.  If
                     a drop action is used, no other actions may be specified.

              mod_vlan_vid:vlan_vid
                     Modifies the VLAN id on a packet.  The VLAN tag  is  added  or  modified  as
                     necessary  to  match  the  value  specified.   If  the  VLAN tag is added, a
                     priority of zero is used (see the mod_vlan_pcp action to set this).

              mod_vlan_pcp:vlan_pcp
                     Modifies the VLAN priority on a packet.  The VLAN tag is added  or  modified
                     as  necessary  to  match  the  value  specified.  Valid values are between 0
                     (lowest) and 7 (highest).  If the VLAN tag is added, a vid of zero  is  used
                     (see the mod_vlan_vid action to set this).

              strip_vlan
                     Strips the VLAN tag from a packet if it is present.

              mod_dl_src:mac
                     Sets the source Ethernet address to mac.

              mod_dl_dst:mac
                     Sets the destination Ethernet address to mac.

              mod_nw_src:ip
                     Sets the IPv4 source address to ip.

              mod_nw_dst:ip
                     Sets the IPv4 destination address to ip.

              mod_tp_src:port
                     Sets the TCP or UDP source port to port.

              mod_tp_dst:port
                     Sets the TCP or UDP destination port to port.

              mod_nw_tos:tos
                     Sets  the  IP  ToS/DSCP  field  to tos.  Valid values are between 0 and 255,
                     inclusive.  Note that the two lower reserved bits are never modified.

              The following actions are Nicira vendor extensions that, as of  this  writing,  are
              only known to be implemented by Open vSwitch:

              resubmit:port
              resubmit([port],[table])
                     Re-searches this OpenFlow flow table (or the table whose number is specified
                     by table) with the in_port field replaced by port (if port is specified) and
                     executes the actions found, if any, in addition to any other actions in this
                     flow entry.

                     Recursive resubmit  actions  are  obeyed  up  to  an  implementation-defined
                     maximum  depth.   Open  vSwitch 1.0.1 and earlier did not support recursion;
                     Open vSwitch before 1.2.90 did not support table.

              set_tunnel:id
              set_tunnel64:id
                     If outputting to a port  that  encapsulates  the  packet  in  a  tunnel  and
                     supports  an  identifier  (such  as GRE), sets the identifier to id.  If the
                     set_tunnel form is used and id fits in 32 bits, then  this  uses  an  action
                     extension that is supported by Open vSwitch 1.0 and later.  Otherwise, if id
                     is a 64-bit value, it requires Open vSwitch 1.1 or later.

              set_queue:queue
                     Sets the queue that should be used to queue when packets  are  output.   The
                     number   of   supported   queues   depends  on  the  switch;  some  OpenFlow
                     implementations do not support queuing at all.

              pop_queue
                     Restores the queue to the value it was before  any  set_queue  actions  were
                     applied.

              note:[hh]...
                     Does  nothing  at all.  Any number of bytes represented as hex digits hh may
                     be  included.   Pairs  of  hex  digits  may  be  separated  by  periods  for
                     readability.

              move:src[start..end]->dst[start..end]
                     Copies  the named bits from field src to field dst.  src and dst must be NXM
                     field names as defined in nicira-ext.h, e.g. NXM_OF_UDP_SRC or  NXM_NX_REG0.
                     Each  start  and end pair, which are inclusive, must specify the same number
                     of  bits  and  must  fit  within  its  respective  field.   Shorthands   for
                     [start..end]  exist:  use  [bit] to specify a single bit or [] to specify an
                     entire field.

                     Examples: move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31] copies  the  six  bits
                     numbered  0  through  5,  inclusive,  in register 0 into bits 26 through 31,
                     inclusive;  move:NXM_NX_REG0[0..15]->NXM_OF_VLAN_TCI[]  copies   the   least
                     significant 16 bits of register 0 into the VLAN TCI field.

              load:value->dst[start..end]
                     Writes value to bits start through end, inclusive, in field dst.

