Provided by: openvswitch-common_2.5.0-0ubuntu1_amd64 bug

NAME

       ovs-ofctl - administer OpenFlow switches

SYNOPSIS

       ovs-ofctl [options] command [switch] [args...]

DESCRIPTION

       The  ovs-ofctl  program  is  a command line tool for monitoring and administering OpenFlow
       switches.  It can also show the current state of an OpenFlow switch,  including  features,
       configuration,  and table entries.  It should work with any OpenFlow switch, not just Open
       vSwitch.

   OpenFlow Switch Management Commands
       These commands allow ovs-ofctl to monitor and administer an OpenFlow switch.  It  is  able
       to  show  the  current  state  of  a  switch, including features, configuration, and table
       entries.

       Most of these commands take an argument that specifies the method  for  connecting  to  an
       OpenFlow switch.  The following connection methods are supported:

              ssl:ip[:port]
              tcp:ip[:port]
                     The  specified  port on the host at the given ip, which must be expressed as
                     an IP address (not a DNS name) in IPv4 or IPv6 address  format.   Wrap  IPv6
                     addresses   in   square   brackets,   e.g.  tcp:[::1]:6653.   For  ssl,  the
                     --private-key, --certificate, and --ca-cert options are mandatory.

                     If port is not specified, it defaults to 6653.

              unix:file
                     On POSIX, a Unix domain server socket named file.

                     On Windows, a localhost TCP port written in file.

              file   This is short for unix:file, as long as file does not contain a colon.

              bridge This is short for unix:/var/run/openvswitch/bridge.mgmt, as long  as  bridge
                     does not contain a colon.

              [type@]dp
                     Attempts  to  look  up  the bridge associated with dp and open as above.  If
                     type is given, it specifies the  datapath  provider  of  dp,  otherwise  the
                     default provider system is assumed.

       show switch
              Prints  to  the  console  information  on switch, including information on its flow
              tables and ports.

       dump-tables switch
              Prints to the console statistics for each of the flow tables used by switch.

       dump-table-features switch
              Prints to the console features for each of the flow tables used by switch.

       dump-table-desc switch
              Prints to the console configuration for each of the flow tables used by switch  for
              OpenFlow 1.4+.

       mod-table switch table_id setting
              This  command  configures  flow  table  settings for OpenFlow table table_id within
              switch.  The available settings depend on the OpenFlow version in use.  In OpenFlow
              1.1  and  1.2 (which must be enabled with the -O option) only, mod-table configures
              behavior when no flow is found when a packet is looked up in  a  flow  table.   The
              following setting values are available:

              drop   Drop the packet.

              continue
                     Continue  to  the  next table in the pipeline.  (This is how an OpenFlow 1.0
                     switch always handles packets that do not match any flow,  in  tables  other
                     than the last one.)

              controller
                     Send  to  controller.   (This  is  how an OpenFlow 1.0 switch always handles
                     packets that do not match any flow in the last table.)

              In OpenFlow 1.4 and later  (which  must  be  enabled  with  the  -O  option)  only,
              mod-table  configures  the  behavior  when a controller attempts to add a flow to a
              flow table that is full.  The following setting values are available:

              evict  Delete some existing flow from the flow table, according  to  the  algorithm
                     described for the Flow_Table table in ovs-vswitchd.conf.db(5).

              noevict
                     Refuse  to  add  the new flow.  (Eviction might still be enabled through the
                     overflow_policy  column  in  the  Flow_Table  table   documented   in   ovs-
                     vswitchd.conf.db(5).)

              vacancy:low,high
                     Enables  sending  vacancy events to controllers using TABLE_STATUS messages,
                     based on percentage thresholds low and high.

              novacancy
                     Disables vacancy events.

       dump-ports switch [netdev]
              Prints to the console statistics for network devices associated  with  switch.   If
              netdev  is  specified,  only  the  statistics  associated  with that device will be
              printed.  netdev can be an OpenFlow assigned port number or device name, e.g. eth0.

       dump-ports-desc switch [port]
              Prints to the console detailed information about network  devices  associated  with
              switch.   To  dump only a specific port, specify its number as port.  Otherwise, if
              port is omitted, or if it is specified as ANY, then all ports are printed.  This is
              a subset of the information provided by the show command.

              If the connection to switch negotiates OpenFlow 1.0, 1.2, or 1.2, this command uses
              an OpenFlow extension only implemented in Open vSwitch (version 1.7 and later).

              Only OpenFlow 1.5 and later support dumping a specific port.  Earlier  versions  of
              OpenFlow always dump all ports.

       mod-port switch port action
              Modify characteristics of port port in switch.  port may be an OpenFlow port number
              or name or the keyword LOCAL (the preferred way to  refer  to  the  OpenFlow  local
              port).  The action may be any one of the following:
              up
              down   Enable  or  disable  the  interface.   This  is equivalent to ifconfig up or
                     ifconfig down on a Unix system.

              stp
              no-stp Enable or disable 802.1D spanning tree  protocol  (STP)  on  the  interface.
                     OpenFlow implementations that don't support STP will refuse to enable it.

              receive
              no-receive
              receive-stp
              no-receive-stp
                     Enable or disable OpenFlow processing of packets received on this interface.
                     When packet processing is disabled, packets will be dropped instead of being
                     processed  through  the  OpenFlow  table.  The receive or no-receive setting
                     applies to all packets  except  802.1D  spanning  tree  packets,  which  are
                     separately controlled by receive-stp or no-receive-stp.

              forward
              no-forward
                     Allow  or  disallow  forwarding  of  traffic to this interface.  By default,
                     forwarding is enabled.

              flood
              no-flood
                     Controls whether an  OpenFlow  flood  action  will  send  traffic  out  this
                     interface.    By  default,  flooding  is  enabled.   Disabling  flooding  is
                     primarily useful to prevent loops when a spanning tree protocol  is  not  in
                     use.

              packet-in
              no-packet-in
                     Controls whether packets received on this interface that do not match a flow
                     table entry generate a ``packet in'' message to the OpenFlow controller.  By
                     default, ``packet in'' messages are enabled.

              The show command displays (among other information) the configuration that mod-port
              changes.

       get-frags switch
              Prints switch's fragment handling mode.  See set-frags, below, for a description of
              each fragment handling mode.

              The show command also prints the fragment handling mode among its other output.

       set-frags switch frag_mode
              Configures  switch's  treatment  of  IPv4  and  IPv6  fragments.   The  choices for
              frag_mode are:

              normal Fragments pass through the flow table like non-fragmented packets.  The  TCP
                     ports,  UDP  ports,  and ICMP type and code fields are always set to 0, even
                     for fragments where that information would otherwise be available (fragments
                     with  offset 0).  This is the default fragment handling mode for an OpenFlow
                     switch.

              drop   Fragments are dropped without passing through the flow table.

              reassemble
                     The switch reassembles fragments into full IP packets  before  passing  them
                     through  the  flow  table.   Open  vSwitch  does not implement this fragment
                     handling mode.

              nx-match
                     Fragments pass through the flow table like non-fragmented packets.  The  TCP
                     ports,  UDP  ports, and ICMP type and code fields are available for matching
                     for fragments with offset 0, and set to 0 in fragments with nonzero  offset.
                     This mode is a Nicira extension.

              See  the description of ip_frag, below, for a way to match on whether a packet is a
              fragment and on its fragment offset.

       dump-flows switch [flows]
              Prints to the console all flow entries in switch's tables  that  match  flows.   If
              flows  is  omitted, all flows in the switch are retrieved.  See Flow Syntax, below,
              for the syntax of flows.  The output format is described in Table Entry Output.

              By default, ovs-ofctl prints flow entries in the same order that the  switch  sends
              them,  which  is  unlikely  to  be intuitive or consistent.  See the description of
              --sort and --rsort, under OPTIONS below, to influence the display order.

       dump-aggregate switch [flows]
              Prints to the console aggregate statistics for flows in switch's tables that  match
              flows.   If flows is omitted, the statistics are aggregated across all flows in the
              switch's flow tables.  See Flow Syntax, below, for the syntax of flows.  The output
              format is described in Table Entry Output.

       queue-stats switch [port [queue]]
              Prints  to  the  console  statistics for the specified queue on port within switch.
              port can be an OpenFlow port number or name, the keyword LOCAL (the  preferred  way
              to  refer to the OpenFlow local port), or the keyword ALL.  Either of port or queue
              or both may be omitted (or equivalently the keyword ALL).   If  both  are  omitted,
              statistics are printed for all queues on all ports.  If only queue is omitted, then
              statistics are printed for all queues on  port;  if  only  port  is  omitted,  then
              statistics are printed for queue on every port where it exists.

   OpenFlow 1.1+ Group Table Commands
       The  following  commands  work  only  with  switches  that  support OpenFlow 1.1 or later.
       Because support for OpenFlow 1.1 and later is still experimental in Open  vSwitch,  it  is
       necessary  to explicitly enable these protocol versions in ovs-ofctl (using -O) and in the
       switch itself (with the protocols column in the Bridge table).  For more information,  see
       ``Q: What versions of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.

       dump-groups switch [group]
              Prints group entries in switch's tables to console.  To dump only a specific group,
              specify its number as group.  Otherwise, if group is omitted, or if it is specified
              as  ALL,  then  all  groups  are  printed.  Each line of output is a group entry as
              described in Group Syntax below.

              Only OpenFlow 1.5 and later support dumping a specific group.  Earlier versions  of
              OpenFlow always dump all groups.

       dump-group-features switch
              Prints to the console the group features of the switch.

       dump-group-stats switch [groups]
              Prints  to  the console statistics for the specified groups in the switch's tables.
              If groups is omitted then statistics for all groups are printed.  See Group Syntax,
              below, for the syntax of groups.

   OpenFlow 1.3+ Switch Meter Table Commands
       These  commands  manage  the  meter  table  in  an  OpenFlow  switch.  In each case, meter
       specifies a meter entry in the format described in Meter Syntax, below.

       OpenFlow 1.3 introduced support for meters, so these commands only work with switches that
       support  OpenFlow  1.3 or later.  The caveats described for groups in the previous section
       also apply to meters.

       add-meter switch meter
              Add a meter entry to switch's tables. The meter  syntax  is  described  in  section
              Meter Syntax, below.

       mod-meter switch meter
              Modify an existing meter.

       del-meters switch
       del-meter switch [meter]
              Delete  entries  from  switch's meter table.  meter can specify a single meter with
              syntax meter=id, or all meters with syntax meter=all.

       dump-meters switch
       dump-meter switch [meter]
              Print meter configuration.  meter can specify a single meter with syntax  meter=id,
              or all meters with syntax meter=all.

       meter-stats switch [meter]
              Print  meter statistics.  meter can specify a single meter with syntax meter=id, or
              all meters with syntax meter=all.

       meter-features switch
              Print meter features.

   OpenFlow Switch Flow Table Commands
       These commands manage the flow table in an OpenFlow switch.  In each case, flow  specifies
       a  flow  entry  in  the  format  described in Flow Syntax, below, file is a text file that
       contains zero or more flows in the same syntax, one per line, and  the  optional  --bundle
       option operates the command as a single atomic transation, see option --bundle, below.

       [--bundle] add-flow switch flow
       [--bundle] add-flow switch - < file
       [--bundle] add-flows switch file
              Add  each  flow entry to switch's tables.  Each flow specification (e.g., each line
              in file) may start  with  add,  modify,  delete,  modify_strict,  or  delete_strict
              keyword to specify whether a flow is to be added, modified, or deleted, and whether
              the modify or delete  is  strict  or  not.   For  backwards  compatibility  a  flow
              specification  without  one  of  these keywords is treated as a flow add.  All flow
              mods are executed in the order specified.

       [--bundle] [--strict] mod-flows switch flow
       [--bundle] [--strict] mod-flows switch - < file
              Modify the actions in entries from switch's tables that match the specified  flows.
              With --strict, wildcards are not treated as active for matching purposes.

       [--bundle] del-flows switch
       [--bundle] [--strict] del-flows switch [flow]
       [--bundle] [--strict] del-flows switch - < file
              Deletes entries from switch's flow table.  With only a switch argument, deletes all
              flows.  Otherwise, deletes flow entries  that  match  the  specified  flows.   With
              --strict, wildcards are not treated as active for matching purposes.

       [--bundle] [--readd] replace-flows switch file
              Reads  flow  entries  from  file (or stdin if file is -) and queries the flow table
              from switch.  Then it fixes up any differences, adding flows  from  flow  that  are
              missing  on  switch,  deleting flows from switch that are not in file, and updating
              flows in switch whose actions, cookie, or timeouts differ in file.

              With --readd, ovs-ofctl adds all the flows from file, even those  that  exist  with
              the  same  actions, cookie, and timeout in switch.  This resets all the flow packet
              and byte counters to 0, which can be useful for debugging.

       diff-flows source1 source2
              Reads flow entries from source1 and source2 and prints  the  differences.   A  flow
              that  is  in source1 but not in source2 is printed preceded by a -, and a flow that
              is in source2 but not in source1 is printed preceded by a +.  If a flow  exists  in
              both  source1  and  source2  with different actions, cookie, or timeouts, then both
              versions are printed preceded by - and +, respectively.

              source1 and source2 may each name a file or a switch.  If a name begins with  /  or
              .,  then  it is considered to be a file name.  A name that contains : is considered
              to be a switch.  Otherwise, it is a file if a file by that name exists, a switch if
              not.

              For this command, an exit status of 0 means that no differences were found, 1 means
              that an error occurred, and 2 means that some differences were found.

       packet-out switch in_port actions packet...
              Connects to switch and instructs it to execute the OpenFlow actions on each packet.
              Each  packet  is specified as a series of hex digits.  For the purpose of executing
              the actions, the packets are considered to have arrived on in_port, which may be an
              OpenFlow  port  number or name (e.g. eth0), the keyword LOCAL (the preferred way to
              refer to the OpenFlow ``local'' port), or the keyword NONE  to  indicate  that  the
              packet was generated by the switch itself.

   OpenFlow Switch Group Table Commands
       These  commands  manage  the  group  table  in  an  OpenFlow  switch.  In each case, group
       specifies a group entry in the format described in Group Syntax, below, and file is a text
       file that contains zero or more groups in the same syntax, one per line.

       add-group switch group
       add-group switch - < file
       add-groups switch file
              Add each group entry to switch's tables.

       mod-group switch group
       mod-group switch - < file
              Modify the action buckets in entries from switch's tables for each group entry.

       del-groups switch
       del-groups switch [group]
       del-groups switch - < file
              Deletes  entries  from  switch's group table.  With only a switch argument, deletes
              all groups.  Otherwise, deletes the group for each group entry.

       insert-buckets switch group
       insert-buckets switch - < file
              Add buckets to an existing group present  in  the  switch's  group  table.   If  no
              command_bucket_id  is  present  in  the group specification then all buckets of the
              group are removed.

       remove-buckets switch group
       remove-buckets switch - < file
              Remove buckets to an existing group present in the switch's  group  table.   If  no
              command_bucket_id  is  present  in  the group specification then all buckets of the
              group are removed.

