1ovs-ofctl(8) Open vSwitch Manual ovs-ofctl(8)
2
3
4
6 ovs-ofctl - administer OpenFlow switches
7
9 ovs-ofctl [options] command [switch] [args...]
10
12 The ovs-ofctl program is a command line tool for monitoring and admin‐
13 istering OpenFlow switches. It can also show the current state of an
14 OpenFlow switch, including features, configuration, and table entries.
15 It should work with any OpenFlow switch, not just Open vSwitch.
16
17 OpenFlow Switch Management Commands
18 These commands allow ovs-ofctl to monitor and administer an OpenFlow
19 switch. It is able to show the current state of a switch, including
20 features, configuration, and table entries.
21
22 Most of these commands take an argument that specifies the method for
23 connecting to an OpenFlow switch. The following connection methods are
24 supported:
25
26 ssl:host[:port]
27 tcp:host[:port]
28 The specified port on the given host, which can be
29 expressed either as a DNS name (if built with unbound
30 library) or an IP address in IPv4 or IPv6 address format.
31 Wrap IPv6 addresses in square brackets, e.g.
32 tcp:[::1]:6653. On Linux, use %device to designate a
33 scope for IPv6 link-level addresses, e.g.
34 tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key,
35 --certificate, and --ca-cert options are mandatory.
36
37 If port is not specified, it defaults to 6653.
38
39 unix:file
40 On POSIX, a Unix domain server socket named file.
41
42 On Windows, connect to a local named pipe that is repre‐
43 sented by a file created in the path file to mimic the
44 behavior of a Unix domain socket.
45
46 file This is short for unix:file, as long as file does not
47 contain a colon.
48
49 bridge This is short for unix:/var/run/openvswitch/bridge.mgmt,
50 as long as bridge does not contain a colon.
51
52 [type@]dp
53 Attempts to look up the bridge associated with dp and
54 open as above. If type is given, it specifies the data‐
55 path provider of dp, otherwise the default provider sys‐
56 tem is assumed.
57
58 show switch
59 Prints to the console information on switch, including informa‐
60 tion on its flow tables and ports.
61
62 dump-tables switch
63 Prints to the console statistics for each of the flow tables
64 used by switch.
65
66 dump-table-features switch
67 Prints to the console features for each of the flow tables used
68 by switch.
69
70 dump-table-desc switch
71 Prints to the console configuration for each of the flow tables
72 used by switch for OpenFlow 1.4+.
73
74 mod-table switch table setting
75 This command configures flow table settings in switch for Open‐
76 Flow table table, which may be expressed as a number or (unless
77 --no-names is specified) a name.
78
79 The available settings depend on the OpenFlow version in use.
80 In OpenFlow 1.1 and 1.2 (which must be enabled with the -O
81 option) only, mod-table configures behavior when no flow is
82 found when a packet is looked up in a flow table. The following
83 setting values are available:
84
85 drop Drop the packet.
86
87 continue
88 Continue to the next table in the pipeline. (This is how
89 an OpenFlow 1.0 switch always handles packets that do not
90 match any flow, in tables other than the last one.)
91
92 controller
93 Send to controller. (This is how an OpenFlow 1.0 switch
94 always handles packets that do not match any flow in the
95 last table.)
96
97 In OpenFlow 1.4 and later (which must be enabled with the -O
98 option) only, mod-table configures the behavior when a con‐
99 troller attempts to add a flow to a flow table that is full.
100 The following setting values are available:
101
102 evict Delete some existing flow from the flow table, according
103 to the algorithm described for the Flow_Table table in
104 ovs-vswitchd.conf.db(5).
105
106 noevict
107 Refuse to add the new flow. (Eviction might still be
108 enabled through the overflow_policy column in the
109 Flow_Table table documented in ovs-vswitchd.conf.db(5).)
110
111 vacancy:low,high
112 Enables sending vacancy events to controllers using TA‐
113 BLE_STATUS messages, based on percentage thresholds low
114 and high.
115
116 novacancy
117 Disables vacancy events.
118
119 dump-ports switch [netdev]
120 Prints to the console statistics for network devices associated
121 with switch. If netdev is specified, only the statistics asso‐
122 ciated with that device will be printed. netdev can be an Open‐
123 Flow assigned port number or device name, e.g. eth0.
124
125 dump-ports-desc switch [port]
126 Prints to the console detailed information about network devices
127 associated with switch. To dump only a specific port, specify
128 its number as port. Otherwise, if port is omitted, or if it is
129 specified as ANY, then all ports are printed. This is a subset
130 of the information provided by the show command.
131
132 If the connection to switch negotiates OpenFlow 1.0, 1.2, or
133 1.2, this command uses an OpenFlow extension only implemented in
134 Open vSwitch (version 1.7 and later).
135
136 Only OpenFlow 1.5 and later support dumping a specific port.
137 Earlier versions of OpenFlow always dump all ports.
138
139 mod-port switch port action
140 Modify characteristics of port port in switch. port may be an
141 OpenFlow port number or name (unless --no-names is specified) or
142 the keyword LOCAL (the preferred way to refer to the OpenFlow
143 local port). The action may be any one of the following:
144 up
145 down Enable or disable the interface. This is equivalent to
146 ip link set up or ip link set down on a Unix system.
147
148 stp
149 no-stp Enable or disable 802.1D spanning tree protocol (STP) on
150 the interface. OpenFlow implementations that don't sup‐
151 port STP will refuse to enable it.
152
153 receive
154 no-receive
155 receive-stp
156 no-receive-stp
157 Enable or disable OpenFlow processing of packets received
158 on this interface. When packet processing is disabled,
159 packets will be dropped instead of being processed
160 through the OpenFlow table. The receive or no-receive
161 setting applies to all packets except 802.1D spanning
162 tree packets, which are separately controlled by
163 receive-stp or no-receive-stp.
164
165 forward
166 no-forward
167 Allow or disallow forwarding of traffic to this inter‐
168 face. By default, forwarding is enabled.
169
170 flood
171 no-flood
172 Controls whether an OpenFlow flood action will send traf‐
173 fic out this interface. By default, flooding is enabled.
174 Disabling flooding is primarily useful to prevent loops
175 when a spanning tree protocol is not in use.
176
177 packet-in
178 no-packet-in
179 Controls whether packets received on this interface that
180 do not match a flow table entry generate a ``packet in''
181 message to the OpenFlow controller. By default, ``packet
182 in'' messages are enabled.
183
184 The show command displays (among other information) the configu‐
185 ration that mod-port changes.
186
187 get-frags switch
188 Prints switch's fragment handling mode. See set-frags, below,
189 for a description of each fragment handling mode.
190
191 The show command also prints the fragment handling mode among
192 its other output.
193
194 set-frags switch frag_mode
195 Configures switch's treatment of IPv4 and IPv6 fragments. The
196 choices for frag_mode are:
197
198 normal Fragments pass through the flow table like non-fragmented
199 packets. The TCP ports, UDP ports, and ICMP type and
200 code fields are always set to 0, even for fragments where
201 that information would otherwise be available (fragments
202 with offset 0). This is the default fragment handling
203 mode for an OpenFlow switch.
204
205 drop Fragments are dropped without passing through the flow
206 table.
207
208 reassemble
209 The switch reassembles fragments into full IP packets
210 before passing them through the flow table. Open vSwitch
211 does not implement this fragment handling mode.
212
213 nx-match
214 Fragments pass through the flow table like non-fragmented
215 packets. The TCP ports, UDP ports, and ICMP type and
216 code fields are available for matching for fragments with
217 offset 0, and set to 0 in fragments with nonzero offset.
218 This mode is a Nicira extension.
219
220 See the description of ip_frag, below, for a way to match on
221 whether a packet is a fragment and on its fragment offset.
222
223 dump-flows switch [flows]
224 Prints to the console all flow entries in switch's tables that
225 match flows. If flows is omitted, all flows in the switch are
226 retrieved. See Flow Syntax, below, for the syntax of flows.
227 The output format is described in Table Entry Output.
228
229 By default, ovs-ofctl prints flow entries in the same order that
230 the switch sends them, which is unlikely to be intuitive or con‐
231 sistent. Use --sort and --rsort to control display order. The
232 --names/--no-names and --stats/--no-stats options also affect
233 output formatting. See the descriptions of these options, under
234 OPTIONS below, for more information
235
236 dump-aggregate switch [flows]
237 Prints to the console aggregate statistics for flows in switch's
238 tables that match flows. If flows is omitted, the statistics
239 are aggregated across all flows in the switch's flow tables.
240 See Flow Syntax, below, for the syntax of flows. The output
241 format is described in Table Entry Output.
242
243 queue-stats switch [port [queue]]
244 Prints to the console statistics for the specified queue on port
245 within switch. port can be an OpenFlow port number or name, the
246 keyword LOCAL (the preferred way to refer to the OpenFlow local
247 port), or the keyword ALL. Either of port or queue or both may
248 be omitted (or equivalently the keyword ALL). If both are omit‐
249 ted, statistics are printed for all queues on all ports. If
250 only queue is omitted, then statistics are printed for all
251 queues on port; if only port is omitted, then statistics are
252 printed for queue on every port where it exists.
253
254 queue-get-config switch [port [queue]]
255 Prints to the console the configuration of queue on port in
256 switch. If port is omitted or ANY, reports queues for all port.
257 If queue is omitted or ANY, reports all queues. For OpenFlow
258 1.3 and earlier, the output always includes all queues, ignoring
259 queue if specified.
260
261 This command has limited usefulness, because ports often have no
262 configured queues and because the OpenFlow protocol provides
263 only very limited information about the configuration of a
264 queue.
265
266 dump-ipfix-bridge switch
267 Prints to the console the statistics of bridge IPFIX for switch.
268 If bridge IPFIX is configured on the switch, IPFIX statistics
269 can be retrieved. Otherwise, error message will be printed.
270
271 This command uses an Open vSwitch extension that is only in Open
272 vSwitch 2.6 and later.
273
274 dump-ipfix-flow switch
275 Prints to the console the statistics of flow-based IPFIX for
276 switch. If flow-based IPFIX is configured on the switch, sta‐
277 tistics of all the collector set ids on the switch will be
278 printed. Otherwise, print error message.
279
280 Refer to ovs-vswitchd.conf.db(5) for more details on configuring
281 flow based IPFIX and collector set ids.
282
283 This command uses an Open vSwitch extension that is only in Open
284 vSwitch 2.6 and later.
285
286 ct-flush-zone switch zone
287 Flushes the connection tracking entries in zone on switch.
288
289 This command uses an Open vSwitch extension that is only in Open
290 vSwitch 2.6 and later.
291
292 OpenFlow Switch Flow Table Commands
293 These commands manage the flow table in an OpenFlow switch. In each
294 case, flow specifies a flow entry in the format described in Flow Syn‐
295 tax, below, file is a text file that contains zero or more flows in the
296 same syntax, one per line, and the optional --bundle option operates
297 the command as a single atomic transation, see option --bundle, below.
298
299 [--bundle] add-flow switch flow
300 [--bundle] add-flow switch - < file
301 [--bundle] add-flows switch file
302 Add each flow entry to switch's tables. Each flow specification
303 (e.g., each line in file) may start with add, modify, delete,
304 modify_strict, or delete_strict keyword to specify whether a
305 flow is to be added, modified, or deleted, and whether the mod‐
306 ify or delete is strict or not. For backwards compatibility a
307 flow specification without one of these keywords is treated as a
308 flow add. All flow mods are executed in the order specified.