                     Example: load:55->NXM_NX_REG2[0..5] loads value 55 (bit pattern 110111) into
                     bits 0 through 5, inclusive, in register 2.

              multipath(fields, basis, algorithm, n_links, arg, dst[start..end])
                     Hashes fields using basis as a universal hash parameter,  then  the  applies
                     multipath  link  selection  algorithm  (with parameter arg) to choose one of
                     n_links output links numbered 0 through n_links minus 1, and stores the link
                     into dst[start..end], which must be an NXM field as described above.

                     Currently,  fields must be either eth_src or symmetric_l4 and algorithm must
                     be one of modulo_n, hash_threshold, hrw, and iter_hash.  Only the  iter_hash
                     algorithm uses arg.

                     Refer to nicira-ext.h for more details.

              autopath(id, dst[start..end])
                     Given  id,  chooses  an  OpenFlow  port and populates it in dst[start..end],
                     which must be an NXM field as described above.

                     Currently, id should be the OpenFlow port number  of  an  interface  on  the
                     bridge.   If  it  isn't  then  dst[start..end]  will  be  populated with the
                     OpenFlow port "none".  If id  is  a  member  of  a  bond,  the  normal  bond
                     selection logic will be used to choose the destination port.  Otherwise, the
                     register will be populated with id itself.

                     Refer to nicira-ext.h for more details.

              bundle(fields, basis, algorithm, slave_type, slaves:[s1, s2, ...])
                     Hashes fields using basis as a universal hash parameter,  then  applies  the
                     bundle  link  selection  algorithm  to  choose  one  of  the  listed  slaves
                     represented as slave_type.   Currently  the  only  supported  slave_type  is
                     ofport.  Thus, each s1 through sN should be an OpenFlow port number. Outputs
                     to the selected slave.

                     Currently, fields must be either eth_src or symmetric_l4 and algorithm  must
                     be one of hrw and active_backup.

                     Example:  bundle(eth_src,0,hrw,ofport,slaves:4,8)  uses  an  Ethernet source
                     hash with basis 0, to select between  OpenFlow  ports  4  and  8  using  the
                     Highest Random Weight algorithm.

                     Refer to nicira-ext.h for more details.

              bundle_load(fields,  basis, algorithm, slave_type, dst[start..end], slaves:[s1, s2,
              ...])
                     Has the same behavior as the bundle action, with one exception.  Instead  of
                     outputting   to   the   selected   slave,   it   writes   its  selection  to
                     dst[start..end], which must be an NXM field as described above.

                     Example: bundle_load(eth_src, 0, hrw, ofport,  NXM_NX_REG0[],  slaves:4,  8)
                     uses  an Ethernet source hash with basis 0, to select between OpenFlow ports
                     4 and 8 using the Highest Random Weight algorithm, and writes the  selection
                     to NXM_NX_REG0[].

                     Refer to nicira-ext.h for more details.

              learn(argument[,argument]...)
                     This  action  adds  or  modifies  a  flow  in  an OpenFlow table, similar to
                     ovs-ofctl --strict  mod-flows.   The  arguments  specify  the  flow's  match
                     fields,  actions,  and  other  properties,  as  follows.  At least one match
                     criterion and one action argument should ordinarily be specified.

                     idle_timeout=seconds
                     hard_timeout=seconds
                     priority=value
                            These key-value pairs have the same meaning as in the usual ovs-ofctl
                            flow syntax.

                     table=number
                            The  table  in  which  the  new  flow  should be inserted.  Specify a
                            decimal  number  between  0  and  254.   The  default,  if  table  is
                            unspecified, is table 1.

                     field=value
                     field[start..end]=src[start..end]
                     field[start..end]
                            Adds a match criterion to the new flow.

                            The  first  form  specifies  that field must match the literal value,
                            e.g. dl_type=0x0800.  All of the fields and values for ovs-ofctl flow
                            syntax are available with their usual meanings.