   OpenFlow Switch Tunnel TLV Table Commands
       Open vSwitch maintains a mapping table between tunnel  option  TLVs  (defined  by  <class,
       type,  length>)  and  NXM  fields  tun_metadatan, where n ranges from 0 to 63, that can be
       operated on for the purposes of matches, actions, etc. This TLV  table  can  be  used  for
       Geneve  option  TLVs or other protocols with options in same TLV format as Geneve options.
       This mapping must be explicitly specified by the user through the following commands.

       A       TLV        mapping        is        specified        with        the        syntax
       {class=class,type=type,len=length}->tun_metadatan.   When  an  option mapping exists for a
       given tun_metadatan, matching on the defined field becomes possible, e.g.:

              ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"

              ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller

       A mapping should not be changed while it is in active use by a flow. The result  of  doing
       so is undefined.

       Currently,  the  TLV  mapping  table  is  shared  between all OpenFlow switches in a given
       instance of Open vSwitch. This restriction will be lifted  in  the  future  to  allow  for
       easier management.

       These commands are Nicira extensions to OpenFlow and require Open vSwitch 2.5 or later.

       add-TLV-map switch option[,option]...
              Add each option to switch's tables. Duplicate fields are rejected.

       del-TLV-map switch [option[,option]]...
              Delete  each  option from switch's table, or all option TLV mapping if no option is
              specified.  Fields that aren't mapped are ignored.

       dump-TLV-map switch
              Show the currently mapped fields in the switch's option table  as  well  as  switch
              capabilities.

   OpenFlow Switch Monitoring Commands
       snoop switch
              Connects  to  switch  and  prints  to  the  console all OpenFlow messages received.
              Unlike other ovs-ofctl commands, if switch is the name of a bridge, then the  snoop
              command  connects  to a Unix domain socket named /var/run/openvswitch/switch.snoop.
              ovs-vswitchd listens on such a socket for each bridge and sends to it  all  of  the
              OpenFlow  messages  sent  to  or  received from its configured OpenFlow controller.
              Thus, this command can be used to view OpenFlow protocol activity between a  switch
              and its controller.

              When a switch has more than one controller configured, only the traffic to and from
              a single controller is output.  If none of  the  controllers  is  configured  as  a
              master  or  a slave (using a Nicira extension to OpenFlow 1.0 or 1.1, or a standard
              request in OpenFlow 1.2 or later), then a controller is  chosen  arbitrarily  among
              them.   If  there is a master controller, it is chosen; otherwise, if there are any
              controllers that are not masters or slaves, one is chosen arbitrarily; otherwise, a
              slave  controller  is  chosen  arbitrarily.  This choice is made once at connection
              time and does not change as controllers reconfigure their roles.

              If a switch has no controller  configured,  or  if  the  configured  controller  is
              disconnected, no traffic is sent, so monitoring will not show any traffic.

       monitor switch [miss-len] [invalid_ttl] [watch:[spec...]]
              Connects  to  switch  and  prints  to  the  console all OpenFlow messages received.
              Usually, switch should specify the name of a bridge in the ovs-vswitchd database.

              If miss-len is provided, ovs-ofctl sends an OpenFlow ``set configuration''  message
              at  connection  setup  time that requests miss-len bytes of each packet that misses
              the flow table.  Open vSwitch does not send these and other  asynchronous  messages
              to  an  ovs-ofctl  monitor client connection unless a nonzero value is specified on
              this argument.  (Thus, if miss-len is  not  specified,  very  little  traffic  will
              ordinarily be printed.)

              If invalid_ttl is passed, ovs-ofctl sends an OpenFlow ``set configuration'' message
              at connection setup time that requests INVALID_TTL_TO_CONTROLLER, so that ovs-ofctl
              monitor can receive ``packet-in'' messages when TTL reaches zero on dec_ttl action.

              watch:[spec...]  causes  ovs-ofctl  to  send a ``monitor request'' Nicira extension
              message to the switch at connection setup time.  This message causes the switch  to
              send  information  about  flow  table  changes as they occur.  The following comma-
              separated spec syntax is available:

              !initial
                     Do not report the switch's initial flow table contents.

              !add   Do not report newly added flows.

              !delete
                     Do not report deleted flows.

              !modify
                     Do not report modifications to existing flows.

              !own   Abbreviate changes made to the flow table by ovs-ofctl's own  connection  to
                     the  switch.  (These could only occur using the ofctl/send command described
                     below under RUNTIME MANAGEMENT COMMANDS.)

              !actions
                     Do not report actions as part of flow updates.

              table=number
                     Limits the monitoring to the table with the given number between 0 and  254.
                     By default, all tables are monitored.

              out_port=port
                     If  set,  only  flows that output to port are monitored.  The port may be an
                     OpenFlow port number or keyword (e.g. LOCAL).

              field=value
                     Monitors only flows that have field  specified  as  the  given  value.   Any
                     syntax valid for matching on dump-flows may be used.

              This  command  may  be  useful  for debugging switch or controller implementations.
              With watch:, it is particularly useful for observing how a controller updates  flow
              tables.

   OpenFlow Switch and Controller Commands
       The  following  commands,  like  those in the previous section, may be applied to OpenFlow
       switches, using any of the connection methods described in  that  section.   Unlike  those
       commands, these may also be applied to OpenFlow controllers.

       probe target
              Sends  a single OpenFlow echo-request message to target and waits for the response.
              With the -t or --timeout option, this command can test whether an  OpenFlow  switch
              or controller is up and running.

       ping target [n]
              Sends a series of 10 echo request packets to target and times each reply.  The echo
              request packets consist of an  OpenFlow  header  plus  n  bytes  (default:  64)  of
              randomly generated payload.  This measures the latency of individual requests.

       benchmark target n count
              Sends  count  echo  request  packets that each consist of an OpenFlow header plus n
              bytes of payload and waits for each response.  Reports  the  total  time  required.
              This  is  a  measure  of  the maximum bandwidth to target for round-trips of n-byte
              messages.

   Other Commands
       ofp-parse file
              Reads file (or stdin if file is -) as a series of OpenFlow messages in  the  binary
              format used on an OpenFlow connection, and prints them to the console.  This can be
              useful for printing OpenFlow messages captured from a TCP stream.

       ofp-parse-pcap file [port...]
              Reads file, which must be in the PCAP format used by network capture tools such  as
              tcpdump  or  wireshark,  extracts all the TCP streams for OpenFlow connections, and
              prints the OpenFlow messages in  those  connections  in  human-readable  format  on
              stdout.

              OpenFlow  connections  are  distinguished by TCP port number.  Non-OpenFlow packets
              are ignored.  By default, data on TCP ports 6633 and  6653  are  considered  to  be
              OpenFlow.  Specify one or more port arguments to override the default.

              This  command  cannot usefully print SSL encrypted traffic.  It does not understand
              IPv6.

   Flow Syntax
       Some ovs-ofctl commands accept an argument that describes a  flow  or  flows.   Such  flow
       descriptions  comprise  a  series  field=value  assignments,  separated by commas or white
       space.  (Embedding spaces into a flow description normally requires quoting to prevent the
       shell from breaking the description into multiple arguments.)

       Flow  descriptions  should  be  in normal form.  This means that a flow may only specify a
       value for an L3 field if it also specifies a particular L2 protocol, and that a  flow  may
       only  specify  an  L4 field if it also specifies particular L2 and L3 protocol types.  For
       example, if the L2 protocol type dl_type is wildcarded, then L3 fields nw_src, nw_dst, and
       nw_proto  must  also  be  wildcarded.   Similarly, if dl_type or nw_proto (the L3 protocol
       type) is wildcarded, so must be the L4 fields tcp_dst and tcp_src.   ovs-ofctl  will  warn
       about flows not in normal form.

       The  following  field  assignments  describe how a flow matches a packet.  If any of these
       assignments is omitted from the flow syntax, the field is treated as a wildcard; thus,  if
       all  of  them  are  omitted,  the resulting flow matches all packets.  The string * may be
       specified to explicitly mark any of these fields as a wildcard.  (* should  be  quoted  to
       protect it from shell expansion.)

       in_port=port
              Matches  OpenFlow  port port, which may be an OpenFlow port number or keyword (e.g.
              LOCAL).  ovs-ofctl show.

              (The resubmit action can search OpenFlow flow tables with arbitrary in_port values,
              so flows that match port numbers that do not exist from an OpenFlow perspective can
              still potentially be matched.)

       dl_vlan=vlan
              Matches IEEE 802.1q Virtual LAN tag vlan.  Specify 0xffff as vlan to match  packets
              that  are  not tagged with a Virtual LAN; otherwise, specify a number between 0 and
              4095, inclusive, as the 12-bit VLAN ID to match.

       dl_vlan_pcp=priority
              Matches IEEE 802.1q Priority Code Point (PCP) priority, which  is  specified  as  a
              value between 0 and 7, inclusive.  A higher value indicates a higher frame priority
              level.

       dl_src=xx:xx:xx:xx:xx:xx
       dl_dst=xx:xx:xx:xx:xx:xx
              Matches an Ethernet source  (or  destination)  address  specified  as  6  pairs  of
              hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0).

       dl_src=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
       dl_dst=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
              Matches  an Ethernet destination address specified as 6 pairs of hexadecimal digits
              delimited by colons (e.g. 00:0A:E4:25:6B:B0), with a wildcard  mask  following  the
              slash.  Open  vSwitch  1.8  and  later  support  arbitrary  masks for source and/or
              destination. Earlier  versions  only  support  masking  the  destination  with  the
              following masks:

              01:00:00:00:00:00
                     Match         only         the         multicast         bit.          Thus,
                     dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches all multicast  (including
                     broadcast)  Ethernet packets, and dl_dst=00:00:00:00:00:00/01:00:00:00:00:00
                     matches all unicast Ethernet packets.

              fe:ff:ff:ff:ff:ff
                     Match all bits except the multicast bit.  This is probably not useful.

              ff:ff:ff:ff:ff:ff
                     Exact match (equivalent to omitting the mask).

              00:00:00:00:00:00
                     Wildcard all bits (equivalent to dl_dst=*.)

       dl_type=ethertype
              Matches Ethernet protocol type ethertype, which is specified as an integer  between
              0 and 65535, inclusive, either in decimal or as a hexadecimal number prefixed by 0x
              (e.g. 0x0806 to match ARP packets).

       nw_src=ip[/netmask]
       nw_dst=ip[/netmask]
              When dl_type is 0x0800 (possibly via shorthand,  e.g.  ip  or  tcp),  matches  IPv4
              source (or destination) address ip, which may be specified as an IP address or host
              name  (e.g.  192.168.1.1  or  www.example.com).   The   optional   netmask   allows
              restricting  a  match to an IPv4 address prefix.  The netmask may be specified as a
              dotted  quad  (e.g.  192.168.1.0/255.255.255.0)  or   as   a   CIDR   block   (e.g.
              192.168.1.0/24).   Open  vSwitch 1.8 and later support arbitrary dotted quad masks;
              earlier versions support only CIDR masks,  that  is,  the  dotted  quads  that  are
              equivalent to some CIDR block.

              When  dl_type=0x0806  or  arp  is  specified,  matches  the ar_spa or ar_tpa field,
              respectively, in ARP packets for IPv4 and Ethernet.

              When dl_type=0x8035 or rarp is specified,  matches  the  ar_spa  or  ar_tpa  field,
              respectively, in RARP packets for IPv4 and Ethernet.

              When  dl_type is wildcarded or set to a value other than 0x0800, 0x0806, or 0x8035,
              the values of nw_src and nw_dst are ignored (see Flow Syntax above).

       nw_proto=proto
       ip_proto=proto
              When ip or dl_type=0x0800 is specified, matches IP protocol type  proto,  which  is
              specified  as  a  decimal number between 0 and 255, inclusive (e.g. 1 to match ICMP
              packets or 6 to match TCP packets).

              When ipv6 or dl_type=0x86dd is specified, matches IPv6 header type proto, which  is
              specified as a decimal number between 0 and 255, inclusive (e.g. 58 to match ICMPv6
              packets or 6 to match TCP).  The header type is the terminal header as described in
              the DESIGN document.

              When  arp  or  dl_type=0x0806  is  specified,  matches  the lower 8 bits of the ARP
              opcode.  ARP opcodes greater than 255 are treated as 0.

              When rarp or dl_type=0x8035 is specified, matches the  lower  8  bits  of  the  ARP
              opcode.  ARP opcodes greater than 255 are treated as 0.

              When  dl_type  is wildcarded or set to a value other than 0x0800, 0x0806, 0x8035 or
              0x86dd, the value of nw_proto is ignored (see Flow Syntax above).

       nw_tos=tos
              Matches IP ToS/DSCP or IPv6 traffic class  field  tos,  which  is  specified  as  a
              decimal number between 0 and 255, inclusive.  Note that the two lower reserved bits
              are ignored for matching purposes.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_tos is ignored (see Flow Syntax above).

       ip_dscp=dscp
              Matches  IP  ToS/DSCP  or  IPv6  traffic  class field dscp, which is specified as a
              decimal number between 0 and 63, inclusive.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of ip_dscp is ignored (see Flow Syntax above).

       nw_ecn=ecn
       ip_ecn=ecn
              Matches  ecn  bits  in IP ToS or IPv6 traffic class fields, which is specified as a
              decimal number between 0 and 3, inclusive.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_ecn is ignored (see Flow Syntax above).

       nw_ttl=ttl
              Matches  IP TTL or IPv6 hop limit value ttl, which is specified as a decimal number
              between 0 and 255, inclusive.

              When dl_type is wildcarded or set to a value other than 0x0800 or 0x86dd, the value
              of nw_ttl is ignored (see Flow Syntax above).

       tcp_src=port
       tcp_dst=port
       udp_src=port
       udp_dst=port
       sctp_src=port
       sctp_dst=port
              Matches  a TCP, UDP, or SCTP source or destination port port, which is specified as
              a decimal number between 0 and 65535, inclusive.

              When dl_type and nw_proto are wildcarded or set to values that do not  indicate  an
              appropriate  protocol,  the  values  of these settings are ignored (see Flow Syntax
              above).

       tcp_src=port/mask
       tcp_dst=port/mask
       udp_src=port/mask
       udp_dst=port/mask
       sctp_src=port/mask
       sctp_dst=port/mask
              Bitwise match on TCP (or UDP or SCTP) source or destination  port.   The  port  and
              mask  are 16-bit numbers written in decimal or in hexadecimal prefixed by 0x.  Each
              1-bit in mask requires that the corresponding bit in port must match.   Each  0-bit
              in mask causes the corresponding bit to be ignored.