309
310 [--bundle] [--strict] mod-flows switch flow
311 [--bundle] [--strict] mod-flows switch - < file
312 Modify the actions in entries from switch's tables that match
313 the specified flows. With --strict, wildcards are not treated
314 as active for matching purposes.
315
316 [--bundle] del-flows switch
317 [--bundle] [--strict] del-flows switch [flow]
318 [--bundle] [--strict] del-flows switch - < file
319 Deletes entries from switch's flow table. With only a switch
320 argument, deletes all flows. Otherwise, deletes flow entries
321 that match the specified flows. With --strict, wildcards are
322 not treated as active for matching purposes.
323
324 [--bundle] [--readd] replace-flows switch file
325 Reads flow entries from file (or stdin if file is -) and queries
326 the flow table from switch. Then it fixes up any differences,
327 adding flows from flow that are missing on switch, deleting
328 flows from switch that are not in file, and updating flows in
329 switch whose actions, cookie, or timeouts differ in file.
330
331 With --readd, ovs-ofctl adds all the flows from file, even those
332 that exist with the same actions, cookie, and timeout in switch.
333 In OpenFlow 1.0 and 1.1, re-adding a flow always resets the
334 flow's packet and byte counters to 0, and in OpenFlow 1.2 and
335 later, it does so only if the reset_counts flag is set.
336
337 diff-flows source1 source2
338 Reads flow entries from source1 and source2 and prints the dif‐
339 ferences. A flow that is in source1 but not in source2 is
340 printed preceded by a -, and a flow that is in source2 but not
341 in source1 is printed preceded by a +. If a flow exists in both
342 source1 and source2 with different actions, cookie, or timeouts,
343 then both versions are printed preceded by - and +, respec‐
344 tively.
345
346 source1 and source2 may each name a file or a switch. If a name
347 begins with / or ., then it is considered to be a file name. A
348 name that contains : is considered to be a switch. Otherwise,
349 it is a file if a file by that name exists, a switch if not.
350
351 For this command, an exit status of 0 means that no differences
352 were found, 1 means that an error occurred, and 2 means that
353 some differences were found.
354
355 packet-out switch packet-out
356 Connects to switch and instructs it to execute the packet-out
357 OpenFlow message, specified as defined in Packet-Out Syntax sec‐
358 tion.
359
360 Group Table Commands
361 These commands manage the group table in an OpenFlow switch. In each
362 case, group specifies a group entry in the format described in Group
363 Syntax, below, and file is a text file that contains zero or more
364 groups in the same syntax, one per line, and the optional --bundle
365 option operates the command as a single atomic transation, see option
366 --bundle, below.
367
368 The group commands work only with switches that support OpenFlow 1.1 or
369 later or the Open vSwitch group extensions to OpenFlow 1.0 (added in
370 Open vSwitch 2.9.90). For OpenFlow 1.1 or later, it is necessary to
371 explicitly enable these protocol versions in ovs-ofctl (using -O). For
372 more information, see ``Q: What versions of OpenFlow does Open vSwitch
373 support?'' in the Open vSwitch FAQ.
374
375 [--bundle] add-group switch group
376 [--bundle] add-group switch - < file
377 [--bundle] add-groups switch file
378 Add each group entry to switch's tables. Each group specifica‐
379 tion (e.g., each line in file) may start with add, modify,
380 add_or_mod, delete, insert_bucket, or remove_bucket keyword to
381 specify whether a flow is to be added, modified, or deleted, or
382 whether a group bucket is to be added or removed. For backwards
383 compatibility a group specification without one of these key‐
384 words is treated as a group add. All group mods are executed in
385 the order specified.
386
387 [--bundle] [--may-create] mod-group switch group
388 [--bundle] [--may-create] mod-group switch - < file
389 Modify the action buckets in entries from switch's tables for
390 each group entry. If a specified group does not already exist,
391 then without --may-create, this command has no effect; with
392 --may-create, it creates a new group. The --may-create option
393 uses an Open vSwitch extension to OpenFlow only implemented in
394 Open vSwitch 2.6 and later.
395
396 [--bundle] del-groups switch
397 [--bundle] del-groups switch [group]
398 [--bundle] del-groups switch - < file
399 Deletes entries from switch's group table. With only a switch
400 argument, deletes all groups. Otherwise, deletes the group for
401 each group entry.
402
403 [--bundle] insert-buckets switch group
404 [--bundle] insert-buckets switch - < file
405 Add buckets to an existing group present in the switch's group
406 table. If no command_bucket_id is present in the group specifi‐
407 cation then all buckets of the group are removed.
408
409 [--bundle] remove-buckets switch group
410 [--bundle] remove-buckets switch - < file
411 Remove buckets to an existing group present in the switch's
412 group table. If no command_bucket_id is present in the group
413 specification then all buckets of the group are removed.
414
415 dump-groups switch [group]
416 Prints group entries in switch's tables to console. To dump
417 only a specific group, specify its number as group. Otherwise,
418 if group is omitted, or if it is specified as ALL, then all
419 groups are printed.
420
421 Only OpenFlow 1.5 and later support dumping a specific group.
422 Earlier versions of OpenFlow always dump all groups.
423
424 dump-group-features switch
425 Prints to the console the group features of the switch.
426
427 dump-group-stats switch [group]
428 Prints to the console statistics for the specified group in
429 switch's tables. If group is omitted then statistics for all
430 groups are printed.
431
432 OpenFlow 1.3+ Switch Meter Table Commands
433 These commands manage the meter table in an OpenFlow switch. In each
434 case, meter specifies a meter entry in the format described in Meter
435 Syntax, below.
436
437 OpenFlow 1.3 introduced support for meters, so these commands only work
438 with switches that support OpenFlow 1.3 or later. It is necessary to
439 explicitly enable these protocol versions in ovs-ofctl (using -O) and
440 in the switch itself (with the protocols column in the Bridge table).
441 For more information, see ``Q: What versions of OpenFlow does Open
442 vSwitch support?'' in the Open vSwitch FAQ.
443
444 add-meter switch meter
445 Add a meter entry to switch's tables. The meter syntax is
446 described in section Meter Syntax, below.
447
448 mod-meter switch meter
449 Modify an existing meter.
450
451 del-meters switch [meter]
452 Delete entries from switch's meter table. To delete only a spe‐
453 cific meter, specify its number as meter. Otherwise, if meter
454 is omitted, or if it is specified as all, then all meters are
455 deleted.
456
457 dump-meters switch [meter]
458 Print entries from switch's meter table. To print only a spe‐
459 cific meter, specify its number as meter. Otherwise, if meter
460 is omitted, or if it is specified as all, then all meters are
461 printed.
462
463 meter-stats switch [meter]
464 Print meter statistics. meter can specify a single meter with
465 syntax meter=id, or all meters with syntax meter=all.
466
467 meter-features switch
468 Print meter features.
469
470 OpenFlow Switch Bundle Command
471 Transactional updates to both flow and group tables can be made with
472 the bundle command. file is a text file that contains zero or more
473 flow mods, group mods, or packet-outs in Flow Syntax, Group Syntax, or
474 Packet-Out Syntax, each line preceded by flow, group, or packet-out
475 keyword, correspondingly. The flow keyword may be optionally followed
476 by one of the keywords add, modify, modify_strict, delete, or
477 delete_strict, of which the add is assumed if a bare flow is given.
478 Similarly, the group keyword may be optionally followed by one of the
479 keywords add, modify, add_or_mod, delete, insert_bucket, or
480 remove_bucket, of which the add is assumed if a bare group is given.
481
482 bundle switch file
483 Execute all flow and group mods in file as a single atomic
484 transaction against switch's tables. All bundled mods are exe‐
485 cuted in the order specified.
486
487 OpenFlow Switch Tunnel TLV Table Commands
488 Open vSwitch maintains a mapping table between tunnel option TLVs
489 (defined by <class, type, length>) and NXM fields tun_metadatan, where
490 n ranges from 0 to 63, that can be operated on for the purposes of
491 matches, actions, etc. This TLV table can be used for Geneve option
492 TLVs or other protocols with options in same TLV format as Geneve
493 options. This mapping must be explicitly specified by the user through
494 the following commands.
495
496 A TLV mapping is specified with the syntax
497 {class=class,type=type,len=length}->tun_metadatan. When an option map‐
498 ping exists for a given tun_metadatan, matching on the defined field
499 becomes possible, e.g.:
500
501 ovs-ofctl add-tlv-map br0
502 "{class=0xffff,type=0,len=4}->tun_metadata0"
503
504 ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
505
506 A mapping should not be changed while it is in active use by a flow.
507 The result of doing so is undefined.
508
509 These commands are Nicira extensions to OpenFlow and require Open
510 vSwitch 2.5 or later.
511
512
513 add-tlv-map switch option[,option]...
514 Add each option to switch's tables. Duplicate fields are
515 rejected.
516
517 del-tlv-map switch [option[,option]]...
518 Delete each option from switch's table, or all option TLV map‐
519 ping if no option is specified. Fields that aren't mapped are
520 ignored.
521
522 dump-tlv-map switch
523 Show the currently mapped fields in the switch's option table as
524 well as switch capabilities.
525
526 OpenFlow Switch Monitoring Commands
527 snoop switch
528 Connects to switch and prints to the console all OpenFlow mes‐
529 sages received. Unlike other ovs-ofctl commands, if switch is
530 the name of a bridge, then the snoop command connects to a Unix
531 domain socket named /var/run/openvswitch/switch.snoop.
532 ovs-vswitchd listens on such a socket for each bridge and sends
533 to it all of the OpenFlow messages sent to or received from its
534 configured OpenFlow controller. Thus, this command can be used
535 to view OpenFlow protocol activity between a switch and its con‐
536 troller.
537
538 When a switch has more than one controller configured, only the
539 traffic to and from a single controller is output. If none of
540 the controllers is configured as a master or a slave (using a
541 Nicira extension to OpenFlow 1.0 or 1.1, or a standard request
542 in OpenFlow 1.2 or later), then a controller is chosen arbitrar‐
543 ily among them. If there is a master controller, it is chosen;
544 otherwise, if there are any controllers that are not masters or
545 slaves, one is chosen arbitrarily; otherwise, a slave controller
546 is chosen arbitrarily. This choice is made once at connection
547 time and does not change as controllers reconfigure their roles.
548
549 If a switch has no controller configured, or if the configured
550 controller is disconnected, no traffic is sent, so monitoring
551 will not show any traffic.
552
553 monitor switch [miss-len] [invalid_ttl] [watch:[spec...]]
554 Connects to switch and prints to the console all OpenFlow mes‐
555 sages received. Usually, switch should specify the name of a
556 bridge in the ovs-vswitchd database.
557
558 If miss-len is provided, ovs-ofctl sends an OpenFlow ``set con‐
559 figuration'' message at connection setup time that requests
560 miss-len bytes of each packet that misses the flow table. Open
561 vSwitch does not send these and other asynchronous messages to
562 an ovs-ofctl monitor client connection unless a nonzero value is
563 specified on this argument. (Thus, if miss-len is not speci‐
564 fied, very little traffic will ordinarily be printed.)
