Provided by: openvswitch-switch_2.9.0-0ubuntu1_amd64 bug


       ovs-dpctl - administer Open vSwitch datapaths


       ovs-dpctl [options] command [switch] [args...]


       The  ovs-dpctl  program  can  create, modify, and delete Open vSwitch datapaths.  A single
       machine may host any number of datapaths.

       This program works only with  datapaths  that  are  implemented  outside  of  ovs-vswitchd
       itself,  such  as  the Linux and Windows kernel-based datapaths.  To manage datapaths that
       are  integrated  into  ovs-vswitchd,  such  as  the  userspace  (netdev)   datapath,   use
       ovs-appctl(8) to invoke the dpctl/* commands, which are documented in ovs-vswitchd(8).

       A  newly  created  datapath  is associated with only one network device, a virtual network
       device sometimes called the datapath's ``local port''.  A newly created datapath  is  not,
       however,  associated  with  any  of  the  host's  other network devices.  To intercept and
       process traffic on a given network device, use the add-if command to explicitly  add  that
       network device to the datapath.

       If ovs-vswitchd(8) is in use, use ovs-vsctl(8) instead of ovs-dpctl.

       Most  ovs-dpctl commands that work with datapaths take an argument that specifies the name
       of the datapath.  Datapath names take the form [type@]name,  where  name  is  the  network
       device  associated  with  the  datapath's  local port.  If type is given, it specifies the
       datapath provider of name, otherwise the default provider system is assumed.

       The following commands manage datapaths.

       add-dp dp [netdev[,option]...]
              Creates datapath dp, with a local port also named dp.  This will fail if a  network
              device dp already exists.

              If  netdevs  are  specified,  ovs-dpctl  adds  them to the new datapath, just as if
              add-if was specified.

       del-dp dp
              Deletes datapath dp.  If dp is  associated  with  any  network  devices,  they  are
              automatically removed.

       add-if dp netdev[,option]...
              Adds  each  netdev  to the set of network devices datapath dp monitors, where dp is
              the name of an existing datapath, and netdev is the  name  of  one  of  the  host's
              network  devices,  e.g.  eth0.  Once a network device has been added to a datapath,
              the datapath has complete ownership of the network device's traffic and the network
              device appears silent to the rest of the system.

              A  netdev  may  be  followed  by  a comma-separated list of options.  The following
              options are currently supported:

                     Specifies the type of port to add.  The default type is system.

                     Requests a specific port number within the datapath.  If this option is  not
                     specified then one will be automatically assigned.

                     Adds an arbitrary key-value option to the port's configuration.

              ovs-vswitchd.conf.db(5) documents the available port types and options.

       set-if dp port[,option]...
              Reconfigures  each  port  in dp as specified.  An option of the form key=value adds
              the specified key-value option to the port or overrides an  existing  key's  value.
              An  option  of the form key=, that is, without a value, deletes the key-value named
              key.  The type and port number of a port cannot be changed, so type and port_no are
              only allowed if they match the existing configuration.

       del-if dp netdev...
              Removes each netdev from the list of network devices datapath dp monitors.

              Prints the name of each configured datapath on a separate line.

       [-s | --statistics] show [dp...]
              Prints  a  summary  of configured datapaths, including their datapath numbers and a
              list of ports connected to each datapath.  (The local port is  identified  as  port
              0.)   If  -s  or  --statistics is specified, then packet and byte counters are also
              printed for each port.

              The datapath numbers consists of flow stats and mega flow mask stats.

              The "lookups" row  displays  three  stats  related  to  flow  lookup  triggered  by
              processing  incoming  packets  in  the  datapath.  "hit" displays number of packets
              matches existing flows. "missed" displays the number of packets  not  matching  any
              existing flow and require user space processing.  "lost" displays number of packets
              destined for user space process but subsequently dropped before reaching userspace.
              The  sum  of  "hit"  and  "miss"  equals  to  the  total number of packets datapath

              The "flows" row displays the number of flows in datapath.

              The "masks" row displays the mega flow mask stats. This row is omitted for datapath
              not  implementing  mega  flow. "hit" displays the total number of masks visited for
              matching incoming packets. "total"  displays  number  of  masks  in  the  datapath.
              "hit/pkt"  displays  the  average  number  of  masks  visited per packet; the ratio
              between "hit" and total number of packets processed by the datapath.

              If one or more datapaths are specified, information on  only  those  datapaths  are
              displayed.    Otherwise,   ovs-dpctl  displays  information  about  all  configured

       The following commands are primarily useful for debugging Open vSwitch.   The  flow  table
       entries  (both  matches  and  actions)  that they work with are not OpenFlow flow entries.
       Instead, they are different and considerably simpler flows maintained by the Open  vSwitch
       kernel module.  Use ovs-ofctl(8), instead, to work with OpenFlow flow entries.