              Bitwise  matches  on transport ports are rarely useful in isolation, but a group of
              them can be used to reduce the number of flows required to  match  on  a  range  of
              transport  ports.   For example, suppose that the goal is to match TCP source ports
              1000 to 1999, inclusive.  One way is to insert 1000 flows, each of which matches on
              a single source port.  Another way is to look at the binary representations of 1000
              and 1999, as follows:
              01111101000
              11111001111
              and then to transform those into a series of bitwise matches  that  accomplish  the
              same results:
              01111101xxx
              0111111xxxx
              10xxxxxxxxx
              110xxxxxxxx
              1110xxxxxxx
              11110xxxxxx
              1111100xxxx
              which become the following when written in the syntax required by ovs-ofctl:
              tcp,tcp_src=0x03e8/0xfff8
              tcp,tcp_src=0x03f0/0xfff0
              tcp,tcp_src=0x0400/0xfe00
              tcp,tcp_src=0x0600/0xff00
              tcp,tcp_src=0x0700/0xff80
              tcp,tcp_src=0x0780/0xffc0
              tcp,tcp_src=0x07c0/0xfff0

              Only Open vSwitch 1.6 and later supports bitwise matching on transport ports.

              Like the exact-match forms described above, the bitwise match forms apply only when
              dl_type and nw_proto specify TCP or UDP or SCTP.

       tp_src=port
       tp_dst=port
              These are deprecated generic forms of L4 port matches.  In new code, please use the
              TCP-, UDP-, or SCTP-specific forms described above.

       tcp_flags=flags/mask
       tcp_flags=[+flag...][-flag...]
              Bitwise  match  on  TCP  flags.   The  flags and mask are 16-bit numbers written in
              decimal or in hexadecimal prefixed by 0x.  Each 1-bit in  mask  requires  that  the
              corresponding bit in flags must match.  Each 0-bit in mask causes the corresponding
              bit to be ignored.

              Alternatively, the flags can be specified by their symbolic names  (listed  below),
              each preceded by either + for a flag that must be set, or - for a flag that must be
              unset, without any other delimiters between the flags.   Flags  not  mentioned  are
              wildcarded.   For  example,  tcp,tcp_flags=+syn-ack  matches  TCP SYNs that are not
              ACKs.

              TCP protocol currently defines 9 flag bits, and  additional  3  bits  are  reserved
              (must  be  transmitted  as zero), see RFCs 793, 3168, and 3540.  The flag bits are,
              numbering from the least significant bit:

              0: fin No more data from sender.

              1: syn Synchronize sequence numbers.

              2: rst Reset the connection.

              3: psh Push function.

              4: ack Acknowledgement field significant.

              5: urg Urgent pointer field significant.

              6: ece ECN Echo.

              7: cwr Congestion Windows Reduced.

              8: ns  Nonce Sum.

              9-11:  Reserved.

              12-15: Not matchable, must be zero.

       icmp_type=type
       icmp_code=code
              When dl_type and nw_proto specify ICMP or ICMPv6, type matches the  ICMP  type  and
              code  matches  the  ICMP code.  Each is specified as a decimal number between 0 and
              255, inclusive.

              When dl_type and nw_proto take other values,  the  values  of  these  settings  are
              ignored (see Flow Syntax above).

       table=number
              For  flow  dump  commands,  limits  the flows dumped to those in the table with the
              given number between 0 and 254.  If not  specified  (or  if  255  is  specified  as
              number), then flows in all tables are dumped.

              For flow table modification commands, behavior varies based on the OpenFlow version
              used to connect to the switch:

              OpenFlow 1.0
                     OpenFlow 1.0 does not support table for  modifying  flows.   ovs-ofctl  will
                     exit with an error if table (other than table=255) is specified for a switch
                     that only supports OpenFlow 1.0.

                     In OpenFlow 1.0, the switch chooses the table into which  to  insert  a  new
                     flow.   The Open vSwitch software switch always chooses table 0.  Other Open
                     vSwitch datapaths and other OpenFlow implementations  may  choose  different
                     tables.

                     The  OpenFlow  1.0  behavior in Open vSwitch for modifying or removing flows
                     depends on whether --strict is used.  Without --strict, the command  applies
                     to matching flows in all tables.  With --strict, the command will operate on
                     any single matching flow in any table; it  will  do  nothing  if  there  are
                     matches  in  more  than one table.  (The distinction between these behaviors
                     only matters if non-OpenFlow 1.0 commands were also used,  because  OpenFlow
                     1.0  alone  cannot  add  flows  with  the same matching criteria to multiple
                     tables.)

              OpenFlow 1.0 with table_id extension
                     Open vSwitch implements an OpenFlow extension that allows the controller  to
                     specify  the table on which to operate.  ovs-ofctl automatically enables the
                     extension when table is specified  and  OpenFlow  1.0  is  used.   ovs-ofctl
                     automatically detects whether the switch supports the extension.  As of this
                     writing, this extension is only known to be implemented by Open vSwitch.

                     With this extension, ovs-ofctl operates on the requested table when table is
                     specified,  and  acts  as  described for OpenFlow 1.0 above when no table is
                     specified (or for table=255).

              OpenFlow 1.1
                     OpenFlow 1.1 requires flow table modification commands to specify  a  table.
                     When  table is not specified (or table=255 is specified), ovs-ofctl defaults
                     to table 0.

              OpenFlow 1.2 and later
                     OpenFlow 1.2 and later allow flow deletion  commands,  but  not  other  flow
                     table  modification  commands,  to  operate  on  all  flow  tables, with the
                     behavior described above for OpenFlow 1.0.

       metadata=value[/mask]
              Matches value either exactly or with optional mask in the metadata field. value and
              mask  are  64-bit  integers,  by  default  in  decimal  (use a 0x prefix to specify
              hexadecimal). Arbitrary mask values are allowed: a 1-bit in mask indicates that the
              corresponding  bit  in  value  must  match exactly, and a 0-bit wildcards that bit.
              Matching on metadata was added in Open vSwitch 1.8.

       The following shorthand notations are also available:

       ip     Same as dl_type=0x0800.

       ipv6   Same as dl_type=0x86dd.

       icmp   Same as dl_type=0x0800,nw_proto=1.

       icmp6  Same as dl_type=0x86dd,nw_proto=58.

       tcp    Same as dl_type=0x0800,nw_proto=6.

       tcp6   Same as dl_type=0x86dd,nw_proto=6.

       udp    Same as dl_type=0x0800,nw_proto=17.

       udp6   Same as dl_type=0x86dd,nw_proto=17.

       sctp   Same as dl_type=0x0800,nw_proto=132.

       sctp6  Same as dl_type=0x86dd,nw_proto=132.

       arp    Same as dl_type=0x0806.

       rarp   Same as dl_type=0x8035.

       mpls   Same as dl_type=0x8847.

       mplsm  Same as dl_type=0x8848.

       The following field assignments require  support  for  the  NXM  (Nicira  Extended  Match)
       extension  to  OpenFlow.   When  one  of  these is specified, ovs-ofctl will automatically
       attempt to negotiate use of this extension.  If the switch  does  not  support  NXM,  then
       ovs-ofctl will report a fatal error.

       vlan_tci=tci[/mask]
              Matches  modified  VLAN  TCI tci.  If mask is omitted, tci is the exact VLAN TCI to
              match; if mask is specified, then a 1-bit in mask indicates that the  corresponding
              bit  in  tci must match exactly, and a 0-bit wildcards that bit.  Both tci and mask
              are 16-bit values that are decimal by default; use a 0x prefix to specify  them  in
              hexadecimal.

              The  value  that  vlan_tci  matches  against  is  0 for a packet that has no 802.1Q
              header.  Otherwise, it is the TCI value from the 802.1Q header  with  the  CFI  bit
              (with value 0x1000) forced to 1.

              Examples:

              vlan_tci=0
                     Match only packets without an 802.1Q header.

              vlan_tci=0xf123
                     Match packets tagged with priority 7 in VLAN 0x123.

              vlan_tci=0x1123/0x1fff
                     Match packets tagged with VLAN 0x123 (and any priority).

              vlan_tci=0x5000/0xf000
                     Match packets tagged with priority 2 (in any VLAN).

              vlan_tci=0/0xfff
                     Match  packets  with  no  802.1Q  header  or  tagged  with  VLAN  0 (and any
                     priority).

              vlan_tci=0x5000/0xe000
                     Match packets with no 802.1Q header or tagged with priority 2 (in any VLAN).

              vlan_tci=0/0xefff
                     Match packets with no 802.1Q header or tagged with VLAN 0 and priority 0.

              Some of these  matching  possibilities  can  also  be  achieved  with  dl_vlan  and
              dl_vlan_pcp.

       ip_frag=frag_type
              When dl_type specifies IP or IPv6, frag_type specifies what kind of IP fragments or
              non-fragments to match.  The following values of frag_type are supported:

              no     Matches only non-fragmented packets.

              yes    Matches all fragments.

              first  Matches only fragments with offset 0.

              later  Matches only fragments with nonzero offset.

              not_later
                     Matches non-fragmented packets and fragments with zero offset.

              The ip_frag match type is likely to be most  useful  in  nx-match  mode.   See  the
              description of the set-frags command, above, for more details.

       arp_spa=ip[/netmask]
       arp_tpa=ip[/netmask]
              When dl_type specifies either ARP or RARP, arp_spa and arp_tpa match the source and
              target IPv4 address, respectively.  An address may be specified as an IP address or
              host  name  (e.g.  192.168.1.1  or  www.example.com).   The optional netmask allows
              restricting a match to an IPv4 address prefix.  The netmask may be specified  as  a
              dotted   quad   (e.g.   192.168.1.0/255.255.255.0)   or   as  a  CIDR  block  (e.g.
              192.168.1.0/24).

       arp_sha=xx:xx:xx:xx:xx:xx
       arp_tha=xx:xx:xx:xx:xx:xx
              When dl_type specifies either ARP or RARP, arp_sha and arp_tha match the source and
              target  hardware  address,  respectively.   An  address  is specified as 6 pairs of
              hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0).

       arp_sha=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
       arp_tha=xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
              When dl_type specifies either ARP or RARP, arp_sha and arp_tha match the source and
              target  hardware  address,  respectively.   An  address  is specified as 6 pairs of
              hexadecimal digits delimited by colons (e.g. 00:0A:E4:25:6B:B0),  with  a  wildcard
              mask following the slash.

       arp_op=opcode
              When dl_type specifies either ARP or RARP, arp_op matches the ARP opcode.  Only ARP
              opcodes between 1 and 255 should be specified for matching.

       ipv6_src=ipv6[/netmask]
       ipv6_dst=ipv6[/netmask]
              When dl_type is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6),  matches  IPv6
              source  (or  destination)  address  ipv6,  which may be specified as defined in RFC
              2373.  The preferred format is x:x:x:x:x:x:x:x, where x are the hexadecimal  values
              of  the eight 16-bit pieces of the address.  A single instance of :: may be used to
              indicate multiple  groups  of  16-bits  of  zeros.   The  optional  netmask  allows
              restricting  a  match to an IPv6 address prefix.  A netmask is specified as an IPv6
              address  (e.g.  2001:db8:3c4d:1::/ffff:ffff:ffff:ffff::)  or  a  CIDR  block  (e.g.
              2001:db8:3c4d:1::/64).  Open vSwitch 1.8 and later support arbitrary masks; earlier
              versions support only CIDR masks, that is, CIDR block and IPv6 addresses  that  are
              equivalent to CIDR blocks.

       ipv6_label=label
              When  dl_type  is 0x86dd (possibly via shorthand, e.g., ipv6 or tcp6), matches IPv6
              flow label label.

       nd_target=ipv6[/netmask]
              When dl_type, nw_proto, and icmp_type specify IPv6 Neighbor Discovery (ICMPv6  type
              135 or 136), matches the target address ipv6.  ipv6 is in the same format described
              earlier for the ipv6_src and ipv6_dst fields.

       nd_sll=xx:xx:xx:xx:xx:xx
              When dl_type, nw_proto, and icmp_type specify IPv6  Neighbor  Solicitation  (ICMPv6
              type  135),  matches the source link-layer address option.  An address is specified
              as 6 pairs of hexadecimal digits delimited by colons.

       nd_tll=xx:xx:xx:xx:xx:xx
              When dl_type, nw_proto, and icmp_type specify IPv6 Neighbor  Advertisement  (ICMPv6
              type  136),  matches the target link-layer address option.  An address is specified
              as 6 pairs of hexadecimal digits delimited by colons.

       mpls_bos=bos
              When dl_type is 0x8847 or 0x8848 (possibly via  shorthand  e.g.,  mpls  or  mplsm),
              matches  the  bottom-of-stack  bit  of the outer-most MPLS label stack entry. Valid
              values are 0 and 1.

              If 1 then for a packet with a well-formed MPLS label stack the bottom-of-stack  bit
              indicates that the outer label stack entry is also the inner-most label stack entry
              and thus that is that there is only one label stack entry present.  Conversely,  if
              0  then  for  a  packet with a well-formed MPLS label stack the bottom-of-stack bit
              indicates that the outer label stack entry is not the inner-most label stack  entry
              and thus there is more than one label stack entry present.

       mpls_label=label
              When  dl_type  is  0x8847  or  0x8848 (possibly via shorthand e.g., mpls or mplsm),
              matches the label of the outer MPLS label stack entry. The label is a 20-bit  value
              that is decimal by default; use a 0x prefix to specify them in hexadecimal.

       mpls_tc=tc
              When  dl_type  is  0x8847  or  0x8848 (possibly via shorthand e.g., mpls or mplsm),
              matches the traffic-class of the outer MPLS label stack  entry.  Valid  values  are
              between 0 (lowest) and 7 (highest).

       tun_id=tunnel-id[/mask]
       tunnel_id=tunnel-id[/mask]
              Matches  tunnel  identifier tunnel-id.  Only packets that arrive over a tunnel that
              carries a key (e.g. GRE with the RFC 2890 key extension and a  nonzero  key  value)
              will  have  a nonzero tunnel ID.  If mask is omitted, tunnel-id is the exact tunnel
              ID to match; if mask is  specified,  then  a  1-bit  in  mask  indicates  that  the
              corresponding bit in tunnel-id must match exactly, and a 0-bit wildcards that bit.

       tun_flags=flags
              Matches  flags  indicating  various aspects of the tunnel encapsulation. Currently,
              there is only one flag defined:

              oam: The tunnel protocol indicated that this is an OAM control packet.

              Flags can be prefixed by + or - to indicate that the  flag  should  be  matched  as
              either  present  or  not present, respectively. In addition, flags can be specified
              without a prefix and separated by | to indicate an exact match.

              Note that it is possible for newer version of Open vSwitch to introduce  additional
              flags  with  varying meaning. It is therefore not recommended to use an exact match
              on this field since the behavior of these  new  flags  is  unknown  and  should  be
              ignored.

              For non-tunneled packets, the value is 0.