565
566 If invalid_ttl is passed, ovs-ofctl sends an OpenFlow ``set con‐
567 figuration'' message at connection setup time that requests
568 INVALID_TTL_TO_CONTROLLER, so that ovs-ofctl monitor can receive
569 ``packet-in'' messages when TTL reaches zero on dec_ttl action.
570 Only OpenFlow 1.1 and 1.2 support invalid_ttl; Open vSwitch also
571 implements it for OpenFlow 1.0 as an extension.
572
573 watch:[spec...] causes ovs-ofctl to send a ``monitor request''
574 Nicira extension message to the switch at connection setup time.
575 This message causes the switch to send information about flow
576 table changes as they occur. The following comma-separated spec
577 syntax is available:
578
579 !initial
580 Do not report the switch's initial flow table contents.
581
582 !add Do not report newly added flows.
583
584 !delete
585 Do not report deleted flows.
586
587 !modify
588 Do not report modifications to existing flows.
589
590 !own Abbreviate changes made to the flow table by ovs-ofctl's
591 own connection to the switch. (These could only occur
592 using the ofctl/send command described below under RUN‐
593 TIME MANAGEMENT COMMANDS.)
594
595 !actions
596 Do not report actions as part of flow updates.
597
598 table=table
599 Limits the monitoring to the table with the given table,
600 which may be expressed as a number between 0 and 254 or
601 (unless --no-names is specified) a name. By default, all
602 tables are monitored.
603
604 out_port=port
605 If set, only flows that output to port are monitored.
606 The port may be an OpenFlow port number or keyword (e.g.
607 LOCAL).
608
609 field=value
610 Monitors only flows that have field specified as the
611 given value. Any syntax valid for matching on dump-flows
612 may be used.
613
614 This command may be useful for debugging switch or controller
615 implementations. With watch:, it is particularly useful for
616 observing how a controller updates flow tables.
617
618 OpenFlow Switch and Controller Commands
619 The following commands, like those in the previous section, may be
620 applied to OpenFlow switches, using any of the connection methods
621 described in that section. Unlike those commands, these may also be
622 applied to OpenFlow controllers.
623
624 probe target
625 Sends a single OpenFlow echo-request message to target and waits
626 for the response. With the -t or --timeout option, this command
627 can test whether an OpenFlow switch or controller is up and run‐
628 ning.
629
630 ping target [n]
631 Sends a series of 10 echo request packets to target and times
632 each reply. The echo request packets consist of an OpenFlow
633 header plus n bytes (default: 64) of randomly generated payload.
634 This measures the latency of individual requests.
635
636 benchmark target n count
637 Sends count echo request packets that each consist of an Open‐
638 Flow header plus n bytes of payload and waits for each response.
639 Reports the total time required. This is a measure of the maxi‐
640 mum bandwidth to target for round-trips of n-byte messages.
641
642 Other Commands
643 ofp-parse file
644 Reads file (or stdin if file is -) as a series of OpenFlow mes‐
645 sages in the binary format used on an OpenFlow connection, and
646 prints them to the console. This can be useful for printing
647 OpenFlow messages captured from a TCP stream.
648
649 ofp-parse-pcap file [port...]
650 Reads file, which must be in the PCAP format used by network
651 capture tools such as tcpdump or wireshark, extracts all the TCP
652 streams for OpenFlow connections, and prints the OpenFlow mes‐
653 sages in those connections in human-readable format on stdout.
654
655 OpenFlow connections are distinguished by TCP port number. Non-
656 OpenFlow packets are ignored. By default, data on TCP ports
657 6633 and 6653 are considered to be OpenFlow. Specify one or
658 more port arguments to override the default.
659
660 This command cannot usefully print SSL encrypted traffic. It
661 does not understand IPv6.
662
663 Flow Syntax
664 Some ovs-ofctl commands accept an argument that describes a flow or
665 flows. Such flow descriptions comprise a series of field=value assign‐
666 ments, separated by commas or white space. (Embedding spaces into a
667 flow description normally requires quoting to prevent the shell from
668 breaking the description into multiple arguments.)
669
670 Flow descriptions should be in normal form. This means that a flow may
671 only specify a value for an L3 field if it also specifies a particular
672 L2 protocol, and that a flow may only specify an L4 field if it also
673 specifies particular L2 and L3 protocol types. For example, if the L2
674 protocol type dl_type is wildcarded, then L3 fields nw_src, nw_dst, and
675 nw_proto must also be wildcarded. Similarly, if dl_type or nw_proto
676 (the L3 protocol type) is wildcarded, so must be the L4 fields tcp_dst
677 and tcp_src. ovs-ofctl will warn about flows not in normal form.
678
679 ovs-fields(7) describes the supported fields and how to match them. In
680 addition to match fields, commands that operate on flows accept a few
681 additional key-value pairs:
682
683 table=table
684 For flow dump commands, limits the flows dumped to those in ta‐
685 ble, which may be expressed as a number between 0 and 255 or
686 (unless --no-names is specified) a name. If not specified (or
687 if 255 is specified as table), then flows in all tables are
688 dumped.
689
690 For flow table modification commands, behavior varies based on
691 the OpenFlow version used to connect to the switch:
692
693 OpenFlow 1.0
694 OpenFlow 1.0 does not support table for modifying flows.
695 ovs-ofctl will exit with an error if table (other than
696 table=255) is specified for a switch that only supports
697 OpenFlow 1.0.
698
699 In OpenFlow 1.0, the switch chooses the table into which
700 to insert a new flow. The Open vSwitch software switch
701 always chooses table 0. Other Open vSwitch datapaths and
702 other OpenFlow implementations may choose different
703 tables.
704
705 The OpenFlow 1.0 behavior in Open vSwitch for modifying
706 or removing flows depends on whether --strict is used.
707 Without --strict, the command applies to matching flows
708 in all tables. With --strict, the command will operate
709 on any single matching flow in any table; it will do
710 nothing if there are matches in more than one table.
711 (The distinction between these behaviors only matters if
712 non-OpenFlow 1.0 commands were also used, because Open‐
713 Flow 1.0 alone cannot add flows with the same matching
714 criteria to multiple tables.)
715
716 OpenFlow 1.0 with table_id extension
717 Open vSwitch implements an OpenFlow extension that allows
718 the controller to specify the table on which to operate.
719 ovs-ofctl automatically enables the extension when table
720 is specified and OpenFlow 1.0 is used. ovs-ofctl auto‐
721 matically detects whether the switch supports the exten‐
722 sion. As of this writing, this extension is only known
723 to be implemented by Open vSwitch.
724
725 With this extension, ovs-ofctl operates on the requested
726 table when table is specified, and acts as described for
727 OpenFlow 1.0 above when no table is specified (or for ta‐
728 ble=255).
729
730 OpenFlow 1.1
731 OpenFlow 1.1 requires flow table modification commands to
732 specify a table. When table is not specified (or ta‐
733 ble=255 is specified), ovs-ofctl defaults to table 0.
734
735 OpenFlow 1.2 and later
736 OpenFlow 1.2 and later allow flow deletion commands, but
737 not other flow table modification commands, to operate on
738 all flow tables, with the behavior described above for
739 OpenFlow 1.0.
740
741 duration=...
742 n_packet=...
743 n_bytes=...
744 ovs-ofctl ignores assignments to these ``fields'' to allow out‐
745 put from the dump-flows command to be used as input for other
746 commands that parse flows.
747
748 The add-flow, add-flows, and mod-flows commands require an additional
749 field, which must be the final field specified:
750
751 actions=[action][,action...]
752 Specifies a comma-separated list of actions to take on a packet
753 when the flow entry matches. If no action is specified, then
754 packets matching the flow are dropped. The following forms of
755 action are supported:
756
757 port
758 output:port
759 Outputs the packet to OpenFlow port number port. If port
760 is the packet's input port, the packet is not output.
761
762 output:src[start..end]
763 Outputs the packet to the OpenFlow port number read from
764 src, which may be an NXM field name, as described above,
765 or a match field name. output:reg0[16..31] outputs to
766 the OpenFlow port number written in the upper half of
767 register 0. If the port number is the packet's input
768 port, the packet is not output.
769
770 This form of output was added in Open vSwitch 1.3.0.
771 This form of output uses an OpenFlow extension that is
772 not supported by standard OpenFlow switches.
773
774 output(port=port,max_len=nbytes)
775 Outputs the packet to the OpenFlow port number read from
776 port, with maximum packet size set to nbytes. port may
777 be OpenFlow port number, local, or in_port. Patch port
778 is not supported. Packets larger than nbytes will be
779 trimmed to nbytes while packets smaller than nbytes
780 remains the original size.
781
782 group:group_id
783 Outputs the packet to the OpenFlow group group_id. Open‐
784 Flow 1.1 introduced support for groups; Open vSwitch 2.6
785 and later also supports output to groups as an extension
786 to OpenFlow 1.0. See Group Syntax for more details.
787
788 normal Subjects the packet to the device's normal L2/L3 process‐
789 ing. (This action is not implemented by all OpenFlow
790 switches.)
791
792 flood Outputs the packet on all switch physical ports other
793 than the port on which it was received and any ports on
794 which flooding is disabled (typically, these would be
795 ports disabled by the IEEE 802.1D spanning tree proto‐
796 col).
797
798 all Outputs the packet on all switch physical ports other
799 than the port on which it was received.
800
801 local Outputs the packet on the ``local port,'' which corre‐
802 sponds to the network device that has the same name as
803 the bridge.
804
805 in_port
806 Outputs the packet on the port from which it was
807 received.
808
809 controller(key=value...)
810 Sends the packet and its metadata to the OpenFlow con‐
811 troller as a ``packet in'' message. The supported key-
812 value pairs are:
813
814 max_len=nbytes
815 Limit to nbytes the number of bytes of the packet
816 to send to the controller. By default the entire
817 packet is sent.
818
819 reason=reason
820 Specify reason as the reason for sending the mes‐
821 sage in the ``packet in'' message. The supported
822 reasons are action (the default), no_match, and
823 invalid_ttl.
824
825 id=controller-id
826 Specify controller-id, a 16-bit integer, as the
827 connection ID of the OpenFlow controller or con‐
828 trollers to which the ``packet in'' message should
829 be sent. The default is zero. Zero is also the
830 default connection ID for each controller connec‐
831 tion, and a given controller connection will only
832 have a nonzero connection ID if its controller
833 uses the NXT_SET_CONTROLLER_ID Nicira extension to
834 OpenFlow.
835
836 userdata=hh...
837 Supplies the bytes represented as hex digits hh as
838 additional data to the controller in the packet-in
839 message. Pairs of hex digits may be separated by
840 periods for readability.
841
842 pause Causes the switch to freeze the packet's trip
843 through Open vSwitch flow tables and serializes
844 that state into the packet-in message as a ``con‐
845 tinuation,'' an additional property in the
846 NXT_PACKET_IN2 message. The controller can later
847 send the continuation back to the switch in an
848 NXT_RESUME message, which will restart the
849 packet's traversal from the point where it was
850 interrupted. This permits an OpenFlow controller
851 to interpose on a packet midway through processing
852 in Open vSwitch.
853
854 meter_id=id
855 Use meter id to rate-limit the OpenFlow packet-in
856 messages that this action sends to the controller.
857 By default, packets sent to the controller are
858 associated with the "controller" virtual meter, if
859 one was configured.