                            The second form specifies that field[start..end] in the new flow must
                            match src[start..end] taken from the flow currently being processed.

                            The third form is a shorthand for the second form.  It specifies that
                            field[start..end]  in the new flow must match field[start..end] taken
                            from the flow currently being processed.

                     load:value->dst[start..end]
                     load:src[start..end]->dst[start..end]
                            Adds a load action to the new flow.

                            The first form loads the literal value into bits start  through  end,
                            inclusive,  in  field dst.  Its syntax is the same as the load action
                            described earlier in this section.

                            The  second  form  loads  src[start..end],  a  value  from  the  flow
                            currently being processed, into bits start through end, inclusive, in
                            field dst.

                     output:field[start..end]
                            Add an output action to the new flow's actions, that outputs  to  the
                            OpenFlow  port  taken  from  field[start..end],  which must be an NXM
                            field as described above.

                     For  best  performance,  segregate  learned  flows  into  a   table   (using
                     table=number)  that  is  not  used for any other flows except possibly for a
                     lowest-priority ``catch-all'' flow, that is, a flow with no match  criteria.
                     (This is why the default table is 1, to keep the learned flows separate from
                     the primary flow table 0.)

       exit   This action causes Open vSwitch to immediately halt execution of  further  actions.
              Those  actions  which  have  already  been  executed  are  unaffected.  Any further
              actions, including those which may be in other tables, or different levels  of  the
              resubmit call stack, are ignored.

       The add-flow, add-flows, and mod-flows commands support an additional optional field:

       cookie=value
              A  cookie  is an opaque identifier that can be associated with the flow.  value can
              be any 64-bit number and need not be unique among flows.  If this field is omitted,
              these commands set a default cookie value of 0.

       The  following  additional  field  sets  the  priority for flows added by the add-flow and
       add-flows commands.  For mod-flows and del-flows when --strict is specified, priority must
       match along with the rest of the flow specification.  Other commands do not allow priority
       to be specified.

       priority=value
              The priority at which a wildcarded entry will match in comparison to others.  value
              is  a  number  between  0 and 65535, inclusive.  A higher value will match before a
              lower one.  An exact-match entry will always have priority over an entry containing
              wildcards,  so  it has an implicit priority value of 65535.  When adding a flow, if
              the field is not specified, the flow's priority will default to 32768.

       The add-flow and add-flows commands support additional optional fields:

       idle_timeout=seconds
              Causes the flow to expire after the given number of seconds of inactivity.  A value
              of 0 (the default) prevents a flow from expiring due to inactivity.

       hard_timeout=seconds
              Causes  the  flow  to  expire  after  the  given  number  of seconds, regardless of
              activity.  A value of 0 (the default) gives the flow no hard expiration deadline.

       The dump-flows, dump-aggregate, del-flow and del-flows  commands  support  one  additional
       optional field:

       out_port=port
              If set, a matching flow must include an output action to port.

   Table Entry Output
       The  dump-tables  and  dump-aggregate  commands  print  information about the entries in a
       datapath's tables.  Each line of output is a unique flow entry,  which  begins  with  some
       common information:

       duration
              The number of seconds the entry has been in the table.

       table_id
              The  table  that  contains  the  flow.   When  a  packet arrives, the switch begins
              searching for an entry at the lowest numbered table.  Tables are numbered as  shown
              by the dump-tables command.

       priority
              The  priority  of  the entry in relation to other entries within the same table.  A
              higher value will match before a lower one.

       n_packets
              The number of packets that have matched the entry.

       n_bytes
              The total number of bytes from packets that have matched the entry.

       The rest of the line consists of a description of the flow  entry  as  described  in  Flow
       Syntax, above.

OPTIONS

       --strict
              Uses strict matching when running flow modification commands.

       -F format
       --flow-format=format
              ovs-ofctl supports the following flow formats, in order of increasing capability:

              openflow10
                     This  is  the  standard OpenFlow 1.0 flow format.  It should be supported by
                     all OpenFlow switches.

              nxm (Nicira Extended Match)
                     This Nicira extension to OpenFlow is flexible and extensible.   It  supports
                     all of the Nicira flow extensions, such as tun_id and registers.