              This field was introduced in Open vSwitch 2.5.

       tun_src=ip[/netmask]
       tun_dst=ip[/netmask]
              Matches  tunnel  IPv4  source (or destination) address ip. Only packets that arrive
              over a tunnel will have nonzero tunnel addresses.  The address may be specified  as
              an  IP  address  or  host name (e.g. 192.168.1.1 or www.example.com).  The optional
              netmask allows restricting a match to a masked IPv4 address.  The  netmask  may  be
              specified  as  a  dotted  quad  (e.g. 192.168.1.0/255.255.255.0) or as a CIDR block
              (e.g. 192.168.1.0/24).

       tun_gbp_id=value[/mask]
       tun_gbp_flags=value[/mask]
              Matches the group policy identifier and flags in the  VXLAN  header.  Only  packets
              that  arrive  over  a  VXLAN  tunnel with the "gbp" extension enabled can have this
              field set. The fields may also be referred to by NXM_NX_TUN_GBP_ID[] (16 bits)  and
              NXM_NX_TUN_GBP_FLAGS[]  (8  bits)  in the context of field manipulation actions. If
              these fields are set and the packet matched by the flow is encapsulated in a VXLAN-
              GBP tunnel, then the policy identifier and flags are transmitted to the destination
              VXLAN tunnel endpoint.

              The tun_gbp_flags field has the following format:

                +-+-+-+-+-+-+-+-+
                |-|D|-|-|A|-|-|-|
                +-+-+-+-+-+-+-+-+

                D := Don't Learn bit. When  set,  this  bit  indicates  that  the  egress  tunnel
                endpoint MUST NOT learn the source address of the encapsulated frame.

                A  :=  Indicates  that  the group policy has already been applied to this packet.
                Policies MUST NOT be applied by devices when the A bit is set.

              For   more   information,   please    see    the    corresponding    IETF    draft:
              https://tools.ietf.org/html/draft-smith-vxlan-group-policy

       tun_metadataidx[=value[/mask]]
              Matches  value either exactly or with optional mask in tunnel metadata field number
              idx (numbered from 0 to 63).  The act of specifying a field implies a match on  the
              existence  of  that  field  in  the  packet  in  addition to the masked value. As a
              shorthand, it is possible to specify only the field name  to  simply  match  on  an
              option being present.

              Tunnel  metadata  fields can be dynamically assigned onto the data contained in the
              option TLVs of packets (e.g. Geneve variable options stores zero or more options in
              TLV  format  and  tunnel metadata can be assigned onto these option TLVs) using the
              commands described in the section OpenFlow Switch Tunnel TLV Table  Commands.  Once
              assigned,  the length of the field is variable according to the size of the option.
              Before updating a mapping in the option table, flows with references to  it  should
              be removed, otherwise the result is non-deterministic.

              These fields were introduced in Open vSwitch 2.5.

       regidx=value[/mask]
              Matches  value  either  exactly  or with optional mask in register number idx.  The
              valid range of idx depends on the switch.  value and mask are 32-bit  integers,  by
              default in decimal (use a 0x prefix to specify hexadecimal).  Arbitrary mask values
              are allowed: a 1-bit in mask indicates that the corresponding  bit  in  value  must
              match exactly, and a 0-bit wildcards that bit.

              When  a  packet enters an OpenFlow switch, all of the registers are set to 0.  Only
              explicit actions change register values.

       xregidx=value[/mask]
              Matches value either exactly or with optional mask in 64-bit ``extended  register''
              number  idx.   Each  of  the  64-bit  extended registers overlays two of the 32-bit
              registers: xreg0 overlays reg0 and reg1, with reg0 supplying  the  most-significant
              bits  of  xreg0  and reg1 the least-significant.  xreg1 similarly overlays reg2 and
              reg3, and so on.

              These fields were added in Open vSwitch  2.3  to  conform  with  the  OpenFlow  1.5
              specification.   OpenFlow 1.5 calls these fields just the ``packet registers,'' but
              Open vSwitch already had 32-bit registers by that name, which is why  Open  vSwitch
              refers to the standard registers as ``extended registers''.

       pkt_mark=value[/mask]
              Matches  packet  metadata mark value either exactly or with optional mask. The mark
              is associated data that may be passed into other  system  components  in  order  to
              facilitate  interaction  between  subsystems.  On Linux this corresponds to the skb
              mark but the exact implementation is platform-dependent.

       actset_output=port
              Matches the output port currently in the OpenFlow action set, where port may be  an
              OpenFlow  port  number  or keyword (e.g. LOCAL).  If there is no output port in the
              OpenFlow action set, or if the output port will be ignored (e.g. because  there  is
              an output group in the OpenFlow action set), then the value will be UNSET.

              This  field  was  introduced  in  Open vSwitch 2.4 to conform with the OpenFlow 1.5
              specification.

       conj_id=value
              Matches the given 32-bit value against the conjunction ID.  This is used only  with
              the conjunction action (see below).

              This field was introduced in Open vSwitch 2.4.

       ct_state=flags/mask
       ct_state=[+flag...][-flag...]
              Bitwise  match  on  connection  state  flags.  This is used with the ct action (see
              below).

              The ct_state field provides information  from  a  connection  tracking  module.  It
              describes  whether  the  packet  has  previously  traversed  the connection tracker
              (tracked, or trk) and, if it has been tracked, any additional information that  the
              connection tracker was able to provide about the connection that the current packet
              belongs to.

              Individual packets may be in one of two states: Untracked or tracked. When  the  ct
              action  is  executed  on  a  packet,  it  becomes  tracked for the the remainder of
              OpenFlow pipeline processing. Once a packet has become tracked, the  state  of  its
              corresponding  connection  may  be  determined.  Note  that  the  ct_state  is only
              significant for the current ct_zone.

              Connections may be in one of two states: uncommitted or committed. Connections  are
              uncommitted  by  default. To determine ongoing information about a connection, like
              whether the connection is established or not, the  connection  must  be  committed.
              When  the  ct  action  is  executed  on  a  packet  with  the commit parameter, the
              connection will become committed and will remain in this state until the end of the
              connection.  Committed  connections  store  state  beyond  the  duration  of packet
              processing.

              The flags and mask are 32-bit numbers written in decimal or in hexadecimal prefixed
              by 0x.  Each 1-bit in mask requires that the corresponding bit in flags must match.
              Each 0-bit in mask causes the corresponding bit to be ignored.

              Alternatively, the flags can be specified by their symbolic names  (listed  below),
              each preceded by either + for a flag that must be set, or - for a flag that must be
              unset, without any other delimiters between the flags.   Flags  not  mentioned  are
              wildcarded.   For example, tcp,ct_state=+trk-new matches TCP packets that have been
              run through the connection tracker and do not establish a new connection.

              The following flags describe the state of the tracking:

              0x01: new
                     This is the beginning of a new connection. This flag may only be present for
                     uncommitted connections.

              0x02: est
                     This  is  part  of  an  already  existing  connection. This flag may only be
                     present for committed connections.

              0x04: rel
                     This is a connection that is related to an existing connection, for instance
                     ICMP  "destination  unreachable" messages or FTP data connections. This flag
                     may only be present for committed connections.

              0x08: rpl
                     The flow is in  the  reply  direction,  meaning  it  did  not  initiate  the
                     connection. This flag may only be present for committed connections.

              0x10: inv
                     The  state is invalid, meaning that the connection tracker couldn't identify
                     the connection.  This  flag  is  a  catch-all  for  any  problems  that  the
                     connection tracker may have, for example:

                     -  L3/L4  protocol  handler is not loaded/unavailable. With the Linux kernel
                     datapath, this may mean that the "nf_conntrack_ipv4" or  "nf_conntrack_ipv6"
                     modules are not loaded.

                     - L3/L4 protocol handler determines that the packet is malformed.

                     - Packets are unexpected length for protocol.

              0x20: trk
                     This  packet  is  tracked,  meaning  that  it  has  previously traversed the
                     connection tracker. If this flag is not set, then no  other  flags  will  be
                     set.  If  this  flag  is set, then the packet is tracked and other flags may
                     also be set.

              This field was introduced in Open vSwitch 2.5.

       The following fields are associated with the connection tracker and will only be populated
       for  tracked packets. The ct action will populate these fields, and allows modification of
       some of the below fields.

       ct_zone=zone
              Matches the given 16-bit connection zone exactly. This represents the  most  recent
              connection  tracking  context  that ct was executed in. Each zone is an independent
              connection tracking context, so if you wish to track the same  packet  in  multiple
              contexts then you must use the ct action multiple times. Introduced in Open vSwitch
              2.5.

       ct_mark=value[/mask]
              Matches the given 32-bit connection mark value  either  exactly  or  with  optional
              mask.  This  represents  metadata  associated  with the connection that the current
              packet is part of. Introduced in Open vSwitch 2.5.

       ct_label=value[/mask]
              Matches the given 128-bit connection labels value either exactly or  with  optional
              mask.  This  represents  metadata  associated  with the connection that the current
              packet is part of. Introduced in Open vSwitch 2.5.

       Defining IPv6 flows (those with dl_type equal to 0x86dd) requires support  for  NXM.   The
       following shorthand notations are available for IPv6-related flows:

       ipv6   Same as dl_type=0x86dd.

       tcp6   Same as dl_type=0x86dd,nw_proto=6.

       udp6   Same as dl_type=0x86dd,nw_proto=17.

       sctp6  Same as dl_type=0x86dd,nw_proto=132.

       icmp6  Same as dl_type=0x86dd,nw_proto=58.

       Finally,  field assignments to duration, n_packets, or n_bytes are ignored to allow output
       from the dump-flows command to be used as input for other commands that parse flows.

       The add-flow, add-flows, and mod-flows commands require an additional field, which must be
       the final field specified:

       actions=[action][,action...]
              Specifies a comma-separated list of actions to take on a packet when the flow entry
              matches.  If no action is specified, then packets matching the  flow  are  dropped.
              The following forms of action are supported:

              port
              output:port
                     Outputs  the  packet  to OpenFlow port number port.  If port is the packet's
                     input port, the packet is not output.

              output:src[start..end]
                     Outputs the packet to the OpenFlow port number read from src, which must  be
                     an  NXM  field  as described above.  For example, output:NXM_NX_REG0[16..31]
                     outputs to the OpenFlow port number written in the upper half of register 0.
                     If the port number is the packet's input port, the packet is not output.

                     This  form  of  output was added in Open vSwitch 1.3.0.  This form of output
                     uses an OpenFlow extension  that  is  not  supported  by  standard  OpenFlow
                     switches.

              group:group_id
                     Outputs  the  packet  to  the OpenFlow group group_id. Group tables are only
                     supported in OpenFlow 1.1+. See Group Syntax for more details.

              normal Subjects the packet to the device's normal L2/L3 processing.   (This  action
                     is not implemented by all OpenFlow switches.)

              flood  Outputs the packet on all switch physical ports other than the port on which
                     it was received and any ports on  which  flooding  is  disabled  (typically,
                     these would be ports disabled by the IEEE 802.1D spanning tree protocol).

              all    Outputs the packet on all switch physical ports other than the port on which
                     it was received.

              local  Outputs the packet on the ``local port,'' which corresponds to  the  network
                     device that has the same name as the bridge.

              in_port
                     Outputs the packet on the port from which it was received.

              controller(key=value...)
                     Sends the packet to the OpenFlow controller as a ``packet in'' message.  The
                     supported key-value pairs are:

                     max_len=nbytes
                            Limit to nbytes the number of bytes of the  packet  to  send  to  the
                            controller.  By default the entire packet is sent.

                     reason=reason
                            Specify  reason as the reason for sending the message in the ``packet
                            in'' message.   The  supported  reasons  are  action  (the  default),
                            no_match, and invalid_ttl.

                     id=controller-id
                            Specify  controller-id, a 16-bit integer, as the connection ID of the
                            OpenFlow controller or controllers to which the ``packet in'' message
                            should  be  sent.   The  default  is  zero.  Zero is also the default
                            connection ID for each controller connection, and a given  controller
                            connection  will  only have a nonzero connection ID if its controller
                            uses the NXT_SET_CONTROLLER_ID Nicira extension to OpenFlow.

                     Any reason other than action and any nonzero  controller-id  uses  a  Nicira
                     vendor  extension  that, as of this writing, is only known to be implemented
                     by Open vSwitch (version 1.6 or later).

              controller
              controller[:nbytes]
                     Shorthand for controller() or controller(max_len=nbytes), respectively.

              enqueue(port,queue)
                     Enqueues the packet on the specified queue within port port, which  must  be
                     an  OpenFlow  port  number or keyword (e.g. LOCAL).  The number of supported
                     queues depends on the switch; some OpenFlow implementations do  not  support
                     queuing at all.

              drop   Discards the packet, so no further processing or forwarding takes place.  If
                     a drop action is used, no other actions may be specified.

              mod_vlan_vid:vlan_vid
                     Modifies the VLAN id on a packet.  The VLAN tag  is  added  or  modified  as
                     necessary  to  match  the  value  specified.   If  the  VLAN tag is added, a
                     priority of zero is used (see the mod_vlan_pcp action to set this).

              mod_vlan_pcp:vlan_pcp
                     Modifies the VLAN priority on a packet.  The VLAN tag is added  or  modified
                     as  necessary  to  match  the  value  specified.  Valid values are between 0
                     (lowest) and 7 (highest).  If the VLAN tag is added, a vid of zero  is  used
                     (see the mod_vlan_vid action to set this).

              strip_vlan
                     Strips the VLAN tag from a packet if it is present.

              push_vlan:ethertype
                     Push a new VLAN tag onto the packet.  Ethertype is used as the Ethertype for
                     the tag. Only ethertype 0x8100 should be used. (0x88a8 which the spec allows
                     isn't  supported at the moment.)  A priority of zero and the tag of zero are
                     used for the new tag.

              push_mpls:ethertype
                     Changes the packet's Ethertype to ethertype, which must be either 0x8847  or
                     0x8848, and pushes an MPLS LSE.

                     If the packet does not already contain any MPLS labels then an initial label
                     stack entry is pushed.  The label stack entry's label is  2  if  the  packet
                     contains  IPv6 and 0 otherwise, its default traffic control value is the low
                     3 bits of the packet's DSCP value (0 if the packet is not IP), and  its  TTL
                     is copied from the IP TTL (64 if the packet is not IP).

                     If  the  packet  does  already contain an MPLS label, pushes a new outermost
                     label as a copy of the existing outermost label.