860
861 If any reason other than action or any nonzero con‐
862 troller-id is supplied, Open vSwitch extension NXAST_CON‐
863 TROLLER, supported by Open vSwitch 1.6 and later, is
864 used. If userdata is supplied, then NXAST_CONTROLLER2,
865 supported by Open vSwitch 2.6 and later, is used.
866
867 controller
868 controller[:nbytes]
869 Shorthand for controller() or controller(max_len=nbytes),
870 respectively.
871
872 enqueue(port,queue)
873 Enqueues the packet on the specified queue within port
874 port, which must be an OpenFlow port number or keyword
875 (e.g. LOCAL). The number of supported queues depends on
876 the switch; some OpenFlow implementations do not support
877 queuing at all.
878
879 drop Discards the packet, so no further processing or forward‐
880 ing takes place. If a drop action is used, no other
881 actions may be specified.
882
883 mod_vlan_vid:vlan_vid
884 Modifies the VLAN id on a packet. The VLAN tag is added
885 or modified as necessary to match the value specified.
886 If the VLAN tag is added, a priority of zero is used (see
887 the mod_vlan_pcp action to set this).
888
889 mod_vlan_pcp:vlan_pcp
890 Modifies the VLAN priority on a packet. The VLAN tag is
891 added or modified as necessary to match the value speci‐
892 fied. Valid values are between 0 (lowest) and 7 (high‐
893 est). If the VLAN tag is added, a vid of zero is used
894 (see the mod_vlan_vid action to set this).
895
896 strip_vlan
897 Strips the VLAN tag from a packet if it is present.
898
899 push_vlan:ethertype
900 Push a new VLAN tag onto the packet. Ethertype is used
901 as the Ethertype for the tag. Only ethertype 0x8100
902 should be used. (0x88a8 which the spec allows isn't sup‐
903 ported at the moment.) A priority of zero and the tag of
904 zero are used for the new tag.
905
906 push_mpls:ethertype
907 Changes the packet's Ethertype to ethertype, which must
908 be either 0x8847 or 0x8848, and pushes an MPLS LSE.
909
910 If the packet does not already contain any MPLS labels
911 then an initial label stack entry is pushed. The label
912 stack entry's label is 2 if the packet contains IPv6 and
913 0 otherwise, its default traffic control value is the low
914 3 bits of the packet's DSCP value (0 if the packet is not
915 IP), and its TTL is copied from the IP TTL (64 if the
916 packet is not IP).
917
918 If the packet does already contain an MPLS label, pushes
919 a new outermost label as a copy of the existing outermost
920 label.
921
922 A limitation of the implementation is that processing of
923 actions will stop if push_mpls follows another push_mpls
924 unless there is a pop_mpls in between.
925
926 pop_mpls:ethertype
927 Strips the outermost MPLS label stack entry. Currently
928 the implementation restricts ethertype to a non-MPLS
929 Ethertype and thus pop_mpls should only be applied to
930 packets with an MPLS label stack depth of one. A further
931 limitation is that processing of actions will stop if
932 pop_mpls follows another pop_mpls unless there is a
933 push_mpls in between.
934
935 mod_dl_src:mac
936 Sets the source Ethernet address to mac.
937
938 mod_dl_dst:mac
939 Sets the destination Ethernet address to mac.
940
941 mod_nw_src:ip
942 Sets the IPv4 source address to ip.
943
944 mod_nw_dst:ip
945 Sets the IPv4 destination address to ip.
946
947 mod_tp_src:port
948 Sets the TCP or UDP or SCTP source port to port.
949
950 mod_tp_dst:port
951 Sets the TCP or UDP or SCTP destination port to port.
952
953 mod_nw_tos:tos
954 Sets the DSCP bits in the IPv4 ToS/DSCP or IPv6 traffic
955 class field to tos, which must be a multiple of 4 between
956 0 and 255. This action does not modify the two least
957 significant bits of the ToS field (the ECN bits).
958
959 mod_nw_ecn:ecn
960 Sets the ECN bits in the IPv4 ToS or IPv6 traffic class
961 field to ecn, which must be a value between 0 and 3,
962 inclusive. This action does not modify the six most sig‐
963 nificant bits of the field (the DSCP bits).
964
965 Requires OpenFlow 1.1 or later.
966
967 mod_nw_ttl:ttl
968 Sets the IPv4 TTL or IPv6 hop limit field to ttl, which
969 is specified as a decimal number between 0 and 255,
970 inclusive. Switch behavior when setting ttl to zero is
971 not well specified, though.
972
973 Requires OpenFlow 1.1 or later.
974
975 The following actions are Nicira vendor extensions that, as of
976 this writing, are only known to be implemented by Open vSwitch:
977
978 resubmit:port
979 resubmit([port],[table])
980 resubmit([port],[table],ct)
981 Re-searches this OpenFlow flow table (or table table, if
982 specified) with the in_port field replaced by port (if
983 port is specified) and the packet 5-tuple fields swapped
984 with the corresponding conntrack original direction tuple
985 fields (if ct is specified, see ct_nw_src above), and
986 executes the actions found, if any, in addition to any
987 other actions in this flow entry. The in_port and
988 swapped 5-tuple fields are restored immediately after the
989 search, before any actions are executed.
990
991 The table may be expressed as a number between 0 and 254
992 or (unless --no-names is specified) a name.
993
994 The ct option requires a valid connection tracking state
995 as a match prerequisite in the flow where this action is
996 placed. Examples of valid connection tracking state
997 matches include ct_state=+new, ct_state=+est,
998 ct_state=+rel, and ct_state=+trk-inv.
999
1000 Recursive resubmit actions are obeyed up to implementa‐
1001 tion-defined limits:
1002
1003 · Open vSwitch 1.0.1 and earlier did not support
1004 recursion.
1005
1006 · Open vSwitch 1.0.2 and 1.0.3 limited recursion to
1007 8 levels.
1008
1009 · Open vSwitch 1.1 and 1.2 limited recursion to 16
1010 levels.
1011
1012 · Open vSwitch 1.2 through 1.8 limited recursion to
1013 32 levels.
1014
1015 · Open vSwitch 1.9 through 2.0 limited recursion to
1016 64 levels.
1017
1018 · Open vSwitch 2.1 through 2.5 limited recursion to
1019 64 levels and impose a total limit of 4,096 resub‐
1020 mits per flow translation (earlier versions did
1021 not impose any total limit).
1022
1023 · Open vSwitch 2.6 and later imposes the same limits
1024 as 2.5, with one exception: resubmit from table x
1025 to any table y > x does not count against the
1026 recursion limit.
1027
1028 Open vSwitch before 1.2.90 did not support table. Open
1029 vSwitch before 2.7 did not support ct.
1030
1031 set_tunnel:id
1032 set_tunnel64:id
1033 If outputting to a port that encapsulates the packet in a
1034 tunnel and supports an identifier (such as GRE), sets the
1035 identifier to id. If the set_tunnel form is used and id
1036 fits in 32 bits, then this uses an action extension that
1037 is supported by Open vSwitch 1.0 and later. Otherwise,
1038 if id is a 64-bit value, it requires Open vSwitch 1.1 or
1039 later.
1040
1041 set_queue:queue
1042 Sets the queue that should be used to queue when packets
1043 are output. The number of supported queues depends on
1044 the switch; some OpenFlow implementations do not support
1045 queuing at all.
1046
1047 pop_queue
1048 Restores the queue to the value it was before any
1049 set_queue actions were applied.
1050
1051 ct
1052 ct([argument][,argument...])
1053 Send the packet through the connection tracker. Refer to
1054 the ct_state documentation above for possible packet and
1055 connection states. A ct action always sets the packet to
1056 an untracked state and clears out the ct_state fields for
1057 the current processing path. Those fields are only
1058 available for the processing path pointed to by the table
1059 argument. The following arguments are supported:
1060
1061 commit
1062 Commit the connection to the connection tracking
1063 module. Information about the connection will be
1064 stored beyond the lifetime of the packet in the
1065 pipeline. Some ct_state flags are only available
1066 for committed connections.
1067
1068 force
1069 A committed connection always has the directional‐
1070 ity of the packet that caused the connection to be
1071 committed in the first place. This is the ``orig‐
1072 inal direction'' of the connection, and the oppo‐
1073 site direction is the ``reply direction''. If a
1074 connection is already committed, but it is in the
1075 wrong direction, force flag may be used in addi‐
1076 tion to commit flag to effectively terminate the
1077 existing connection and start a new one in the
1078 current direction. This flag has no effect if the
1079 original direction of the connection is already
1080 the same as that of the current packet.
1081
1082 table=table
1083 Fork pipeline processing in two. The original
1084 instance of the packet will continue processing
1085 the current actions list as an untracked packet.
1086 An additional instance of the packet will be sent
1087 to the connection tracker, which will be re-
1088 injected into the OpenFlow pipeline to resume pro‐
1089 cessing in table number (which may be specified as
1090 a number between 0 and 254 or, unless --no-names
1091 is specified, a name), with the ct_state and other
1092 ct match fields set. If table is not specified,
1093 then the packet which is submitted to the connec‐
1094 tion tracker is not re-injected into the OpenFlow
1095 pipeline. It is strongly recommended to specify a
1096 table later than the current table to prevent
1097 loops.
1098
1099 zone=value
1100 zone=src[start..end]
1101 A 16-bit context id that can be used to isolate
1102 connections into separate domains, allowing over‐
1103 lapping network addresses in different zones. If a
1104 zone is not provided, then the default is to use
1105 zone zero. The zone may be specified either as an
1106 immediate 16-bit value, or may be provided from an
1107 NXM field src. The start and end pair are inclu‐
1108 sive, and must specify a 16-bit range within the
1109 field. This value is copied to the ct_zone match
1110 field for packets which are re-injected into the
1111 pipeline using the table option.
1112
1113 exec([action][,action...])
1114 Perform actions within the context of connection
1115 tracking. This is a restricted set of actions
1116 which are in the same format as their specifica‐
1117 tions as part of a flow. Only actions which modify
1118 the ct_mark or ct_label fields are accepted within
1119 the exec action, and these fields may only be mod‐
1120 ified with this option. For example:
1121
1122 set_field:value[/mask]->ct_mark
1123 Store a 32-bit metadata value with the con‐
1124 nection. Subsequent lookups for packets in
1125 this connection will populate the ct_mark
1126 flow field when the packet is sent to the
1127 connection tracker with the table speci‐
1128 fied.
1129
1130 set_field:value[/mask]->ct_label
1131 Store a 128-bit metadata value with the
1132 connection. Subsequent lookups for packets
1133 in this connection will populate the
1134 ct_label flow field when the packet is sent
1135 to the connection tracker with the table
1136 specified.
1137
1138 The commit parameter must be specified to use
1139 exec(...).
1140
1141 alg=alg
1142 Specify application layer gateway alg to track
1143 specific connection types. If subsequent related
1144 connections are sent through the ct action, then
1145 the rel flag in the ct_state field will be set.
1146 Supported types include:
1147
1148 ftp Look for negotiation of FTP data connec‐
1149 tions. Specify this option for FTP control
1150 connections to detect related data connec‐
1151 tions and populate the rel flag for the
1152 data connections.
1153
1154 tftp Look for negotiation of TFTP data connec‐
1155 tions. Specify this option for TFTP control
1156 connections to detect related data connec‐
1157 tions and populate the rel flag for the
1158 data connections.