              Usually,  ovs-ofctl  picks  the  correct  format  automatically.  For commands that
              modify the flow table, ovs-ofctl by default uses the  most  widely  supported  flow
              format  that  supports  the  flows  being  added.  For commands that query the flow
              table, ovs-ofctl by default queries and uses the most advanced format supported  by
              the switch.

              This  option,  where  format  is  one  of  the  formats  listed in the above table,
              overrides ovs-ofctl's default choice of flow format.  If a command cannot  work  as
              requested using the requested flow format, ovs-ofctl will report a fatal error.

       -m
       --more Increases  the  verbosity  of  OpenFlow  messages  printed  and logged by ovs-ofctl
              commands.  Specify this option more than once to increase verbosity further.

   Public Key Infrastructure Options
       -p privkey.pem
       --private-key=privkey.pem
              Specifies a PEM file containing the private key used as  ovs-ofctl's  identity  for
              outgoing SSL connections.

       -c cert.pem
       --certificate=cert.pem
              Specifies  a  PEM  file  containing  a  certificate  that certifies the private key
              specified on -p or --private-key to be trustworthy.  The certificate must be signed
              by  the  certificate  authority  (CA)  that the peer in SSL connections will use to
              verify it.

       -C cacert.pem
       --ca-cert=cacert.pem
              Specifies a PEM file containing the CA certificate that  ovs-ofctl  should  use  to
              verify  certificates  presented  to  it  by  SSL  peers.   (This  may  be  the same
              certificate that SSL peers use  to  verify  the  certificate  specified  on  -c  or
              --certificate, or it may be a different one, depending on the PKI design in use.)

       -C none
       --ca-cert=none
              Disables  verification  of  certificates presented by SSL peers.  This introduces a
              security risk, because it means that certificates cannot be verified to be those of
              known trusted hosts.

       -vmodule[:facility[:level]], --verbose=module[:facility[:level]]
              Sets the logging level for module in facility to level:

              ·      module  may  be  any valid module name (as displayed by the --list action on
                     ovs-appctl(8)), or the special name ANY to set the logging  levels  for  all
                     modules.

              ·      facility  may  be  syslog, console, or file to set the levels for logging to
                     the system log, the console, or a file  respectively,  or  ANY  to  set  the
                     logging  levels for both facilities.  If it is omitted, facility defaults to
                     ANY.

                     Regardless of the log levels set for file, logging to a file will  not  take
                     place unless --log-file is also specified (see below).

              ·      level  must  be  one  of off, emer, err, warn, info, or dbg, designating the
                     minimum severity of a message for it to be logged.  If it is omitted,  level
                     defaults to dbg.  See ovs-appctl(8) for a definition of each log level.

       -v, --verbose
              Sets the maximum logging verbosity level, equivalent to --verbose=ANY:ANY:dbg.

       -vPATTERN:facility:pattern, --verbose=PATTERN:facility:pattern
              Sets  the  log  pattern  for  facility  to  pattern.   Refer to ovs-appctl(8) for a
              description of the valid syntax for pattern.

       --log-file[=file]
              Enables logging to a file.  If file is specified, then it is used as the exact name
              for  the  log  file.   The  default  log  file  name  used  if  file  is omitted is
              /var/log/openvswitch/ovs-ofctl.log.

       -h, --help
              Prints a brief help message to the console.

       -V, --version
              Prints version information to the console.

EXAMPLES

       The following examples assume that ovs-vswitchd has a bridge named br0 configured.

       ovs-ofctl dump-tables br0
              Prints out the switch's table stats.  (This is more interesting after some  traffic
              has passed through.)

       ovs-ofctl dump-flows br0
              Prints the flow entries in the switch.

SEE ALSO

       ovs-appctl(8), ovs-controller(8), ovs-vswitchd(8)