                     A limitation of the implementation is that processing of actions  will  stop
                     if  push_mpls  follows  another  push_mpls  unless  there  is  a pop_mpls in
                     between.

              pop_mpls:ethertype
                     Strips the outermost MPLS label stack entry.  Currently  the  implementation
                     restricts ethertype to a non-MPLS Ethertype and thus pop_mpls should only be
                     applied to packets with  an  MPLS  label  stack  depth  of  one.  A  further
                     limitation  is  that  processing  of  actions  will stop if pop_mpls follows
                     another pop_mpls unless there is a push_mpls in between.

              mod_dl_src:mac
                     Sets the source Ethernet address to mac.

              mod_dl_dst:mac
                     Sets the destination Ethernet address to mac.

              mod_nw_src:ip
                     Sets the IPv4 source address to ip.

              mod_nw_dst:ip
                     Sets the IPv4 destination address to ip.

              mod_tp_src:port
                     Sets the TCP or UDP or SCTP source port to port.

              mod_tp_dst:port
                     Sets the TCP or UDP or SCTP destination port to port.

              mod_nw_tos:tos
                     Sets the DSCP bits in the IPv4 ToS/DSCP or IPv6 traffic class field to  tos,
                     which  must  be  a  multiple  of  4 between 0 and 255.  This action does not
                     modify the two least significant bits of the ToS field (the ECN bits).

              mod_nw_ecn:ecn
                     Sets the ECN bits in the IPv4 ToS or IPv6 traffic class field to ecn,  which
                     must be a value between 0 and 3, inclusive.  This action does not modify the
                     six most significant bits of the field (the DSCP bits).

                     Requires OpenFlow 1.1 or later.

              mod_nw_ttl:ttl
                     Sets the IPv4 TTL or IPv6 hop limit field to ttl, which is  specified  as  a
                     decimal  number  between 0 and 255, inclusive.  Switch behavior when setting
                     ttl to zero is not well specified, though.

                     Requires OpenFlow 1.1 or later.

              The following actions are Nicira vendor extensions that, as of  this  writing,  are
              only known to be implemented by Open vSwitch:

              resubmit:port
              resubmit([port],[table])
                     Re-searches this OpenFlow flow table (or the table whose number is specified
                     by table) with the in_port field replaced by port (if port is specified) and
                     executes the actions found, if any, in addition to any other actions in this
                     flow entry.

                     Recursive resubmit  actions  are  obeyed  up  to  an  implementation-defined
                     maximum  depth.   Open  vSwitch 1.0.1 and earlier did not support recursion;
                     Open vSwitch before 1.2.90 did not support table.

              set_tunnel:id
              set_tunnel64:id
                     If outputting to a port  that  encapsulates  the  packet  in  a  tunnel  and
                     supports  an  identifier  (such  as GRE), sets the identifier to id.  If the
                     set_tunnel form is used and id fits in 32 bits, then  this  uses  an  action
                     extension that is supported by Open vSwitch 1.0 and later.  Otherwise, if id
                     is a 64-bit value, it requires Open vSwitch 1.1 or later.

              set_queue:queue
                     Sets the queue that should be used to queue when packets  are  output.   The
                     number   of   supported   queues   depends  on  the  switch;  some  OpenFlow
                     implementations do not support queuing at all.

              pop_queue
                     Restores the queue to the value it was before  any  set_queue  actions  were
                     applied.

              ct
              ct([argument][,argument...])
                     Send  the  packet  through  the  connection  tracker.  Refer to the ct_state
                     documentation above for possible packet and connection states. The following
                     arguments are supported:

                     commit
                            Commit  the connection to the connection tracking module. Information
                            about the connection will be stored beyond the lifetime of the packet
                            in  the  pipeline.   Some  ct_state  flags  are  only  available  for
                            committed connections.

                     table=number
                            Fork pipeline processing in two. The original instance of the  packet
                            will  continue  processing  the  current actions list as an untracked
                            packet. An additional instance of the packet  will  be  sent  to  the
                            connection  tracker,  which  will  be  re-injected  into the OpenFlow
                            pipeline to resume processing in table number, with the ct_state  and
                            other  ct  match  fields set. If the table is not specified, then the
                            packet which is submitted  to  the  connection  tracker  is  not  re-
                            injected  into  the  OpenFlow pipeline. It is strongly recommended to
                            specify a table later than the current table to prevent loops.

                     zone=value
                     zone=src[start..end]
                            A 16-bit context id that can be  used  to  isolate  connections  into
                            separate domains, allowing overlapping network addresses in different
                            zones. If a zone is not provided, then the default  is  to  use  zone
                            zero.  The zone may be specified either as an immediate 16-bit value,
                            or may be provided from an NXM field src. The start and end pair  are
                            inclusive,  and  must  specify  a 16-bit range within the field. This
                            value is copied to the ct_zone match field for packets which are  re-
                            injected into the pipeline using the table option.

                     exec([action][,action...])
                            Perform  actions within the context of connection tracking. This is a
                            restricted set of actions which are  in  the  same  format  as  their
                            specifications  as  part  of  a  flow.  Only actions which modify the
                            ct_mark or ct_label fields are accepted within the exec  action,  and
                            these fields may only be modified with this option. For example:

                            set_field:value->ct_mark
                                   Store  a  32-bit  metadata  value  with the connection. If the
                                   connection is committed, then subsequent lookups  for  packets
                                   in  this  connection will populate the ct_mark flow field when
                                   the packet is sent to the connection tracker  with  the  table
                                   specified.

                            set_field:value->ct_label
                                   Store  a  128-bit  metadata value with the connection.  If the
                                   connection is committed, then subsequent lookups  for  packets
                                   in  this connection will populate the ct_label flow field when
                                   the packet is sent to the connection tracker  with  the  table
                                   specified.

                            The commit parameter should be specified to use exec(...).

                     alg=alg
                            Specify  application  layer  gateway alg to track specific connection
                            types. Supported types include:

                            ftp    Look for negotiation of FTP data connections. If a  subsequent
                                   FTP  data  connection  arrives which is related, the ct action
                                   will set the rel flag in the ct_state field for  packets  sent
                                   through ct.

                            When  committing related connections, the ct_mark for that connection
                            is inherited from  the  current  ct_mark  stored  with  the  original
                            connection (ie, the connection created by ct(alg=...)).

                     The  ct action may be used as a primitive to construct stateful firewalls by
                     selectively committing some traffic, then matching  the  ct_state  to  allow
                     established  connections  while denying new connections. The following flows
                     provide an example of how to implement a simple  firewall  that  allows  new
                     connections  from  port 1 to port 2, and only allows established connections
                     to send traffic from port 2 to port 1:
                         table=0,priority=1,action=drop
                         table=0,priority=10,arp,action=normal
                         table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
                         table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
                         table=1,in_port=1,ip,ct_state=+trk+est,action=2
                         table=1,in_port=2,ip,ct_state=+trk+new,action=drop
                         table=1,in_port=2,ip,ct_state=+trk+est,action=1

                     If ct is executed on IP (or IPv6) fragments, then the message is  implicitly
                     reassembled  before  sending to the connection tracker and refragmented upon
                     output, to the original maximum received fragment size.   Reassembly  occurs
                     within the context of the zone, meaning that IP fragments in different zones
                     are not assembled together. Pipeline processing for the initial fragments is
                     halted;  When  the  final fragment is received, the message is assembled and
                     pipeline processing will continue for that flow.  Because packet ordering is
                     not  guaranteed  by  IP  protocols, it is not possible to determine which IP
                     fragment will cause message  reassembly  (and  therefore  continue  pipeline
                     processing).  As such, it is strongly recommended that multiple flows should
                     not execute ct to reassemble fragments from the same IP message.

                     Currently, connection tracking is only available on Linux kernels  with  the
                     nf_conntrack  module  loaded.  The  ct action was introduced in Open vSwitch
                     2.5.

              dec_ttl
              dec_ttl(id1[,id2]...)
                     Decrement TTL of IPv4 packet or hop limit of IPv6 packet.  If the TTL or hop
                     limit  is  initially  zero  or  decrementing  would make it so, no decrement
                     occurs, as packets reaching TTL zero must be rejected.  Instead, a ``packet-
                     in''  message  with  reason  code OFPR_INVALID_TTL is sent to each connected
                     controller that has enabled receiving them, if any.  Processing the  current
                     set  of  actions  then  stops.   However,  if the current set of actions was
                     reached through ``resubmit'' then remaining actions in outer  levels  resume
                     processing.

                     This  action also optionally supports the ability to specify a list of valid
                     controller ids.  Each of the  controllers  in  the  list  will  receive  the
                     ``packet_in''  message  only  if they have registered to receive the invalid
                     ttl packets.  If controller ids are not specified, the ``packet_in'' message
                     will  be  sent  only to the controllers having controller id zero which have
                     registered for the invalid ttl packets.

              set_mpls_label:label
                     Set the label of the outer MPLS label stack entry of a packet.  label should
                     be  a  20-bit  value  that is decimal by default; use a 0x prefix to specify
                     them in hexadecimal.

              set_mpls_tc:tc
                     Set the traffic-class of the outer MPLS label stack entry of a  packet.   tc
                     should be a in the range 0 to 7 inclusive.

              set_mpls_ttl:ttl
                     Set  the TTL of the outer MPLS label stack entry of a packet.  ttl should be
                     in the range 0 to 255 inclusive.

              dec_mpls_ttl
                     Decrement TTL of the outer MPLS label stack entry of a packet.  If  the  TTL
                     is  initially  zero  or  decrementing would make it so, no decrement occurs.
                     Instead, a ``packet-in'' message with reason code OFPR_INVALID_TTL  is  sent
                     to  the  main  controller  (id  zero),  if  it  has  enabled receiving them.
                     Processing the current set of actions then stops.  However, if  the  current
                     set  of  actions  was reached through ``resubmit'' then remaining actions in
                     outer levels resume processing.

              note:[hh]...
                     Does nothing at all.  Any number of bytes represented as hex digits  hh  may
                     be  included.   Pairs  of  hex  digits  may  be  separated  by  periods  for
                     readability.  The note action's format doesn't include an exact  length  for
                     its  payload,  so  the  provided bytes will be padded on the right by enough
                     bytes with value 0 to make the total number 6 more than a multiple of 8.

              move:src[start..end]->dst[start..end]
                     Copies the named bits from field src to field dst.  src and dst must be  NXM
                     field  names as defined in nicira-ext.h, e.g. NXM_OF_UDP_SRC or NXM_NX_REG0.
                     Each start and end pair, which are inclusive, must specify the  same  number
                     of   bits  and  must  fit  within  its  respective  field.   Shorthands  for
                     [start..end] exist: use [bit] to specify a single bit or []  to  specify  an
                     entire field.

                     Examples:  move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31]  copies  the six bits
                     numbered 0 through 5, inclusive, in register 0  into  bits  26  through  31,
                     inclusive;   move:NXM_NX_REG0[0..15]->NXM_OF_VLAN_TCI[]   copies  the  least
                     significant 16 bits of register 0 into the VLAN TCI field.

                     In OpenFlow 1.0 through 1.4, move ordinarily uses an Open vSwitch  extension
                     to  OpenFlow.   In  OpenFlow  1.5,  move  uses  the  OpenFlow  1.5  standard
                     copy_field action.  The  ONF  has  also  made  copy_field  available  as  an
                     extension  to  OpenFlow  1.3.   Open  vSwitch 2.4 and later understands this
                     extension  and  uses  it  if  a  controller  uses  it,  but   for   backward
                     compatibility  with  older  versions of Open vSwitch, ovs-ofctl does not use
                     it.

              set_field:value[/mask]->dst
              load:value->dst[start..end]
                     Loads a literal value into a field or part  of  a  field.   With  set_field,
                     value and the optional mask are given in the customary syntax for field dst,
                     which    is    expressed    as    a    field     name.      For     example,
                     set_field:00:11:22:33:44:55->eth_src  sets  the  Ethernet  source address to
                     00:11:22:33:44:55.  With load, value must be an integer value (in decimal or
                     prefixed  by  0x  for  hexadecimal)  and  dst is the NXM or OXM name for the
                     field.  For  example,  load:0x001122334455->OXM_OF_ETH_DST[]  has  the  same
                     effect as the prior set_field example.

                     The  two  forms  exist  for historical reasons.  Open vSwitch 1.1 introduced
                     NXAST_REG_LOAD as a Nicira extension  to  OpenFlow  1.0  and  used  load  to
                     express  it.   Later,  OpenFlow  1.2  introduced  a standard OFPAT_SET_FIELD
                     action that was restricted to loading entire fields, so Open  vSwitch  added
                     the   form   set_field   with   this  restriction.   OpenFlow  1.5  extended
                     OFPAT_SET_FIELD to the point that it became a  superset  of  NXAST_REG_LOAD.
                     Open  vSwitch translates either syntax as necessary for the OpenFlow version
                     in use: in OpenFlow 1.0 and 1.1, NXAST_REG_LOAD; in OpenFlow 1.2,  1.3,  and
                     1.4,  NXAST_REG_LOAD  for  load  or  for loading a subfield, OFPAT_SET_FIELD
                     otherwise; and OpenFlow 1.5 and later, OFPAT_SET_FIELD.

              push:src[start..end]
                     Pushes start to end bits inclusive, in fields on top of the stack.

                     Example: push:NXM_NX_REG2[0..5] push the value stored in register 2  bits  0
                     through 5, inclusive, on to the internal stack.

              pop:dst[start..end]
                     Pops  from  the top of the stack, retrieves the start to end bits inclusive,
                     from the value popped and store them into the corresponding bits in dst.

                     Example: pop:NXM_NX_REG2[0..5] pops the value from top of  the  stack.   Set
                     register  2  bits 0 through 5, inclusive, based on bits 0 through 5 from the
                     value just popped.

              multipath(fields, basis, algorithm, n_links, arg, dst[start..end])
                     Hashes fields using basis as a universal hash parameter,  then  the  applies
                     multipath  link  selection  algorithm  (with parameter arg) to choose one of
                     n_links output links numbered 0 through n_links minus 1, and stores the link
                     into dst[start..end], which must be an NXM field as described above.

                     fields must be one of the following:

                     eth_src
                            Hashes Ethernet source address only.

                     symmetric_l4
                            Hashes  Ethernet  source,  destination,  and type, VLAN ID, IPv4/IPv6
                            source, destination, and protocol, and TCP  or  SCTP  (but  not  UDP)
                            ports.   The hash is computed so that pairs of corresponding flows in
                            each direction hash to the same value, in environments where L2 paths
                            are  the  same  in each direction.  UDP ports are not included in the
                            hash to support protocols such as VXLAN that use asymmetric ports  in
                            each direction.

                     symmetric_l3l4
                            Hashes  IPv4/IPv6  source, destination, and protocol, and TCP or SCTP
                            (but not UDP) ports.  Like symmetric_l4, this is  a  symmetric  hash,
                            but by excluding L2 headers it is more effective in environments with
                            asymmetric L2 paths (e.g. paths involving  VRRP  IP  addresses  on  a
                            router).   Not  an  effective  hash function for protocols other than
                            IPv4 and IPv6, which hash to a constant zero.

                     symmetric_l3l4+udp
                            Like symmetric_l3l4+udp, but UDP ports  are  included  in  the  hash.
                            This  is  a more effective hash when asymmetric UDP protocols such as
                            VXLAN are not a consideration.

                     algorithm must be one of modulo_n, hash_threshold, hrw, and iter_hash.  Only
                     the iter_hash algorithm uses arg.