1159
1160 The commit parameter must be specified to use
1161 alg=alg.
1162
1163 When committing related connections, the ct_mark
1164 for that connection is inherited from the current
1165 ct_mark stored with the original connection (ie,
1166 the connection created by ct(alg=...)).
1167
1168 Note that with the Linux datapath, global sysctl
1169 options affect the usage of the ct action. In par‐
1170 ticular, if net.netfilter.nf_conntrack_helper is
1171 enabled then application layer gateway helpers may
1172 be executed even if the alg option is not speci‐
1173 fied. This is the default setting until Linux 4.7.
1174 For security reasons, the netfilter team recom‐
1175 mends users to disable this option. See this blog
1176 post for further details: http://www.netfil‐
1177 ter.org/news.html#2012-04-03
1178
1179 nat[((src|dst)=addr1[-addr2][:port1[-port2]][,flags])]
1180 Specify address and port translation for the con‐
1181 nection being tracked. For new connections either
1182 src or dst argument must be provided to set up
1183 either source address/port translation (SNAT) or
1184 destination address/port translation (DNAT),
1185 respectively. Setting up address translation for
1186 a new connection takes effect only if the commit
1187 flag is also provided for the enclosing ct action.
1188 A bare nat action will only translate the packet
1189 being processed in the way the connection has been
1190 set up with an earlier ct action. Also a nat
1191 action with src or dst, when applied to a packet
1192 belonging to an established (rather than new) con‐
1193 nection, will behave the same as a bare nat.
1194
1195 src and dst options take the following arguments:
1196
1197 addr1[-addr2]
1198 The address range from which the translated
1199 address should be selected. If only one
1200 address is given, then that address will
1201 always be selected, otherwise the address
1202 selection can be informed by the optional
1203 persistent flag as described below. Either
1204 IPv4 or IPv6 addresses can be provided, but
1205 both addresses must be of the same type,
1206 and the datapath behavior is undefined in
1207 case of providing IPv4 address range for an
1208 IPv6 packet, or IPv6 address range for an
1209 IPv4 packet. IPv6 addresses must be brack‐
1210 eted with '[' and ']' if a port range is
1211 also given.
1212
1213 port1[-port2]
1214 The port range from which the translated
1215 port should be selected. If only one port
1216 number is provided, then that should be
1217 selected. In case of a mapping conflict
1218 the datapath may choose any other non-con‐
1219 flicting port number instead, even when no
1220 port range is specified. The port number
1221 selection can be informed by the optional
1222 random and hash flags as described below.
1223
1224 The optional flags are:
1225
1226 random The selection of the port from the given
1227 range should be done using a fresh random
1228 number. This flag is mutually exclusive
1229 with hash.
1230
1231 hash The selection of the port from the given
1232 range should be done using a datapath spe‐
1233 cific hash of the packet's IP addresses and
1234 the other, non-mapped port number. This
1235 flag is mutually exclusive with random.
1236
1237 persistent
1238 The selection of the IP address from the
1239 given range should be done so that the same
1240 mapping can be provided after the system
1241 restarts.
1242
1243 If an alg is specified for the committing ct
1244 action that also includes nat with a src or dst
1245 attribute, then the datapath tries to set up the
1246 helper to be NAT aware. This functionality is
1247 datapath specific and may not be supported by all
1248 datapaths.
1249
1250 nat was introduced in Open vSwitch 2.6. The first
1251 datapath that implements ct nat support is the one
1252 that ships with Linux 4.6.
1253
1254 The ct action may be used as a primitive to construct
1255 stateful firewalls by selectively committing some traf‐
1256 fic, then matching the ct_state to allow established con‐
1257 nections while denying new connections. The following
1258 flows provide an example of how to implement a simple
1259 firewall that allows new connections from port 1 to port
1260 2, and only allows established connections to send traf‐
1261 fic from port 2 to port 1:
1262 table=0,priority=1,action=drop
1263 table=0,priority=10,arp,action=normal
1264 table=0,priority=100,ip,ct_state=-trk,action=ct(ta‐
1265 ble=1)
1266 table=1,in_port=1,ip,ct_state=+trk+new,action=ct(com‐
1267 mit),2
1268 table=1,in_port=1,ip,ct_state=+trk+est,action=2
1269 table=1,in_port=2,ip,ct_state=+trk+new,action=drop
1270 table=1,in_port=2,ip,ct_state=+trk+est,action=1
1271
1272 If ct is executed on IP (or IPv6) fragments, then the
1273 message is implicitly reassembled before sending to the
1274 connection tracker and refragmented upon output, to the
1275 original maximum received fragment size. Reassembly
1276 occurs within the context of the zone, meaning that IP
1277 fragments in different zones are not assembled together.
1278 Pipeline processing for the initial fragments is halted;
1279 When the final fragment is received, the message is
1280 assembled and pipeline processing will continue for that
1281 flow. Because packet ordering is not guaranteed by IP
1282 protocols, it is not possible to determine which IP frag‐
1283 ment will cause message reassembly (and therefore con‐
1284 tinue pipeline processing). As such, it is strongly rec‐
1285 ommended that multiple flows should not execute ct to
1286 reassemble fragments from the same IP message.
1287
1288 The ct action was introduced in Open vSwitch 2.5.
1289
1290 ct_clear
1291 Clears connection tracking state from the flow, zeroing
1292 ct_state, ct_zone, ct_mark, and ct_label.
1293
1294 This action was introduced in Open vSwitch 2.6.90.
1295
1296 dec_ttl
1297 dec_ttl(id1[,id2]...)
1298 Decrement TTL of IPv4 packet or hop limit of IPv6 packet.
1299 If the TTL or hop limit is initially zero or decrementing
1300 would make it so, no decrement occurs, as packets reach‐
1301 ing TTL zero must be rejected. Instead, a ``packet-in''
1302 message with reason code OFPR_INVALID_TTL is sent to each
1303 connected controller that has enabled receiving them, if
1304 any. Processing the current set of actions then stops.
1305 However, if the current set of actions was reached
1306 through ``resubmit'' then remaining actions in outer lev‐
1307 els resume processing.
1308
1309 This action also optionally supports the ability to spec‐
1310 ify a list of valid controller ids. Each of the con‐
1311 trollers in the list will receive the ``packet_in'' mes‐
1312 sage only if they have registered to receive the invalid
1313 ttl packets. If controller ids are not specified, the
1314 ``packet_in'' message will be sent only to the con‐
1315 trollers having controller id zero which have registered
1316 for the invalid ttl packets.
1317
1318 set_mpls_label:label
1319 Set the label of the outer MPLS label stack entry of a
1320 packet. label should be a 20-bit value that is decimal
1321 by default; use a 0x prefix to specify them in hexadeci‐
1322 mal.
1323
1324 set_mpls_tc:tc
1325 Set the traffic-class of the outer MPLS label stack entry
1326 of a packet. tc should be a in the range 0 to 7 inclu‐
1327 sive.
1328
1329 set_mpls_ttl:ttl
1330 Set the TTL of the outer MPLS label stack entry of a
1331 packet. ttl should be in the range 0 to 255 inclusive.
1332
1333 dec_mpls_ttl
1334 Decrement TTL of the outer MPLS label stack entry of a
1335 packet. If the TTL is initially zero or decrementing
1336 would make it so, no decrement occurs. Instead, a
1337 ``packet-in'' message with reason code OFPR_INVALID_TTL
1338 is sent to the main controller (id zero), if it has
1339 enabled receiving them. Processing the current set of
1340 actions then stops. However, if the current set of
1341 actions was reached through ``resubmit'' then remaining
1342 actions in outer levels resume processing.
1343
1344 dec_nsh_ttl
1345 Decrement TTL of the outer NSH header of a packet. If
1346 the TTL is initially zero or decrementing would make it
1347 so, no decrement occurs. Instead, a ``packet-in'' mes‐
1348 sage with reason code OFPR_INVALID_TTL is sent to the
1349 main controller (id zero), if it has enabled receiving
1350 them. Processing the current set of actions then stops.
1351 However, if the current set of actions was reached
1352 through ``resubmit'' then remaining actions in outer lev‐
1353 els resume processing.
1354
1355 note:[hh]...
1356 Does nothing at all. Any number of bytes represented as
1357 hex digits hh may be included. Pairs of hex digits may
1358 be separated by periods for readability. The note
1359 action's format doesn't include an exact length for its
1360 payload, so the provided bytes will be padded on the
1361 right by enough bytes with value 0 to make the total num‐
1362 ber 6 more than a multiple of 8.
1363
1364 move:src[start..end]->dst[start..end]
1365 Copies the named bits from field src to field dst. src
1366 and dst may be NXM field names as defined in
1367 nicira-ext.h, e.g. NXM_OF_UDP_SRC or NXM_NX_REG0, or a
1368 match field name, e.g. reg0. Each start and end pair,
1369 which are inclusive, must specify the same number of bits
1370 and must fit within its respective field. Shorthands for
1371 [start..end] exist: use [bit] to specify a single bit or
1372 [] to specify an entire field (in the latter case the
1373 brackets can also be left off).
1374
1375 Examples: move:NXM_NX_REG0[0..5]->NXM_NX_REG1[26..31]
1376 copies the six bits numbered 0 through 5, inclusive, in
1377 register 0 into bits 26 through 31, inclusive;
1378 move:reg0[0..15]->vlan_tci copies the least significant
1379 16 bits of register 0 into the VLAN TCI field.
1380
1381 In OpenFlow 1.0 through 1.4, move ordinarily uses an Open
1382 vSwitch extension to OpenFlow. In OpenFlow 1.5, move
1383 uses the OpenFlow 1.5 standard copy_field action. The
1384 ONF has also made copy_field available as an extension to
1385 OpenFlow 1.3. Open vSwitch 2.4 and later understands
1386 this extension and uses it if a controller uses it, but
1387 for backward compatibility with older versions of Open
1388 vSwitch, ovs-ofctl does not use it.
1389
1390 set_field:value[/mask]->dst
1391 load:value->dst[start..end]
1392 Loads a literal value into a field or part of a field.
1393 With set_field, value and the optional mask are given in
1394 the customary syntax for field dst, which is expressed as
1395 a field name. For example,
1396 set_field:00:11:22:33:44:55->eth_src sets the Ethernet
1397 source address to 00:11:22:33:44:55. With load, value
1398 must be an integer value (in decimal or prefixed by 0x
1399 for hexadecimal) and dst can also be the NXM or OXM name
1400 for the field. For example,
1401 load:0x001122334455->OXM_OF_ETH_SRC[] has the same effect
1402 as the prior set_field example.
1403
1404 The two forms exist for historical reasons. Open vSwitch
1405 1.1 introduced NXAST_REG_LOAD as a Nicira extension to
1406 OpenFlow 1.0 and used load to express it. Later, Open‐
1407 Flow 1.2 introduced a standard OFPAT_SET_FIELD action
1408 that was restricted to loading entire fields, so Open
1409 vSwitch added the form set_field with this restriction.