       The dp argument to each of these commands is optional when exactly one datapath exists, in
       which case that datapath is the default.  When multiple datapaths exist, then  a  datapath
       name is required.

       [-m | --more] [--names | --no-names] dump-flows [dp] [filter=filter] [type=type]
              Prints  to the console all flow entries in datapath dp's flow table.  Without -m or
              --more, output omits match fields that  a  flow  wildcards  entirely;  with  -m  or
              --more, output includes all wildcarded fields.

              If  filter=filter  is  specified,  only  displays  the flows that match the filter.
              filter is a flow in the form similiar to that accepted by  ovs-ofctl(8)'s  add-flow
              command.  (This  is  not  an  OpenFlow  flow:  besides  other differences, it never
              contains wildcards.)  The filter is also useful to match wildcarded fields  in  the
              datapath  flow. As an example, filter='tcp,tp_src=100' will match the datapath flow
              containing 'tcp(src=80/0xff00,dst=8080/0xff)'.

              If type=type is specified, only displays flows of a specific  type.   type  can  be
              offloaded  to  display  only  offloaded  rules or OVS to display only non-offloaded
              rules.  By default both offloaded and non-offloaded rules are displayed.

       add-flow [dp] flow actions

       [--clear] [--may-create] [-s | --statistics] mod-flow [dp] flow actions
              Adds or modifies a flow in dp's flow  table  that,  when  a  packet  matching  flow
              arrives, causes actions to be executed.

              The  add-flow  command  succeeds  only  if  flow  does  not  already  exist  in dp.
              Contrariwise, mod-flow without  --may-create  only  modifies  the  actions  for  an
              existing  flow.   With  --may-create,  mod-flow  will  add  a new flow or modify an
              existing one.

              If -s or --statistics is  specified,  then  mod-flow  prints  the  modified  flow's
              statistics.   A  flow's  statistics  are  the number of packets and bytes that have
              passed through the flow, the elapsed time since the flow last  processed  a  packet
              (if  ever),  and  (for  TCP flows) the union of the TCP flags processed through the

              With --clear, mod-flow zeros out the flow's statistics.  The statistics printed  if
              -s  or  --statistics  is  also  specified  are  those from just before clearing the

              NOTE: flow and actions do not match the syntax used  with  ovs-ofctl(8)'s  add-flow

              Usage Examples

              Forward ARP between ports 1 and 2 on datapath myDP:

                     ovs-dpctl add-flow myDP \
                       "in_port(1),eth(),eth_type(0x0806),arp()" 2

                     ovs-dpctl add-flow myDP \
                       "in_port(2),eth(),eth_type(0x0806),arp()" 1

              Forward all IPv4 traffic between two addresses on ports 1 and 2:

                     ovs-dpctl add-flow myDP \
                        ipv4(src=,dst=" 2

                     ovs-dpctl add-flow myDP \
                        ipv4(src=,dst=" 1

       [-s | --statistics] del-flow [dp] flow
              Deletes  the flow from dp's flow table that matches flow.  If -s or --statistics is
              specified, then del-flow prints the deleted flow's statistics.

       [-m | --more] [--names | --no-names] get-flow [dp] ufid:ufid
              Fetches the flow from dp's flow table with unique identifier ufid.   ufid  must  be
              specified as a string of 32 hexadecimal characters.

       del-flows [dp]
              Deletes all flow entries from datapath dp's flow table.

       The  following commands are primarily useful for debugging the connection tracking entries
       in the datapath.

       The dp argument to each of these commands is optional when exactly one datapath exists, in
       which  case  that datapath is the default.  When multiple datapaths exist, then a datapath
       name is required.

       N.B.(Linux specific): the system datapaths (i.e. the  Linux  kernel  module  Open  vSwitch
       datapaths)  share  a  single connection tracking table (which is also used by other kernel
       subsystems, such as iptables, nftables  and  the  regular  host  stack).   Therefore,  the
       following commands do not apply specifically to one datapath.

       [-m | --more] [-s | --statistics] dump-conntrack [dp] [zone=zone]
              Prints  to  the  console  all the connection entries in the tracker used by dp.  If
              zone=zone is specified, only shows the connections  in  zone.   With  --more,  some
              implementation  specific  details  are  included.  With  --statistics  timeouts and
              timestamps are added to the output.

       flush-conntrack [dp] [zone=zone] [ct-tuple]
              Flushes the connection entries in  the  tracker  used  by  dp  based  on  zone  and
              connection  tracking  tuple ct-tuple.  If ct-tuple is not provided, flushes all the
              connection entries.  If zone=zone is specified, only  flushes  the  connections  in

              If  ct-tuple  is  provided,  flushes  the connection entry specified by ct-tuple in
              zone. The zone defaults to 0 if it is not provided.  An example of an IPv4 ICMP ct-