                     Refer to nicira-ext.h for more details.

              bundle(fields, basis, algorithm, slave_type, slaves:[s1, s2, ...])
                     Hashes  fields  using  basis as a universal hash parameter, then applies the
                     bundle  link  selection  algorithm  to  choose  one  of  the  listed  slaves
                     represented  as  slave_type.   Currently  the  only  supported slave_type is
                     ofport.  Thus, each s1 through sN should be an OpenFlow port number. Outputs
                     to the selected slave.

                     Currently,  fields  must be either eth_src, symmetric_l4, symmetric_l3l4, or
                     symmetric_l3l4+udp, and algorithm must be one of hrw and active_backup.

                     Example: bundle(eth_src,0,hrw,ofport,slaves:4,8)  uses  an  Ethernet  source
                     hash  with  basis  0,  to  select  between  OpenFlow ports 4 and 8 using the
                     Highest Random Weight algorithm.

                     Refer to nicira-ext.h for more details.

              bundle_load(fields, basis, algorithm, slave_type, dst[start..end], slaves:[s1,  s2,
              ...])
                     Has  the same behavior as the bundle action, with one exception.  Instead of
                     outputting  to  the   selected   slave,   it   writes   its   selection   to
                     dst[start..end], which must be an NXM field as described above.

                     Example:  bundle_load(eth_src,  0,  hrw, ofport, NXM_NX_REG0[], slaves:4, 8)
                     uses an Ethernet source hash with basis 0, to select between OpenFlow  ports
                     4  and 8 using the Highest Random Weight algorithm, and writes the selection
                     to NXM_NX_REG0[].

                     Refer to nicira-ext.h for more details.

              learn(argument[,argument]...)
                     This action adds or modifies  a  flow  in  an  OpenFlow  table,  similar  to
                     ovs-ofctl  --strict  mod-flows.   The  arguments  specify  the  flow's match
                     fields, actions, and other properties,  as  follows.   At  least  one  match
                     criterion and one action argument should ordinarily be specified.

                     idle_timeout=seconds
                     hard_timeout=seconds
                     priority=value
                     cookie=value
                     send_flow_rem
                            These  arguments have the same meaning as in the usual ovs-ofctl flow
                            syntax.

                     fin_idle_timeout=seconds
                     fin_hard_timeout=seconds
                            Adds a fin_timeout action with the specified  arguments  to  the  new
                            flow.  This feature was added in Open vSwitch 1.5.90.

                     table=number
                            The  table  in  which  the  new  flow  should be inserted.  Specify a
                            decimal  number  between  0  and  254.   The  default,  if  table  is
                            unspecified, is table 1.

                     delete_learned
                            This  flag  enables  deletion of the learned flows when the flow with
                            the learn action is  removed.   Specifically,  when  the  last  learn
                            action  with  this  flag  and  particular  table and cookie values is
                            removed, the switch deletes all of the flows in the  specified  table
                            with the specified cookie.

                            This flag was added in Open vSwitch 2.4.

                     field=value
                     field[start..end]=src[start..end]
                     field[start..end]
                            Adds a match criterion to the new flow.

                            The  first  form  specifies  that field must match the literal value,
                            e.g. dl_type=0x0800.  All of the fields and values for ovs-ofctl flow
                            syntax are available with their usual meanings.

                            The second form specifies that field[start..end] in the new flow must
                            match src[start..end] taken from the flow currently being processed.

                            The third form is a shorthand for the second form.  It specifies that
                            field[start..end]  in the new flow must match field[start..end] taken
                            from the flow currently being processed.

                     load:value->dst[start..end]
                     load:src[start..end]->dst[start..end]
                            Adds a load action to the new flow.

                            The first form loads the literal value into bits start  through  end,
                            inclusive,  in  field dst.  Its syntax is the same as the load action
                            described earlier in this section.

                            The  second  form  loads  src[start..end],  a  value  from  the  flow
                            currently being processed, into bits start through end, inclusive, in
                            field dst.

                     output:field[start..end]
                            Add an output action to the new flow's actions, that outputs  to  the
                            OpenFlow  port  taken  from  field[start..end],  which must be an NXM
                            field as described above.

                     For  best  performance,  segregate  learned  flows  into  a   table   (using
                     table=number)  that  is  not  used for any other flows except possibly for a
                     lowest-priority ``catch-all'' flow, that is, a flow with no match  criteria.
                     (This is why the default table is 1, to keep the learned flows separate from
                     the primary flow table 0.)

              clear_actions
                     Clears all the actions in the action set immediately.

              write_actions([action][,action...])
                     Add the specific actions to the action set.  The syntax of  actions  is  the
                     same  as  in  the  actions=  field.   The action set is carried between flow
                     tables and then executed at the end of the pipeline.

                     The actions in the action  set  are  applied  in  the  following  order,  as
                     required  by  the  OpenFlow  specification, regardless of the order in which
                     they were added to the action set.  Except as specified otherwise below, the
                     action  set only holds at most a single action of each type.  When more than
                     one action of a single type is written to the action set,  the  one  written
                     later replaces the earlier action:

                     1.     strip_vlan
                            pop_mpls

                     2.     push_mpls

                     3.     push_vlan

                     4.     dec_ttl
                            dec_mpls_ttl

                     5.     load
                            move
                            mod_dl_dst
                            mod_dl_src
                            mod_nw_dst
                            mod_nw_src
                            mod_nw_tos
                            mod_nw_ecn
                            mod_nw_ttl
                            mod_tp_dst
                            mod_tp_src
                            mod_vlan_pcp
                            mod_vlan_vid
                            set_field
                            set_tunnel
                            set_tunnel64
                            The  action  set  can  contain  any  number  of  these  actions, with
                            cumulative effect. They will be applied in the order as added.   That
                            is,  when multiple actions modify the same part of a field, the later
                            modification takes effect, and when they modify different parts of  a
                            field (or different fields), then both modifications are applied.

                     6.     set_queue

                     7.     group
                            output
                            resubmit
                            If  more  than  one  of these actions is present, then the one listed
                            earliest above is executed and the others are ignored, regardless  of
                            the  order  in  which they were added to the action set.  (If none of
                            these actions is present, the action set has no real effect,  because
                            the  modified  packet is not sent anywhere and thus the modifications
                            are not visible.)

                     Only the actions listed above may be written to the action set.

              write_metadata:value[/mask]
                     Updates the metadata field for the flow. If mask is  omitted,  the  metadata
                     field  is  set  exactly to value; if mask is specified, then a 1-bit in mask
                     indicates that the corresponding bit in the metadata field will be  replaced
                     with the corresponding bit from value. Both value and mask are 64-bit values
                     that are decimal by default; use a 0x prefix to specify them in hexadecimal.

              meter:meter_id
                     Apply the meter_id before any  other  actions.  If  a  meter  band  rate  is
                     exceeded,  the  packet  may  be dropped, or modified, depending on the meter
                     band type. See the description of the Meter Table Commands, above, for  more
                     details.

              goto_table:table
                     Indicates the next table in the process pipeline.

              fin_timeout(argument[,argument])
                     This  action  changes  the  idle  timeout  or hard timeout, or both, of this
                     OpenFlow rule when the rule matches a TCP packet with the FIN or  RST  flag.
                     When  such  a  packet is observed, the action reduces the rule's timeouts to
                     those specified on the action.  If the rule's existing  timeout  is  already
                     shorter  than  the  one  that  the  action  specifies,  then that timeout is
                     unaffected.

                     argument takes the following forms:

                     idle_timeout=seconds
                            Causes the flow to expire  after  the  given  number  of  seconds  of
                            inactivity.

                     hard_timeout=seconds
                            Causes  the  flow  to  expire  after  the  given  number  of seconds,
                            regardless of activity.  (seconds specifies  time  since  the  flow's
                            creation, not since the receipt of the FIN or RST.)

                     This action was added in Open vSwitch 1.5.90.

              sample(argument[,argument]...)
                     Samples packets and sends one sample for every sampled packet.

                     argument takes the following forms:

                     probability=packets
                            The number of sampled packets out of 65535.  Must be greater or equal
                            to 1.

                     collector_set_id=id
                            The  unsigned  32-bit  integer  identifier  of  the  set  of   sample
                            collectors to send sampled packets to.  Defaults to 0.

                     obs_domain_id=id
                            When sending samples to IPFIX collectors, the unsigned 32-bit integer
                            Observation Domain ID sent in every IPFIX flow record.   Defaults  to
                            0.

                     obs_point_id=id
                            When sending samples to IPFIX collectors, the unsigned 32-bit integer
                            Observation Point ID sent in every IPFIX flow record.  Defaults to 0.

                     Refer to ovs-vswitchd.conf.db(8) for  more  details  on  configuring  sample
                     collector sets.

                     This action was added in Open vSwitch 1.10.90.

              exit   This  action  causes  Open  vSwitch to immediately halt execution of further
                     actions.  Those actions which have already  been  executed  are  unaffected.
                     Any  further  actions,  including  those  which  may  be in other tables, or
                     different levels of the resubmit call stack, are ignored.   Actions  in  the
                     action  set  is still executed (specify clear_actions before exit to discard
                     them).

              conjunction(id, k/n)
                     An individual OpenFlow flow can match only a single value  for  each  field.
                     However,  situations  often  arise  where one wants to match one of a set of
                     values within a field or fields.  For matching a single field against a set,
                     it is straightforward and efficient to add multiple flows to the flow table,
                     one for each value in the set.  For example, one  might  use  the  following
                     flows  to  send packets with IP source address a, b, c, or d to the OpenFlow
                     controller:
                        ip,ip_src=a actions=controller
                        ip,ip_src=b actions=controller
                        ip,ip_src=c actions=controller
                        ip,ip_src=d actions=controller

                     Similarly, these flows send packets with IP destination address e, f, g,  or
                     h to the OpenFlow controller:
                        ip,ip_dst=e actions=controller
                        ip,ip_dst=f actions=controller
                        ip,ip_dst=g actions=controller
                        ip,ip_dst=h actions=controller

                     Installing  all  of  the  above  flows  in  a  single  flow  table  yields a
                     disjunctive effect: a packet is sent to the controller if ip_src ∈ {a,b,c,d}
                     or  ip_dst  ∈ {e,f,g,h} (or both).  (Pedantically, if both of the above sets
                     of flows  are  present  in  the  flow  table,  they  should  have  different
                     priorities,  because  OpenFlow  says that the results are undefined when two
                     flows with same priority can both match a single packet.)

                     Suppose, on the other hand, one wishes to match conjunctively, that  is,  to
                     send a packet to the controller only if both ip_src ∈ {a,b,c,d} and ip_dst ∈
                     {e,f,g,h}.  This requires 4 × 4 = 16 flows, one for each possible pairing of
                     ip_src  and  ip_dst.   That is acceptable for our small example, but it does
                     not gracefully extend to larger sets or greater numbers of dimensions.

                     The conjunction action is a solution for conjunctive matches that  is  built
                     into  Open vSwitch.  A conjunction action ties groups of individual OpenFlow
                     flows into higher-level ``conjunctive flows''.  Each  group  corresponds  to
                     one dimension, and each flow within the group matches one possible value for
                     the dimension.  A packet that matches one flow from each group  matches  the
                     conjunctive flow.

                     To  implement  a  conjunctive  flow with conjunction, assign the conjunctive
                     flow a 32-bit id, which must be unique within  an  OpenFlow  table.   Assign
                     each  of  the  n ≥ 2 dimensions a unique number from 1 to n; the ordering is
                     unimportant.  Add one flow to the OpenFlow  flow  table  for  each  possible
                     value  of  each  dimension  with conjunction(id, k/n) as the flow's actions,
                     where k is the number assigned to the  flow's  dimension.   Together,  these
                     flows  specify the conjunctive flow's match condition.  When the conjunctive
                     match condition is met, Open vSwitch looks up one more flow  that  specifies
                     the  conjunctive  flow's  actions and receives its statistics.  This flow is
                     found by setting conj_id to the specified id and then  again  searching  the
                     flow table.

                     The  following  flows  provide an example.  Whenever the IP source is one of
                     the values in the flows that match on the IP source (dimension 1 of 2),  and
                     the  IP  destination  is  one  of  the  values in the flows that match on IP
                     destination (dimension 2 of 2),  Open  vSwitch  searches  for  a  flow  that
                     matches  conj_id  against  the conjunction ID (1234), finding the first flow
                     listed below.
                        conj_id=1234 actions=controller
                        ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)
                        ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)
                        ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)
                        ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)
                        ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)
                        ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)
                        ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)
                        ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)

                     Many subtleties exist:

                     ·      In the example above, every flow in a single dimension has  the  same
                            form,  that is, dimension 1 matches on ip_src, dimension 2 on ip_dst,
                            but this is not a requirement.  Different flows  within  a  dimension
                            may  match on different bits within a field (e.g. IP network prefixes
                            of different lengths, or TCP/UDP port ranges as bitwise matches),  or
                            even  on  entirely  different  fields  (e.g. to match packets for TCP
                            source port 80 or TCP destination port 80).

                     ·      The flows within a dimension can vary their matches across more  than
                            one  field,  e.g.  to  match  only  specific  pairs  of IP source and
                            destination addresses or L4 port numbers.

                     ·      A flow may have  multiple  conjunction  actions,  with  different  id
                            values.    This   is  useful  for  multiple  conjunctive  flows  with
                            overlapping sets.  If one conjunctive flow matches packets with  both
                            ip_src  ∈  {a,b}  and  ip_dst  ∈  {d,e} and a second conjunctive flow
                            matches ip_src ∈ {b,c} and ip_dst ∈ {f,g}, for example, then the flow
                            that  matches  ip_src=b  would  have two conjunction actions, one for
                            each conjunctive flow.  The order of  conjunction  actions  within  a
                            list of actions is not significant.

                     ·      A  flow  with  conjunction  actions may also include note actions for
                            annotations, but not any other kind of actions.  (They would  not  be
                            useful because they would never be executed.)

                     ·      All  of  the flows that constitute a conjunctive flow with a given id
                            must have the same priority.  (Flows with the same id  but  different
                            priorities are currently treated as different conjunctive flows, that
                            is, currently id values need only be unique within an OpenFlow  table
                            at a given priority.  This behavior isn't guaranteed to stay the same
                            in later releases, so please use id values unique within an  OpenFlow
                            table.)

                     ·      Conjunctive  flows  must  not  overlap  with  each  other, at a given
                            priority, that is, any given packet must be able to match at most one
                            conjunctive  flow at a given priority.  Overlapping conjunctive flows
                            yield unpredictable results.

                     ·      Following a conjunctive flow match, the  search  for  the  flow  with
                            conj_id=id  is  done  in  the  same general-purpose way as other flow
                            table  searches,  so  one  can  use  flows  with  conj_id=id  to  act
                            differently  depending  on circumstances.  (One exception is that the
                            search for the conj_id=id flow itself ignores conjunctive  flows,  to
                            avoid  recursion.)  If the search with conj_id=id fails, Open vSwitch
                            acts as if the conjunctive flow had not matched at all, and continues
                            searching the flow table for other matching flows.