1410 OpenFlow 1.5 extended OFPAT_SET_FIELD to the point that
1411 it became a superset of NXAST_REG_LOAD. Open vSwitch
1412 translates either syntax as necessary for the OpenFlow
1413 version in use: in OpenFlow 1.0 and 1.1, NXAST_REG_LOAD;
1414 in OpenFlow 1.2, 1.3, and 1.4, NXAST_REG_LOAD for load or
1415 for loading a subfield, OFPAT_SET_FIELD otherwise; and
1416 OpenFlow 1.5 and later, OFPAT_SET_FIELD.
1417
1418 push:src[start..end]
1419 pop:dst[start..end]
1420 These Open vSwitch extension actions act on bits start to
1421 end, inclusive, in the named field, pushing or popping
1422 the bits on a general-purpose stack of fields or sub‐
1423 fields. Controllers can use this stack for saving and
1424 restoring data or metadata around resubmit actions, for
1425 swapping or rearranging data and metadata, or for other
1426 purposes. Any data or metadata field, or part of one,
1427 may be pushed, and any modifiable field or subfield may
1428 be popped.
1429
1430 The number of bits pushed in a stack entry do not have to
1431 match the number of bits later popped from that entry.
1432 If more bits are popped from an entry than were pushed,
1433 then the entry is conceptually left-padded with 0-bits as
1434 needed. If fewer bits are popped than pushed, then bits
1435 are conceptually trimmed from the left side of the entry.
1436
1437 The stack's size is intended to have a large enough limit
1438 that ``normal'' use will not pose problems. Stack over‐
1439 flow or underflow is an error that causes action execu‐
1440 tion to stop.
1441
1442 Example: push:NXM_NX_REG2[0..5] or push:reg2[0..5] push
1443 the value stored in register 2 bits 0 through 5, inclu‐
1444 sive, on the internal stack, and pop:NXM_NX_REG2[0..5] or
1445 pop:reg2[0..5] pops the value from top of the stack and
1446 sets register 2 bits 0 through 5, inclusive, based on
1447 bits 0 through 5 from the value just popped.
1448
1449 multipath(fields, basis, algorithm, n_links, arg,
1450 dst[start..end])
1451 Hashes fields using basis as a universal hash parameter,
1452 then the applies multipath link selection algorithm (with
1453 parameter arg) to choose one of n_links output links num‐
1454 bered 0 through n_links minus 1, and stores the link into
1455 dst[start..end], which must be an NXM field as described
1456 above.
1457
1458 fields must be one of the following:
1459
1460 eth_src
1461 Hashes Ethernet source address only.
1462
1463 symmetric_l4
1464 Hashes Ethernet source, destination, and type,
1465 VLAN ID, IPv4/IPv6 source, destination, and proto‐
1466 col, and TCP or SCTP (but not UDP) ports. The
1467 hash is computed so that pairs of corresponding
1468 flows in each direction hash to the same value, in
1469 environments where L2 paths are the same in each
1470 direction. UDP ports are not included in the hash
1471 to support protocols such as VXLAN that use asym‐
1472 metric ports in each direction.
1473
1474 symmetric_l3l4
1475 Hashes IPv4/IPv6 source, destination, and proto‐
1476 col, and TCP or SCTP (but not UDP) ports. Like
1477 symmetric_l4, this is a symmetric hash, but by
1478 excluding L2 headers it is more effective in envi‐
1479 ronments with asymmetric L2 paths (e.g. paths
1480 involving VRRP IP addresses on a router). Not an
1481 effective hash function for protocols other than
1482 IPv4 and IPv6, which hash to a constant zero.
1483
1484 symmetric_l3l4+udp
1485 Like symmetric_l3l4+udp, but UDP ports are
1486 included in the hash. This is a more effective
1487 hash when asymmetric UDP protocols such as VXLAN
1488 are not a consideration.
1489
1490 nw_src Hashes Network source address only.
1491
1492 nw_dst Hashes Network destination address only.
1493
1494 algorithm must be one of modulo_n, hash_threshold, hrw,
1495 and iter_hash. Only the iter_hash algorithm uses arg.
1496
1497 Refer to nicira-ext.h for more details.
1498
1499 bundle(fields, basis, algorithm, slave_type, slaves:[s1, s2,
1500 ...])
1501 Hashes fields using basis as a universal hash parameter,
1502 then applies the bundle link selection algorithm to
1503 choose one of the listed slaves represented as
1504 slave_type. Currently the only supported slave_type is
1505 ofport. Thus, each s1 through sN should be an OpenFlow
1506 port number. Outputs to the selected slave.
1507
1508 Currently, fields must be either eth_src, symmetric_l4,
1509 symmetric_l3l4, symmetric_l3l4+udp, nw_src, or nw_dst,
1510 and algorithm must be one of hrw and active_backup.
1511
1512 Example: bundle(eth_src,0,hrw,ofport,slaves:4,8) uses an
1513 Ethernet source hash with basis 0, to select between
1514 OpenFlow ports 4 and 8 using the Highest Random Weight
1515 algorithm.
1516
1517 Refer to nicira-ext.h for more details.
1518
1519 bundle_load(fields, basis, algorithm, slave_type,
1520 dst[start..end], slaves:[s1, s2, ...])
1521 Has the same behavior as the bundle action, with one
1522 exception. Instead of outputting to the selected slave,
1523 it writes its selection to dst[start..end], which must be
1524 an NXM field as described above.
1525
1526 Example: bundle_load(eth_src, 0, hrw, ofport,
1527 NXM_NX_REG0[], slaves:4, 8) uses an Ethernet source hash
1528 with basis 0, to select between OpenFlow ports 4 and 8
1529 using the Highest Random Weight algorithm, and writes the
1530 selection to NXM_NX_REG0[]. Also the match field name
1531 can be used, for example, instead of 'NXM_NX_REG0' the
1532 name 'reg0' can be used. When the while field is indi‐
1533 cated the empty brackets can also be left off.
1534
1535 Refer to nicira-ext.h for more details.
1536
1537 learn(argument[,argument]...)
1538 This action adds or modifies a flow in an OpenFlow table,
1539 similar to ovs-ofctl --strict mod-flows. The arguments
1540 specify the flow's match fields, actions, and other prop‐
1541 erties, as follows. At least one match criterion and one
1542 action argument should ordinarily be specified.
1543
1544 idle_timeout=seconds
1545 hard_timeout=seconds
1546 priority=value
1547 cookie=value
1548 send_flow_rem
1549 These arguments have the same meaning as in the
1550 usual ovs-ofctl flow syntax.
1551
1552 fin_idle_timeout=seconds
1553 fin_hard_timeout=seconds
1554 Adds a fin_timeout action with the specified argu‐
1555 ments to the new flow. This feature was added in
1556 Open vSwitch 1.5.90.
1557
1558 table=table
1559 The table in which the new flow should be
1560 inserted. Specify a decimal number between 0 and
1561 254 or (unless --no-names is specified) a name.
1562 The default, if table is unspecified, is table 1.
1563
1564 delete_learned
1565 This flag enables deletion of the learned flows
1566 when the flow with the learn action is removed.
1567 Specifically, when the last learn action with this
1568 flag and particular table and cookie values is
1569 removed, the switch deletes all of the flows in
1570 the specified table with the specified cookie.
1571
1572 This flag was added in Open vSwitch 2.4.
1573
1574 limit=number
1575 If the number of flows in table table with cookie
1576 id cookie exceeds number, a new flow will not be
1577 learned by this action. By default there's no
1578 limit. limit=0 is a long-hand for no limit.
1579
1580 This flag was added in Open vSwitch 2.8.
1581
1582 result_dst=field[bit]
1583 If learning failed (because the number of flows
1584 exceeds limit), the action sets field[bit] to 0,
1585 otherwise it will be set to 1. field[bit] must be
1586 a single bit.
1587
1588 This flag was added in Open vSwitch 2.8.
1589
1590 field=value
1591 field[start..end]=src[start..end]
1592 field[start..end]
1593 Adds a match criterion to the new flow.
1594
1595 The first form specifies that field must match the
1596 literal value, e.g. dl_type=0x0800. All of the
1597 fields and values for ovs-ofctl flow syntax are
1598 available with their usual meanings. Shorthand
1599 notation matchers (e.g. ip in place of
1600 dl_type=0x0800) are not currently implemented.
1601
1602 The second form specifies that field[start..end]
1603 in the new flow must match src[start..end] taken
1604 from the flow currently being processed. For
1605 example, NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[] on a
1606 TCP packet for which the UDP src port is 53, cre‐
1607 ates a flow which matches NXM_OF_UDP_DST[]=53.
1608
1609 The third form is a shorthand for the second form.
1610 It specifies that field[start..end] in the new
1611 flow must match the same field[start..end] taken
1612 from the flow currently being processed. For
1613 example, NXM_OF_TCP_DST[] on a TCP packet for
1614 which the TCP dst port is 80, creates a flow which
1615 matches NXM_OF_TCP_DST[]=80.
1616
1617 load:value->dst[start..end]
1618 load:src[start..end]->dst[start..end]
1619 Adds a load action to the new flow.
1620
1621 The first form loads the literal value into bits
1622 start through end, inclusive, in field dst. Its
1623 syntax is the same as the load action described
1624 earlier in this section.
1625
1626 The second form loads src[start..end], a value
1627 from the flow currently being processed, into bits
1628 start through end, inclusive, in field dst.
1629
1630 output:field[start..end]
1631 Add an output action to the new flow's actions,
1632 that outputs to the OpenFlow port taken from
1633 field[start..end], which must be an NXM field as
1634 described above.
1635
1636 clear_actions
1637 Clears all the actions in the action set immediately.
1638
1639 write_actions([action][,action...])
1640 Add the specific actions to the action set. The syntax
1641 of actions is the same as in the actions= field. The
1642 action set is carried between flow tables and then exe‐
1643 cuted at the end of the pipeline.
1644
1645 The actions in the action set are applied in the follow‐
1646 ing order, as required by the OpenFlow specification,
1647 regardless of the order in which they were added to the
1648 action set. Except as specified otherwise below, the
1649 action set only holds at most a single action of each
1650 type. When more than one action of a single type is
1651 written to the action set, the one written later replaces
1652 the earlier action:
1653
1654 1. strip_vlan
1655 pop_mpls
1656
1657 2. decap
1658
1659 3. encap
1660
1661 4. push_mpls
1662
1663 5. push_vlan
1664
1665 6. dec_ttl
1666 dec_mpls_ttl
1667 dec_nsh_ttl
1668
1669 7. load
1670 move
1671 mod_dl_dst
1672 mod_dl_src
1673 mod_nw_dst
1674 mod_nw_src
1675 mod_nw_tos
1676 mod_nw_ecn
1677 mod_nw_ttl
1678 mod_tp_dst
1679 mod_tp_src
1680 mod_vlan_pcp
1681 mod_vlan_vid
1682 set_field
1683 set_tunnel
1684 set_tunnel64
1685 The action set can contain any number of these
1686 actions, with cumulative effect. They will be
1687 applied in the order as added. That is, when mul‐
1688 tiple actions modify the same part of a field, the
1689 later modification takes effect, and when they
1690 modify different parts of a field (or different
1691 fields), then both modifications are applied.
1692
1693 8. set_queue
1694
1695 9. group
1696 output
1697 resubmit
1698 If more than one of these actions is present, then
1699 the one listed earliest above is executed and the
1700 others are ignored, regardless of the order in
1701 which they were added to the action set. (If none
1702 of these actions is present, the action set has no
1703 real effect, because the modified packet is not
1704 sent anywhere and thus the modifications are not
1705 visible.)