              An example of an IPv6 TCP ct-tuple:


       ct-stats-show [dp] [zone=zone] [verbose]
              Displays the number of connections grouped by protocol used by dp.  If zone=zone is
              specified,  numbers  refer to the connections in zone. The verbose option allows to
              group by connection state for each protocol.

       ct-bkts [dp] [gt=Threshold]
              For each ConnTracker bucket, displays the number of connections  used  by  dp.   If
              gt=Threshold  is  specified,  bucket  numbers  are  displayed  when  the  number of
              connections in a bucket is greater than Threshold.

       ct-set-maxconns [dp] param
              Set the maximum limit of connection tracker connections.  Can be used to reduce the
              processing  load  on  the  system  due  to  connection  tracking or simply limiting
              connection tracking.  If the number  of  connections  is  already  beyond  the  new
              maximum limit request for the number of connections then the new maximum limit will
              be enforced when the number of connections decreases to that limit, which  normally
              happens due to connection expiry.  Only supported for userspace datapath.

       ct-get-maxconns [dp]
              Read  the  maximum  limit  of  connection  tracker connections.  Only supported for
              userspace datapath.

       ct-get-nconns [dp]
              Read the current number of connection  tracker  connections.   Only  supported  for
              userspace datapath.


              Causes  the show command to print packet and byte counters for each port within the
              datapaths that it shows.

       --more Increases verbosity of output for dump-flows and get-flow.

              Enables or disables showing port names in place of numbers in output for dump-flows
              and  get-flow.   By  default,  names  are  shown  if  at  least one -m or --more is

              Limits ovs-dpctl runtime to approximately secs seconds.  If  the  timeout  expires,
              ovs-dpctl will exit with a SIGALRM signal.

              Sets  logging  levels.   Without  any spec, sets the log level for every module and
              destination to dbg.  Otherwise, spec is a list of  words  separated  by  spaces  or
              commas or colons, up to one from each category below:

              ·      A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
                     limits the log level change to the specified module.

              ·      syslog, console, or file, to limit the log  level  change  to  only  to  the
                     system  log,  to  the  console, or to a file, respectively.  (If --detach is
                     specified, ovs-dpctl closes its standard file descriptors, so logging to the
                     console will have no effect.)

                     On  Windows  platform, syslog is accepted as a word and is only useful along
                     with the --syslog-target option (the word has no effect otherwise).

              ·      off, emer, err, warn, info, or dbg, to control the log level.   Messages  of
                     the  given severity or higher will be logged, and messages of lower severity
                     will be filtered out.  off filters out all messages.  See ovs-appctl(8)  for
                     a definition of each log level.

              Case is not significant within spec.

              Regardless  of  the  log levels set for file, logging to a file will not take place
              unless --log-file is also specified (see below).

              For compatibility with older versions of OVS, any is accepted as a word but has  no

              Sets the maximum logging verbosity level, equivalent to --verbose=dbg.

              Sets  the  log  pattern  for  destination to pattern.  Refer to ovs-appctl(8) for a
              description of the valid syntax for pattern.

              Sets the RFC5424 facility of the log message. facility can be one  of  kern,  user,
              mail, daemon, auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2,
              local0, local1, local2, local3, local4, local5, local6 or local7. If this option is
              not specified, daemon is used as the default for the local system syslog and local0
              is used while sending a message to the  target  provided  via  the  --syslog-target

              Enables logging to a file.  If file is specified, then it is used as the exact name
              for the log  file.   The  default  log  file  name  used  if  file  is  omitted  is

              Send  syslog  messages  to UDP port on host, in addition to the system syslog.  The
              host must be a numerical IP address, not a hostname.

              Specify method how syslog messages should be  sent  to  syslog  daemon.   Following
              forms are supported:

              ·      libc,  use  libc syslog() function.  This is the default behavior.  Downside
                     of using this options is that libc adds fixed prefix to every message before
                     it is actually sent to the syslog daemon over /dev/log UNIX domain socket.

              ·      unix:file,  use  UNIX  domain  socket  directly.   It is possible to specify
                     arbitrary message format with this option.  However, rsyslogd 8.9 and  older
                     versions  use  hard  coded  parser  function  anyway that limits UNIX domain
                     socket use.  If you want to use arbitrary message format with older rsyslogd
                     versions, then use UDP socket to localhost IP address instead.

              ·      udp:ip:port,  use  UDP  socket.   With  this  method  it  is possible to use
                     arbitrary message format also with  older  rsyslogd.   When  sending  syslog
                     messages  over  UDP  socket extra precaution needs to be taken into account,
                     for example, syslog daemon needs to be configured to listen on the specified
                     UDP  port,  accidental iptables rules could be interfering with local syslog
                     traffic and there  are  some  security  considerations  that  apply  to  UDP
                     sockets, but do not apply to UNIX domain sockets.

       --help Prints a brief help message to the console.

              Prints version information to the console.


       ovs-appctl(8), ovs-vswitchd(8)