                     ·      OpenFlow prerequisite checking occurs for the flow with conj_id=id in
                            the same way as any other flow, e.g. in  an  OpenFlow  1.1+  context,
                            putting  a  mod_nw_src  action  into  the example above would require
                            adding an ip match, like this:
                               conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller

                     ·      OpenFlow prerequisite checking also occurs for the  individual  flows
                            that comprise a conjunctive match in the same way as any other flow.

                     ·      The  flows  that  constitute  a  conjunctive  flow do not have useful
                            statistics.  They are never updated with byte or packet  counts,  and
                            so  on.  (For such a flow, therefore, the idle and hard timeouts work
                            much the same way.)

                     ·      Conjunctive flows can be a useful building block for  negation,  that
                            is, inequality matches like tcp_src ≠ 80.  To implement an inequality
                            match, convert it to a pair of range matches, e.g. 0 ≤  tcp_src <  80
                            and 80 < tcp_src ≤ 65535, then convert each of the range matches into
                            a collection of bitwise matches as explained above in the description
                            of tcp_src.

                     ·      Sometimes  there  is  a  choice  of  which flows include a particular
                            match.  For example, suppose that we added an extra constraint to our
                            example,  to  match  on ip_src ∈ {a,b,c,d} and ip_dst ∈ {e,f,g,h} and
                            tcp_dst = i.  One way to implement this is to add the new  constraint
                            to the conj_id flow, like this:
                               conj_id=1234,tcp,tcp_dst=i actions=mod_nw_src:1.2.3.4,controller

                            but  this  is  not  recommended because of the cost of the extra flow
                            table lookup.  Instead, add the constraint to the  individual  flows,
                            either in one of the dimensions or (slightly better) all of them.

                     ·      A  conjunctive  match  must  have  n  ≥  2  dimensions  (otherwise  a
                            conjunctive match is not necessary).  Open vSwitch enforces this.

                     ·      Each dimension within a conjunctive match should ordinarily have more
                            than one flow.  Open vSwitch does not enforce this.

                     The  conjunction  action  and  conj_id field were introduced in Open vSwitch
                     2.4.

       An opaque identifier called a cookie can be used as a handle to identify a set of flows:

       cookie=value
              A cookie can be associated with a flow using the add-flow, add-flows, and mod-flows
              commands.   value  can be any 64-bit number and need not be unique among flows.  If
              this field is omitted, a default cookie value of 0 is used.

       cookie=value/mask
              When using NXM, the cookie can be used as a handle  for  querying,  modifying,  and
              deleting  flows.   value  and  mask  may  be supplied for the del-flows, mod-flows,
              dump-flows, and dump-aggregate commands to limit matching cookies.  A 1-bit in mask
              indicates  that  the  corresponding  bit  in cookie must match exactly, and a 0-bit
              wildcards that bit.  A mask of -1 may be used to exactly match a cookie.

              The mod-flows command can update the cookies  of  flows  that  match  a  cookie  by
              specifying  the  cookie field twice (once with a mask for matching and once without
              to indicate the new value):

              ovs-ofctl mod-flows br0 cookie=1,actions=normal
                     Change all flows' cookies to 1 and change their actions to normal.

              ovs-ofctl mod-flows br0 cookie=1/-1,cookie=2,actions=normal
                     Update cookies with a value of 1 to 2 and change their actions to normal.

              The ability to match on cookies was added in Open vSwitch 1.5.0.

       The following additional field sets the priority for  flows  added  by  the  add-flow  and
       add-flows commands.  For mod-flows and del-flows when --strict is specified, priority must
       match along with the rest of the flow  specification.   For  mod-flows  without  --strict,
       priority  is  only  significant  if  the  command  creates a new flow, that is, non-strict
       mod-flows does not match on priority and will not change the priority of  existing  flows.
       Other commands do not allow priority to be specified.

       priority=value
              The priority at which a wildcarded entry will match in comparison to others.  value
              is a number between 0 and 65535, inclusive.  A higher value  will  match  before  a
              lower one.  An exact-match entry will always have priority over an entry containing
              wildcards, so it has an implicit priority value of 65535.  When adding a  flow,  if
              the field is not specified, the flow's priority will default to 32768.

              OpenFlow  leaves  behavior  undefined when two or more flows with the same priority
              can match a single packet.  Some users expect ``sensible'' behavior, such  as  more
              specific  flows  taking  precedence over less specific flows, but OpenFlow does not
              specify this and Open vSwitch does not implement it.  Users should  therefore  take
              care to use priorities to ensure the behavior that they expect.

       The  add-flow, add-flows, and mod-flows commands support the following additional options.
       These options affect only new flows.  Thus, for add-flow and add-flows, these options  are
       always  significant,  but for mod-flows they are significant only if the command creates a
       new flow, that is, their values do not update or affect existing flows.

       idle_timeout=seconds
              Causes the flow to expire after the given number of seconds of inactivity.  A value
              of 0 (the default) prevents a flow from expiring due to inactivity.

       hard_timeout=seconds
              Causes  the  flow  to  expire  after  the  given  number  of seconds, regardless of
              activity.  A value of 0 (the default) gives the flow no hard expiration deadline.

       importance=value
              Sets the importance  of  a  flow.   The  flow  entry  eviction  mechanism  can  use
              importance as a factor in deciding which flow to evict.  A value of 0 (the default)
              makes the flow non-evictable on the basis of importance.  Specify a value between 0
              and 65535.

              Only OpenFlow 1.4 and later support importance.

       send_flow_rem
              Marks  the  flow  with a flag that causes the switch to generate a ``flow removed''
              message and send it to interested controllers when the flow  later  expires  or  is
              removed.

       check_overlap
              Forces  the  switch  to  check  that  the  flow  match does not overlap that of any
              different flow with the same priority in the same table.  (This check is  expensive
              so it is best to avoid it.)

       The  dump-flows,  dump-aggregate, del-flow and del-flows commands support these additional
       optional fields:

       out_port=port
              If set, a matching flow must include an output action to port,  which  must  be  an
              OpenFlow port number or name (e.g. local).

       out_group=port
              If set, a matching flow must include an group action naming group, which must be an
              OpenFlow group number.  This field is supported in Open vSwitch 2.5 and  later  and
              requires OpenFlow 1.1 or later.

   Table Entry Output
       The  dump-tables  and  dump-aggregate  commands  print  information about the entries in a
       datapath's tables.  Each line of output is a flow  entry  as  described  in  Flow  Syntax,
       above, plus some additional fields:

       duration=secs
              The  time, in seconds, that the entry has been in the table.  secs includes as much
              precision as the switch provides, possibly to nanosecond resolution.

       n_packets
              The number of packets that have matched the entry.

       n_bytes
              The total number of bytes from packets that have matched the entry.

       The following additional fields are included only if the switch is  Open  vSwitch  1.6  or
       later and the NXM flow format is used to dump the flow (see the description of the --flow-
       format option below).  The values of these additional fields are approximations  only  and
       in particular idle_age will sometimes become nonzero even for busy flows.

       hard_age=secs
              The  integer  number  of seconds since the flow was added or modified.  hard_age is
              displayed only if it differs from the integer part of duration.  (This is  separate
              from  duration  because  mod-flows  restarts the hard_timeout timer without zeroing
              duration.)

       idle_age=secs
              The integer number of seconds that have passed without any packets passing  through
              the flow.

   Group Syntax
       Some  ovs-ofctl  commands  accept an argument that describes a group or groups.  Such flow
       descriptions comprise a series field=value  assignments,  separated  by  commas  or  white
       space.   (Embedding  spaces  into a group description normally requires quoting to prevent
       the shell from breaking the description into multiple arguments.). Unless noted  otherwise
       only the last instance of each field is honoured.

       group_id=id
              The  integer  group  id  of  group.   When this field is specified in del-groups or
              dump-groups, the keyword "all" may be used to designate all groups.  This field  is
              required.

       type=type
              The  type  of the group.  The add-group, add-groups and mod-groups commands require
              this field.  It is prohibited for other commands. The following keywords designated
              the allowed types:

              all    Execute all buckets in the group.

              select Execute  one  bucket  in  the group.  The switch should select the bucket in
                     such a way that should implement equal load sharing is achieved.  The switch
                     may optionally select the bucket based on bucket weights.

              indirect
                     Executes the one bucket in the group.

              ff
              fast_failover
                     Executes  the first live bucket in the group which is associated with a live
                     port or group.

       command_bucket_id=id
              The bucket to operate on.  The insert-buckets and remove-buckets  commands  require
              this  field.   It is prohibited for other commands.  id may be an integer or one of
              the following keywords:

              all    Operate on all buckets in the group.  Only valid when used with the  remove-
                     buckets  command  in which case the effect is to remove all buckets from the
                     group.

              first  Operate on the first bucket present in  the  group.   In  the  case  of  the
                     insert-buckets  command  the  effect is to insert new bucets just before the
                     first bucket already present in the group; or to replace the buckets of  the
                     group  if there are no buckets already present in the group.  In the case of
                     the remove-buckets command the effect is to remove the first bucket  of  the
                     group; or do nothing if there are no buckets present in the group.

              last   Operate on the last bucket present in the group.  In the case of the insert-
                     buckets command the effect is to insert  new  bucets  just  after  the  last
                     bucket  already present in the group; or to replace the buckets of the group
                     if there are no buckets already present in the group.  In the  case  of  the
                     remove-buckets command the effect is to remove the last bucket of the group;
                     or do nothing if there are no buckets present in the group.

              If id is an integer then it should correspond to the bucket_id of a bucket  present
              in  the  group.   In  case  of  the  insert-buckets command the effect is to insert
              buckets just before the bucket in the group whose bucket_id is id.  In case of  the
              iremove-buckets command the effect is to remove the in the group whose bucket_id is
              id.  It is an error if there is no bucket persent group in whose bucket_id is id.

       selection_method=method
              The selection method used to select a bucket for a select group.  This is a  string
              of  1  to  15  bytes  in  length known to lower layers.  This field is optional for
              add-group, add-groups and mod-group commands on groups of type  select.  Prohibited
              otherwise. The default value is the empty string.

              Other than the empty string, hash is currently the only defined selection method.

              This  option  will  use a Netronome OpenFlow extension which is only supported when
              using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

       selection_method_param=param
              64-bit integer parameter to the selection method selected by  the  selection_method
              field.   The  parameter's  use  is  defined  by the lower-layer that implements the
              selection_method.  It is optional if the selection_method field is specified  as  a
              non-empty string.  Prohibited otherwise. The default value is zero.

              This  option  will  use a Netronome OpenFlow extension which is only supported when
              using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

       fields=field
       fields(field[=mask]...)
              The field parameters to selection method selected by  the  selection_method  field.
              The  syntax  is described in Flow Syntax with the additional restrictions that if a
              value is provided it is treated as a wildcard mask and wildcard masks  following  a
              slash  are  prohibited.  The pre-requisites of fields must be provided by any flows
              that output to the group. The use of the fields is defined by the lower-layer  that
              implements  the  selection_method.  They are optional if the selection_method field
              is specified as a non-empty  string.   Prohibited  otherwise.  The  default  is  no
              fields.

              This  option  will  use a Netronome OpenFlow extension which is only supported when
              using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

       bucket=bucket_parameters
              The add-group, add-groups and mod-group commands require at least one bucket field.
              Bucket  fields  must  appear  after  all  other  fields.  Multiple bucket fields to
              specify multiple buckets.  The order in which buckets are specified corresponds  to
              their  order  in  the  group.  If the type of the group is "indirect" then only one
              group may be specified.   bucket_parameters  consists  of  a  list  of  field=value
              assignments,  separated by commas or white space followed by a comma-separated list
              of actions.  The fields for bucket_parameters are:

              bucket_id=id
                     The 32-bit integer group id of the bucket.  Values greater  than  0xffffff00
                     are  reserved.  This field was added in Open vSwitch 2.4 to conform with the
                     OpenFlow 1.5 specification. It is not supported  when  earlier  versions  of
                     OpenFlow are used.  Open vSwitch will automatically allocate bucket ids when
                     they are not specified.

              actions=[action][,action...]
                     The syntax of actions are identical to the actions= field described in  Flow
                     Syntax  above.  Specyfing actions= is optional, any unknown bucket parameter
                     will be interpreted as an action.

              weight=value
                     The relative weight of the bucket as an integer. This may  be  used  by  the
                     switch during bucket select for groups whose type is select.

              watch_port=port
                     Port  used to determine liveness of group.  This or the watch_group field is
                     required for groups whose type is ff or fast_failover.

              watch_group=group_id
                     Group identifier of group used to determine liveness of group.  This or  the
                     watch_port field is required for groups whose type is ff or fast_failover.

   Meter Syntax
       The  meter  table  commands  accept  an  argument  that  describes  a  meter.   Such meter
       descriptions comprise a series field=value  assignments,  separated  by  commas  or  white
       space.   (Embedding  spaces  into a group description normally requires quoting to prevent
       the shell from breaking the description into multiple arguments.). Unless noted  otherwise
       only the last instance of each field is honoured.

       meter=id
              The  integer  meter  id  of  the meter.  When this field is specified in del-meter,
              dump-meter, or meter-stats, the keyword "all" may be used to designate all  meters.
              This  field  is  required,  exept  for meter-stats, which dumps all stats when this
              field is not specified.

       kbps
       pktps  The unit for the meter band rate parameters, either kilobits per second, or packets
              per  second,  respectively.   One  of these must be specified.  The burst size unit
              corresponds to the rate unit by dropping the "per second", i.e., burst is in  units
              of kilobits or packets, respectively.

       burst  Specify burst size for all bands, or none of them, if this flag is not given.

       stats  Collect meter and band statistics.

       bands=band_parameters
              The add-meter and mod-meter commands require at least one band specification. Bands
              must appear after all other fields.

              type=type
                     The type of the meter band.  This keyword starts a new  band  specification.
                     Each  band specifies a rate above which the band is to take some action. The
                     action depends on the band type.  If multiple bands' rate is exceeded,  then
                     the  band  with  the highest rate among the exceeded bands is selected.  The
                     following keywords designate the allowed meter band types:

                     drop   Drop packets exceeding the band's rate limit.

              The other band_parameters are:

              rate=value
                     The relative rate limit for this band, in kilobits per second or packets per
                     second, depending on the meter flags defined above.

              burst_size=size
                     The maximum burst allowed for the band.  If pktps is specified, then size is
                     a packet count, otherwise it is in kilobits.  If unspecified, the switch  is
                     free to select some reasonable value depending on its configuration.

OPTIONS

       --strict
              Uses strict matching when running flow modification commands.

       --bundle
              Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.