1706
1707 Only the actions listed above may be written to the
1708 action set. encap, decap and dec_nsh_ttl actions are
1709 nonstandard.
1710
1711 write_metadata:value[/mask]
1712 Updates the metadata field for the flow. If mask is omit‐
1713 ted, the metadata field is set exactly to value; if mask
1714 is specified, then a 1-bit in mask indicates that the
1715 corresponding bit in the metadata field will be replaced
1716 with the corresponding bit from value. Both value and
1717 mask are 64-bit values that are decimal by default; use a
1718 0x prefix to specify them in hexadecimal.
1719
1720 meter:meter_id
1721 Apply the meter_id before any other actions. If a meter
1722 band rate is exceeded, the packet may be dropped, or mod‐
1723 ified, depending on the meter band type. See the descrip‐
1724 tion of the Meter Table Commands, above, for more
1725 details.
1726
1727 goto_table:table
1728 Jumps to table as the next table in the process pipeline.
1729 The table may be a number between 0 and 254 or (unless
1730 --no-names is specified) a name.
1731
1732 fin_timeout(argument[,argument])
1733 This action changes the idle timeout or hard timeout, or
1734 both, of this OpenFlow rule when the rule matches a TCP
1735 packet with the FIN or RST flag. When such a packet is
1736 observed, the action reduces the rule's timeouts to those
1737 specified on the action. If the rule's existing timeout
1738 is already shorter than the one that the action speci‐
1739 fies, then that timeout is unaffected.
1740
1741 argument takes the following forms:
1742
1743 idle_timeout=seconds
1744 Causes the flow to expire after the given number
1745 of seconds of inactivity.
1746
1747 hard_timeout=seconds
1748 Causes the flow to expire after the given number
1749 of seconds, regardless of activity. (seconds
1750 specifies time since the flow's creation, not
1751 since the receipt of the FIN or RST.)
1752
1753 This action was added in Open vSwitch 1.5.90.
1754
1755 sample(argument[,argument]...)
1756 Samples packets and sends one sample for every sampled
1757 packet.
1758
1759 argument takes the following forms:
1760
1761 probability=packets
1762 The number of sampled packets out of 65535. Must
1763 be greater or equal to 1.
1764
1765 collector_set_id=id
1766 The unsigned 32-bit integer identifier of the set
1767 of sample collectors to send sampled packets to.
1768 Defaults to 0.
1769
1770 obs_domain_id=id
1771 When sending samples to IPFIX collectors, the
1772 unsigned 32-bit integer Observation Domain ID sent
1773 in every IPFIX flow record. Defaults to 0.
1774
1775 obs_point_id=id
1776 When sending samples to IPFIX collectors, the
1777 unsigned 32-bit integer Observation Point ID sent
1778 in every IPFIX flow record. Defaults to 0.
1779
1780 sampling_port=port
1781 Sample packets on port, which should be the
1782 ingress or egress port. This option, which was
1783 added in Open vSwitch 2.5.90, allows the IPFIX
1784 implementation to export egress tunnel informa‐
1785 tion.
1786
1787 ingress
1788 egress Specifies explicitly that the packet is being sam‐
1789 pled on ingress to or egress from the switch.
1790 IPFIX reports sent by Open vSwitch before version
1791 2.5.90 did not include a direction. From 2.5.90
1792 until 2.6.90, IPFIX reports inferred a direction
1793 from sampling_port: if it was the packet's output
1794 port, then the direction was reported as egress,
1795 otherwise as ingress. Open vSwitch 2.6.90 intro‐
1796 duced these options, which allow the inferred
1797 direction to be overridden. This is particularly
1798 useful when the ingress (or egress) port is not a
1799 tunnel.
1800
1801 Refer to ovs-vswitchd.conf.db(5) for more details on con‐
1802 figuring sample collector sets.
1803
1804 This action was added in Open vSwitch 1.10.90.
1805
1806 exit This action causes Open vSwitch to immediately halt exe‐
1807 cution of further actions. Those actions which have
1808 already been executed are unaffected. Any further
1809 actions, including those which may be in other tables, or
1810 different levels of the resubmit call stack, are ignored.
1811 Actions in the action set is still executed (specify
1812 clear_actions before exit to discard them).
1813
1814 conjunction(id, k/n)
1815 This action allows for sophisticated ``conjunctive
1816 match'' flows. Refer to CONJUNCTIVE MATCH FIELDS in
1817 ovs-fields(7) for details.
1818
1819 The conjunction action and conj_id field were introduced
1820 in Open vSwitch 2.4.
1821
1822 clone([action][,action...])
1823 Executes each nested action, saving much of the packet
1824 and pipeline state beforehand and then restoring it
1825 afterward. The state that is saved and restored includes
1826 all flow data and metadata (including, for example,
1827 ct_state), the stack accessed by push and pop actions,
1828 and the OpenFlow action set.
1829
1830 This action was added in Open vSwitch 2.6.90.
1831
1832 encap(header[(prop=value,tlv(class,type,value),...)])
1833 Encapsulates the packet with a new packet header, e.g.,
1834 ethernet or nsh.
1835
1836 header Used to specify encapsulation header type.
1837
1838 prop=value
1839 Used to specify the initial value for the property
1840 in the encapsulation header.
1841
1842 tlv(class,type,value)
1843 Used to specify the initial value for the TLV
1844 (Type Length Value) in the encapsulation header.
1845
1846 For example, encap(ethernet) will encapsulate the L3
1847 packet with Ethernet header.
1848
1849 encap(nsh(md_type=1)) will encapsulate the packet with
1850 nsh header and nsh metadata type 1.
1851
1852 encap(nsh(md_type=2,tlv(0x1000,10,0x12345678))) will
1853 encapsulate the packet with nsh header and nsh metadata
1854 type 2, and the nsh TLV with class 0x1000 and type 10 is
1855 set to 0x12345678.
1856
1857 prop=value is just used to set some necessary fields for
1858 encapsulation header initialization. Other fields in the
1859 encapsulation header must be set by set_field action. New
1860 encapsulation header implementation must add new match
1861 fields and corresponding set action in order that
1862 set_field action can change the fields in the encapsula‐
1863 tion header on demand.
1864
1865 encap(nsh(md_type=1)),
1866 set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1 is
1867 an example to encapsulate nsh header and set nsh spi and
1868 c1.
1869
1870 This action was added in Open vSwitch 2.8.
1871
1872 decap([packet_type(ns=namespace,type=type)])
1873 Decapsulates the outer packet header.
1874
1875 packet_type(ns=namespace,type=type)
1876 It is optional and used to specify the outer
1877 header type of the decapsulated packet. namespace
1878 is 0 for Ethernet packet, 1 for L3 packet, type is
1879 L3 protocol type, e.g., 0x894f for nsh, 0x0 for
1880 Ethernet.
1881
1882 By default, decap() will decapsulate the outer packet
1883 header according to the packet header type, if
1884 packet_type(ns=namespace,type=type) is given, it will
1885 decapsulate the given packet header, it will fail if the
1886 actual outer packet header type is not of
1887 packet_type(ns=namespace,type=type).
1888
1889 This action was added in Open vSwitch 2.8.
1890
1891 An opaque identifier called a cookie can be used as a handle to iden‐
1892 tify a set of flows:
1893
1894 cookie=value
1895 A cookie can be associated with a flow using the add-flow,
1896 add-flows, and mod-flows commands. value can be any 64-bit num‐
1897 ber and need not be unique among flows. If this field is omit‐
1898 ted, a default cookie value of 0 is used.
1899
1900 cookie=value/mask
1901 When using NXM, the cookie can be used as a handle for querying,
1902 modifying, and deleting flows. value and mask may be supplied
1903 for the del-flows, mod-flows, dump-flows, and dump-aggregate
1904 commands to limit matching cookies. A 1-bit in mask indicates
1905 that the corresponding bit in cookie must match exactly, and a
1906 0-bit wildcards that bit. A mask of -1 may be used to exactly
1907 match a cookie.
1908
1909 The mod-flows command can update the cookies of flows that match
1910 a cookie by specifying the cookie field twice (once with a mask
1911 for matching and once without to indicate the new value):
1912
1913 ovs-ofctl mod-flows br0 cookie=1,actions=normal
1914 Change all flows' cookies to 1 and change their actions
1915 to normal.
1916
1917 ovs-ofctl mod-flows br0 cookie=1/-1,cookie=2,actions=normal
1918 Update cookies with a value of 1 to 2 and change their
1919 actions to normal.
1920
1921 The ability to match on cookies was added in Open vSwitch 1.5.0.
1922
1923 The following additional field sets the priority for flows added by the
1924 add-flow and add-flows commands. For mod-flows and del-flows when
1925 --strict is specified, priority must match along with the rest of the
1926 flow specification. For mod-flows without --strict, priority is only
1927 significant if the command creates a new flow, that is, non-strict
1928 mod-flows does not match on priority and will not change the priority
1929 of existing flows. Other commands do not allow priority to be speci‐
1930 fied.
1931
1932 priority=value
1933 The priority at which a wildcarded entry will match in compari‐
1934 son to others. value is a number between 0 and 65535, inclu‐
1935 sive. A higher value will match before a lower one. An exact-
1936 match entry will always have priority over an entry containing
1937 wildcards, so it has an implicit priority value of 65535. When
1938 adding a flow, if the field is not specified, the flow's prior‐
1939 ity will default to 32768.
1940
1941 OpenFlow leaves behavior undefined when two or more flows with
1942 the same priority can match a single packet. Some users expect
1943 ``sensible'' behavior, such as more specific flows taking prece‐
1944 dence over less specific flows, but OpenFlow does not specify
1945 this and Open vSwitch does not implement it. Users should
1946 therefore take care to use priorities to ensure the behavior
1947 that they expect.
1948
1949 The add-flow, add-flows, and mod-flows commands support the following
1950 additional options. These options affect only new flows. Thus, for
1951 add-flow and add-flows, these options are always significant, but for
1952 mod-flows they are significant only if the command creates a new flow,
1953 that is, their values do not update or affect existing flows.
1954
1955 idle_timeout=seconds
1956 Causes the flow to expire after the given number of seconds of
1957 inactivity. A value of 0 (the default) prevents a flow from
1958 expiring due to inactivity.
1959
1960 hard_timeout=seconds
1961 Causes the flow to expire after the given number of seconds,
1962 regardless of activity. A value of 0 (the default) gives the
1963 flow no hard expiration deadline.
1964
1965 importance=value
1966 Sets the importance of a flow. The flow entry eviction mecha‐
1967 nism can use importance as a factor in deciding which flow to
1968 evict. A value of 0 (the default) makes the flow non-evictable
1969 on the basis of importance. Specify a value between 0 and
1970 65535.
1971
1972 Only OpenFlow 1.4 and later support importance.
1973
1974 send_flow_rem
1975 Marks the flow with a flag that causes the switch to generate a
1976 ``flow removed'' message and send it to interested controllers
1977 when the flow later expires or is removed.
1978
1979 check_overlap
1980 Forces the switch to check that the flow match does not overlap
1981 that of any different flow with the same priority in the same
1982 table. (This check is expensive so it is best to avoid it.)
1983
1984 reset_counts
1985 When this flag is specified on a flow being added to a switch,
1986 and the switch already has a flow with an identical match, an
1987 OpenFlow 1.2 (or later) switch resets the flow's packet and byte
1988 counters to 0. Without the flag, the packet and byte counters
1989 are preserved.