              ·      Within a bundle, all flow mods are processed in the order they appear and as
                     a single atomic transaction, meaning that if one of them  fails,  the  whole
                     transaction  fails  and  none  of  the changes are made to the switch's flow
                     table, and that each given datapath packet traversing  the  OpenFlow  tables
                     sees the flow tables either as before the transaction, or after all the flow
                     mods in the bundle have been successfully applied.

              ·      The beginning and the end of the  flow  table  modification  commands  in  a
                     bundle  are delimited with OpenFlow 1.4 bundle control messages, which makes
                     it possible to  stream  the  included  commands  without  explicit  OpenFlow
                     barriers,  which  are  otherwise  used  after  each  flow table modification
                     command.  This may make large modifications execute faster as a bundle.

              ·      Bundles require OpenFlow 1.4 or higher.  An explicit -O OpenFlow14 option is
                     not  needed,  but  you  may  need  to enable OpenFlow 1.4 support for OVS by
                     setting the OVSDB protocols column in the bridge table.

       -O [version[,version]...]
       --protocols=[version[,version]...]
              Sets the OpenFlow protocol versions that are allowed when establishing an  OpenFlow
              session.

              The  following versions are considered to be ready for general use.  These protocol
              versions are enabled by default:

              ·      OpenFlow10, for OpenFlow 1.0.

              Support for the following protocol versions is provided for testing and development
              purposes.  They are not enabled by default:

              ·      OpenFlow11, for OpenFlow 1.1.

              ·      OpenFlow12, for OpenFlow 1.2.

              ·      OpenFlow13, for OpenFlow 1.3.

       -F format[,format...]
       --flow-format=format[,format...]
              ovs-ofctl  supports  the following individual flow formats, any number of which may
              be listed as format:

              OpenFlow10-table_id
                     This is the standard OpenFlow 1.0 flow format.  All  OpenFlow  switches  and
                     all versions of Open vSwitch support this flow format.

              OpenFlow10+table_id
                     This  is  the standard OpenFlow 1.0 flow format plus a Nicira extension that
                     allows ovs-ofctl to specify the flow table in which a particular flow should
                     be placed.  Open vSwitch 1.2 and later supports this flow format.

              NXM-table_id (Nicira Extended Match)
                     This  Nicira  extension to OpenFlow is flexible and extensible.  It supports
                     all of the Nicira flow extensions,  such  as  tun_id  and  registers.   Open
                     vSwitch 1.1 and later supports this flow format.

              NXM+table_id (Nicira Extended Match)
                     This  combines  Nicira  Extended match with the ability to place a flow in a
                     specific table.  Open vSwitch 1.2 and later supports this flow format.

              OXM-OpenFlow12
              OXM-OpenFlow13
              OXM-OpenFlow14
                     These are the standard  OXM  (OpenFlow  Extensible  Match)  flow  format  in
                     OpenFlow 1.2, 1.3, and 1.4, respectively.

              ovs-ofctl  also  supports  the  following  abbreviations  for  collections  of flow
              formats:

              any    Any supported flow format.

              OpenFlow10
                     OpenFlow10-table_id or OpenFlow10+table_id.

              NXM    NXM-table_id or NXM+table_id.

              OXM    OXM-OpenFlow12, OXM-OpenFlow13, or OXM-OpenFlow14.

              For commands that modify the flow table, ovs-ofctl by default negotiates  the  most
              widely  supported  flow  format  that supports the flows being added.  For commands
              that query the flow table, ovs-ofctl by  default  uses  the  most  advanced  format
              supported by the switch.

              This  option,  where format is a comma-separated list of one or more of the formats
              listed above, limits ovs-ofctl's choice of flow format.  If a command  cannot  work
              as requested using one of the specified flow formats, ovs-ofctl will report a fatal
              error.

       -P format
       --packet-in-format=format
              ovs-ofctl  supports  the  following  packet_in  formats,  in  order  of  increasing
              capability:

              openflow10
                     This  is  the standard OpenFlow 1.0 packet in format. It should be supported
                     by all OpenFlow switches.

              nxm (Nicira Extended Match)
                     This packet_in format includes flow metadata encoded using the NXM format.

              Usually, ovs-ofctl prefers the nxm packet_in format, but will allow the  switch  to
              choose its default if nxm is unsupported.  When format is one of the formats listed
              in the above table, ovs-ofctl will insist on the selected format.   If  the  switch
              does  not  support the requested format, ovs-ofctl will report a fatal error.  This
              option only affects the monitor command.

       --timestamp
              Print a timestamp before each  received  packet.   This  option  only  affects  the
              monitor, snoop, and ofp-parse-pcap commands.

       -m
       --more Increases  the  verbosity  of  OpenFlow  messages  printed  and logged by ovs-ofctl
              commands.  Specify this option more than once to increase verbosity further.

       --sort[=field]
       --rsort[=field]
              Display output sorted by flow field in ascending (--sort) or  descending  (--rsort)
              order,  where  field is any of the fields that are allowed for matching or priority
              to sort by priority.  When field is omitted, the  output  is  sorted  by  priority.
              Specify these options multiple times to sort by multiple fields.

              Any  given  flow  will  not  necessarily  specify  a value for a given field.  This
              requires special treatement:

              ·      A flow that does not specify any part of a field that is used for sorting is
                     sorted  after  all  the  flows  that  do  specify  the  field.  For example,
                     --sort=tcp_src will sort all the flows that specify a  TCP  source  port  in
                     ascending order, followed by the flows that do not specify a TCP source port
                     at all.

              ·      A flow that only specifies some  bits  in  a  field  is  sorted  as  if  the
                     wildcarded  bits  were  zero.   For example, --sort=nw_src would sort a flow
                     that specifies nw_src=192.168.0.0/24 the same as nw_src=192.168.0.0.

              These options currently affect only dump-flows output.  The following  options  are
              valid on POSIX based platforms.

       --pidfile[=pidfile]
              Causes  a  file (by default, ovs-ofctl.pid) to be created indicating the PID of the
              running process.  If the pidfile argument is not specified, or if it does not begin
              with /, then it is created in /var/run/openvswitch.

              If --pidfile is not specified, no pidfile is created.

       --overwrite-pidfile
              By  default,  when  --pidfile is specified and the specified pidfile already exists
              and  is  locked  by  a  running  process,  ovs-ofctl  refuses  to  start.   Specify
              --overwrite-pidfile to cause it to instead overwrite the pidfile.

              When --pidfile is not specified, this option has no effect.

       --detach
              Runs  ovs-ofctl  as  a  background process.  The process forks, and in the child it
              starts a new session, closes the standard file  descriptors  (which  has  the  side
              effect  of  disabling logging to the console), and changes its current directory to
              the  root  (unless  --no-chdir  is  specified).   After  the  child  completes  its
              initialization,  the  parent  exits.   ovs-ofctl  detaches  only when executing the
              monitor or snoop commands.

       --monitor
              Creates an additional process to monitor the ovs-ofctl daemon.  If the daemon  dies
              due  to  a  signal  that  indicates  a programming error (SIGABRT, SIGALRM, SIGBUS,
              SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU, or SIGXFSZ)  then  the  monitor  process
              starts  a  new  copy  of  it.   If the daemon dies or exits for another reason, the
              monitor process exits.

              This option is normally used with --detach, but it also functions without it.

       --no-chdir
              By default, when --detach is  specified,  ovs-ofctl  changes  its  current  working
              directory  to  the root directory after it detaches.  Otherwise, invoking ovs-ofctl
              from a carelessly chosen directory would prevent the administrator from  unmounting
              the file system that holds that directory.

              Specifying  --no-chdir suppresses this behavior, preventing ovs-ofctl from changing
              its current working directory.  This may be useful for collecting core files, since
              it  is  common  behavior to write core dumps into the current working directory and
              the root directory is not a good directory to use.

              This option has no effect when --detach is not specified.

       --user Causes ovs-ofctl to run  as  a  different  user  specified  in  "user:group",  thus
              dropping  most  of  the  root  privileges. Short forms "user" and ":group" are also
              allowed, with current user or group are assumed respectively. Only daemons  started
              by the root user accepts this argument.

              On  Linux,  daemons  will  be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before
              dropping root privileges. Daemons interact with  datapath,  such  as  ovs-vswitchd,
              will  be granted two additional capabilities, namely CAP_NET_ADMIN and CAP_NET_RAW.
              The capability change will apply even if new user is "root".

              On  Windows,  this  option  is  not  currently  supported.  For  security  reasons,
              specifying this option will cause the daemon process not to start.

       --unixctl=socket
              Sets  the  name  of  the  control  socket  on  which  ovs-ofctl listens for runtime
              management commands (see RUNTIME MANAGEMENT COMMANDS, below).  If socket  does  not
              begin  with /, it is interpreted as relative to /var/run/openvswitch.  If --unixctl
              is not used at all, the default socket  is  /var/run/openvswitch/ovs-ofctl.pid.ctl,
              where pid is ovs-ofctl's process ID.

              On  Windows,  uses  a kernel chosen TCP port on the localhost to listen for runtime
              management commands.  The kernel chosen TCP port value is written in a  file  whose
              absolute  path  is  pointed by socket. If --unixctl is not used at all, the file is
              created as ovs-ofctl.ctl in the configured OVS_RUNDIR directory.

              Specifying none for socket disables the control socket feature.

   Public Key Infrastructure Options
       -p privkey.pem
       --private-key=privkey.pem
              Specifies a PEM file containing the private key used as  ovs-ofctl's  identity  for
              outgoing SSL connections.

       -c cert.pem
       --certificate=cert.pem
              Specifies  a  PEM  file  containing  a  certificate  that certifies the private key
              specified on -p or --private-key to be trustworthy.  The certificate must be signed
              by  the  certificate  authority  (CA)  that the peer in SSL connections will use to
              verify it.

       -C cacert.pem
       --ca-cert=cacert.pem
              Specifies a PEM file containing the CA certificate that  ovs-ofctl  should  use  to
              verify  certificates  presented  to  it  by  SSL  peers.   (This  may  be  the same
              certificate that SSL peers use  to  verify  the  certificate  specified  on  -c  or
              --certificate, or it may be a different one, depending on the PKI design in use.)

       -C none
       --ca-cert=none
              Disables  verification  of  certificates presented by SSL peers.  This introduces a
              security risk, because it means that certificates cannot be verified to be those of
              known trusted hosts.

       -v[spec]
       --verbose=[spec]
              Sets  logging  levels.   Without  any spec, sets the log level for every module and
              destination to dbg.  Otherwise, spec is a list of  words  separated  by  spaces  or
              commas or colons, up to one from each category below:

              ·      A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
                     limits the log level change to the specified module.

              ·      syslog, console, or file, to limit the log  level  change  to  only  to  the
                     system  log,  to  the  console, or to a file, respectively.  (If --detach is
                     specified, ovs-ofctl closes its standard file descriptors, so logging to the
                     console will have no effect.)

                     On  Windows  platform, syslog is accepted as a word and is only useful along
                     with the --syslog-target option (the word has no effect otherwise).

              ·      off, emer, err, warn, info, or dbg, to control the log level.   Messages  of
                     the  given severity or higher will be logged, and messages of lower severity
                     will be filtered out.  off filters out all messages.  See ovs-appctl(8)  for
                     a definition of each log level.

              Case is not significant within spec.

              Regardless  of  the  log levels set for file, logging to a file will not take place
              unless --log-file is also specified (see below).

              For compatibility with older versions of OVS, any is accepted as a word but has  no
              effect.

       -v
       --verbose
              Sets the maximum logging verbosity level, equivalent to --verbose=dbg.

       -vPATTERN:destination:pattern
       --verbose=PATTERN:destination:pattern
              Sets  the  log  pattern  for  destination to pattern.  Refer to ovs-appctl(8) for a
              description of the valid syntax for pattern.

       -vFACILITY:facility
       --verbose=FACILITY:facility
              Sets the RFC5424 facility of the log message. facility can be one  of  kern,  user,
              mail, daemon, auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2,
              local0, local1, local2, local3, local4, local5, local6 or local7. If this option is
              not specified, daemon is used as the default for the local system syslog and local0
              is used while sending a message to the  target  provided  via  the  --syslog-target
              option.

       --log-file[=file]
              Enables logging to a file.  If file is specified, then it is used as the exact name
              for the log  file.   The  default  log  file  name  used  if  file  is  omitted  is
              /var/log/openvswitch/ovs-ofctl.log.

       --syslog-target=host:port
              Send  syslog  messages  to UDP port on host, in addition to the system syslog.  The
              host must be a numerical IP address, not a hostname.

       --syslog-method=method
              Specify method how syslog messages should be  sent  to  syslog  daemon.   Following
              forms are supported:

              ·      libc,  use  libc syslog() function.  This is the default behavior.  Downside
                     of using this options is that libc adds fixed prefix to every message before
                     it is actually sent to the syslog daemon over /dev/log UNIX domain socket.

              ·      unix:file,  use  UNIX  domain  socket  directly.   It is possible to specify
                     arbitrary message format with this option.  However, rsyslogd 8.9 and  older
                     versions  use  hard  coded  parser  function  anyway that limits UNIX domain
                     socket use.  If you want to use arbitrary message format with older rsyslogd
                     versions, then use UDP socket to localhost IP address instead.

              ·      udp:ip:port,  use  UDP  socket.   With  this  method  it  is possible to use
                     arbitrary message format also with  older  rsyslogd.   When  sending  syslog
                     messages  over  UDP  socket extra precaution needs to be taken into account,
                     for example, syslog daemon needs to be configured to listen on the specified
                     UDP  port,  accidental iptables rules could be interfering with local syslog
                     traffic and there  are  some  security  considerations  that  apply  to  UDP
                     sockets, but do not apply to UNIX domain sockets.

       -h
       --help Prints a brief help message to the console.

       -V
       --version
              Prints version information to the console.

RUNTIME MANAGEMENT COMMANDS

       ovs-appctl(8)  can  send  commands to a running ovs-ofctl process.  The supported commands
       are listed below.

       exit   Causes ovs-ofctl to gracefully terminate.  This command applies only when executing
              the monitor or snoop commands.

       ofctl/set-output-file file
              Causes all subsequent output to go to file instead of stderr.  This command applies
              only when executing the monitor or snoop commands.

       ofctl/send ofmsg...
              Sends each ofmsg, specified as a sequence of hex digits that  express  an  OpenFlow
              message,  on  the  OpenFlow connection.  This command is useful only when executing
              the monitor command.

       ofctl/barrier
              Sends an OpenFlow barrier request on the OpenFlow connection and waits for a reply.
              This command is useful only for the monitor command.

EXAMPLES

       The following examples assume that ovs-vswitchd has a bridge named br0 configured.

       ovs-ofctl dump-tables br0
              Prints  out the switch's table stats.  (This is more interesting after some traffic
              has passed through.)

       ovs-ofctl dump-flows br0
              Prints the flow entries in the switch.

SEE ALSO

       ovs-appctl(8), ovs-vswitchd(8) ovs-vswitchd.conf.db(8)