1990
1991 OpenFlow 1.0 and 1.1 switches always reset counters in this sit‐
1992 uation, as if reset_counts were always specified.
1993
1994 Open vSwitch 1.10 added support for reset_counts.
1995
1996 no_packet_counts
1997 no_byte_counts
1998 Adding these flags to a flow advises an OpenFlow 1.3 (or later)
1999 switch that the controller does not need packet or byte coun‐
2000 ters, respectively, for the flow. Some switch implementations
2001 might achieve higher performance or reduce resource consumption
2002 when these flags are used. These flags provide no benefit to
2003 the Open vSwitch software switch implementation.
2004
2005 OpenFlow 1.2 and earlier do not support these flags.
2006
2007 Open vSwitch 1.10 added support for no_packet_counts and
2008 no_byte_counts.
2009
2010 The dump-flows, dump-aggregate, del-flow and del-flows commands support
2011 these additional optional fields:
2012
2013 out_port=port
2014 If set, a matching flow must include an output action to port,
2015 which must be an OpenFlow port number or name (e.g. local).
2016
2017 out_group=port
2018 If set, a matching flow must include an group action naming
2019 group, which must be an OpenFlow group number. This field is
2020 supported in Open vSwitch 2.5 and later and requires OpenFlow
2021 1.1 or later.
2022
2023 Table Entry Output
2024 The dump-tables and dump-aggregate commands print information about the
2025 entries in a datapath's tables. Each line of output is a flow entry as
2026 described in Flow Syntax, above, plus some additional fields:
2027
2028 duration=secs
2029 The time, in seconds, that the entry has been in the table.
2030 secs includes as much precision as the switch provides, possibly
2031 to nanosecond resolution.
2032
2033 n_packets
2034 The number of packets that have matched the entry.
2035
2036 n_bytes
2037 The total number of bytes from packets that have matched the
2038 entry.
2039
2040 The following additional fields are included only if the switch is Open
2041 vSwitch 1.6 or later and the NXM flow format is used to dump the flow
2042 (see the description of the --flow-format option below). The values of
2043 these additional fields are approximations only and in particular
2044 idle_age will sometimes become nonzero even for busy flows.
2045
2046 hard_age=secs
2047 The integer number of seconds since the flow was added or modi‐
2048 fied. hard_age is displayed only if it differs from the integer
2049 part of duration. (This is separate from duration because
2050 mod-flows restarts the hard_timeout timer without zeroing dura‐
2051 tion.)
2052
2053 idle_age=secs
2054 The integer number of seconds that have passed without any pack‐
2055 ets passing through the flow.
2056
2057 Packet-Out Syntax
2058 ovs-ofctl bundle command accepts packet-outs to be specified in the
2059 bundle file. Each packet-out comprises of a series of field=value
2060 assignments, separated by commas or white space. (Embedding spaces
2061 into a packet-out description normally requires quoting to prevent the
2062 shell from breaking the description into multiple arguments.). Unless
2063 noted otherwise only the last instance of each field is honoured. This
2064 same syntax is also supported by the ovs-ofctl packet-out command.
2065
2066 in_port=port
2067 The port number to be considered the in_port when processing
2068 actions. This can be any valid OpenFlow port number, or any of
2069 the LOCAL, CONTROLLER, or NONE. This field is required.
2070
2071
2072 pipeline_field=value
2073 Optionally, user can specify a list of pipeline fields for a
2074 packet-out message. The supported pipeline fields includes tun‐
2075 nel fields and register fields as defined in ovs-fields(7).
2076
2077
2078 packet=hex-string
2079 The actual packet to send, expressed as a string of hexadecimal
2080 bytes. This field is required.
2081
2082
2083 actions=[action][,action...]
2084 The syntax of actions are identical to the actions= field
2085 described in Flow Syntax above. Specifying actions= is
2086 optional, but omitting actions is interpreted as a drop, so the
2087 packet will not be sent anywhere from the switch. actions must
2088 be specified at the end of each line, like for flow mods.
2089
2090 Group Syntax
2091 Some ovs-ofctl commands accept an argument that describes a group or
2092 groups. Such flow descriptions comprise a series field=value assign‐
2093 ments, separated by commas or white space. (Embedding spaces into a
2094 group description normally requires quoting to prevent the shell from
2095 breaking the description into multiple arguments.). Unless noted other‐
2096 wise only the last instance of each field is honoured.
2097
2098 group_id=id
2099 The integer group id of group. When this field is specified in
2100 del-groups or dump-groups, the keyword "all" may be used to des‐
2101 ignate all groups. This field is required.
2102
2103
2104
2105 type=type
2106 The type of the group. The add-group, add-groups and mod-groups
2107 commands require this field. It is prohibited for other com‐
2108 mands. The following keywords designated the allowed types:
2109
2110 all Execute all buckets in the group.
2111
2112 select Execute one bucket in the group, balancing across the
2113 buckets according to their weights. To select a bucket,
2114 for each live bucket, Open vSwitch hashes flow data with
2115 the bucket ID and multiplies by the bucket weight to
2116 obtain a ``score,'' and then selects the bucket with the
2117 highest score. Use selection_method to control the flow
2118 data used for selection.
2119
2120 indirect
2121 Executes the one bucket in the group.
2122
2123 ff
2124 fast_failover
2125 Executes the first live bucket in the group which is
2126 associated with a live port or group.
2127
2128
2129 command_bucket_id=id
2130 The bucket to operate on. The insert-buckets and remove-buckets
2131 commands require this field. It is prohibited for other com‐
2132 mands. id may be an integer or one of the following keywords:
2133
2134 all Operate on all buckets in the group. Only valid when
2135 used with the remove-buckets command in which case the
2136 effect is to remove all buckets from the group.
2137
2138 first Operate on the first bucket present in the group. In the
2139 case of the insert-buckets command the effect is to
2140 insert new bucets just before the first bucket already
2141 present in the group; or to replace the buckets of the
2142 group if there are no buckets already present in the
2143 group. In the case of the remove-buckets command the
2144 effect is to remove the first bucket of the group; or do
2145 nothing if there are no buckets present in the group.
2146
2147 last Operate on the last bucket present in the group. In the
2148 case of the insert-buckets command the effect is to
2149 insert new bucets just after the last bucket already
2150 present in the group; or to replace the buckets of the
2151 group if there are no buckets already present in the
2152 group. In the case of the remove-buckets command the
2153 effect is to remove the last bucket of the group; or do
2154 nothing if there are no buckets present in the group.
2155
2156 If id is an integer then it should correspond to the bucket_id
2157 of a bucket present in the group. In case of the insert-buckets
2158 command the effect is to insert buckets just before the bucket
2159 in the group whose bucket_id is id. In case of the iremove-
2160 buckets command the effect is to remove the in the group whose
2161 bucket_id is id. It is an error if there is no bucket persent
2162 group in whose bucket_id is id.
2163
2164
2165 selection_method=method
2166 The selection method used to select a bucket for a select group.
2167 This is a string of 1 to 15 bytes in length known to lower lay‐
2168 ers. This field is optional for add-group, add-groups and
2169 mod-group commands on groups of type select. Prohibited other‐
2170 wise. If no selection method is specified, Open vSwitch up to
2171 release 2.9 applies the hash method with default fields. From
2172 2.10 onwards Open vSwitch defaults to the dp_hash method with
2173 symmetric L3/L4 hash algorithm, unless the weighted group buck‐
2174 ets cannot be mapped to a maximum of 64 dp_hash values with suf‐
2175 ficient accuracy. In those rare cases Open vSwitch 2.10 and
2176 later fall back to the hash method with the default set of hash
2177 fields.
2178
2179 dp_hash
2180 Use a datapath computed hash value. The hash algorithm
2181 varies accross different datapath implementations.
2182 dp_hash uses the upper 32 bits of the selec‐
2183 tion_method_param as the datapath hash algorithm selec‐
2184 tor. The supported values are 0 (corresponding to hash
2185 computation over the IP 5-tuple) and 1 (corresponding to
2186 a symmetric hash computation over the IP 5-tuple).
2187 Selecting specific fields with the fields option is not
2188 supported with dp_hash). The lower 32 bits are used as
2189 the hash basis.
2190
2191 Using dp_hash has the advantage that it does not require
2192 the generated datapath flows to exact match any addi‐
2193 tional packet header fields. For example, even if multi‐
2194 ple TCP connections thus hashed to different select group
2195 buckets have different source port numbers, generally all
2196 of them would be handled with a small set of already
2197 established datapath flows, resulting in less latency for
2198 TCP SYN packets. The downside is that the shared data‐
2199 path flows must match each packet twice, as the datapath
2200 hash value calculation happens only when needed, and a
2201 second match is required to match some bits of its value.
2202 This double-matching incurs a small additional latency
2203 cost for each packet, but this latency is orders of mag‐
2204 nitude less than the latency of creating new datapath
2205 flows for new TCP connections.
2206
2207 hash Use a hash computed over the fields specified with the
2208 fields option, see below. If no hash fields are speci‐
2209 fied, hash defaults to a symmetric hash over the combina‐
2210 tion of MAC addresses, VLAN tags, Ether type, IP
2211 addresses and L4 port numbers. hash uses the selec‐
2212 tion_method_param as the hash basis.
2213
2214 Note that the hashed fields become exact matched by the
2215 datapath flows. For example, if the TCP source port is
2216 hashed, the created datapath flows will match the spe‐
2217 cific TCP source port value present in the packet
2218 received. Since each TCP connection generally has a dif‐
2219 ferent source port value, a separate datapath flow will
2220 be need to be inserted for each TCP connection thus
2221 hashed to a select group bucket.
2222
2223 This option uses a Netronome OpenFlow extension which is only
2224 supported when using Open vSwitch 2.4 and later with OpenFlow
2225 1.5 and later.
2226
2227
2228 selection_method_param=param
2229 64-bit integer parameter to the selection method selected by the
2230 selection_method field. The parameter's use is defined by the
2231 lower-layer that implements the selection_method. It is
2232 optional if the selection_method field is specified as a non-
2233 empty string. Prohibited otherwise. The default value is zero.
2234
2235 This option uses a Netronome OpenFlow extension which is only
2236 supported when using Open vSwitch 2.4 and later with OpenFlow
2237 1.5 and later.
2238
2239
2240 fields=field
2241 fields(field[=mask]...)
2242 The field parameters to selection method selected by the selec‐
2243 tion_method field. The syntax is described in Flow Syntax with
2244 the additional restrictions that if a value is provided it is
2245 treated as a wildcard mask and wildcard masks following a slash
2246 are prohibited. The pre-requisites of fields must be provided by
2247 any flows that output to the group. The use of the fields is
2248 defined by the lower-layer that implements the selection_method.
2249 They are optional if the selection_method field is specified as
2250 ``hash', prohibited otherwise. The default is no fields.
2251
2252 This option will use a Netronome OpenFlow extension which is
2253 only supported when using Open vSwitch 2.4 and later with Open‐
2254 Flow 1.5 and later.
2255
2256
2257 bucket=bucket_parameters
2258 The add-group, add-groups and mod-group commands require at
2259 least one bucket field. Bucket fields must appear after all
2260 other fields. Multiple bucket fields to specify multiple buck‐
2261 ets. The order in which buckets are specified corresponds to
2262 their order in the group. If the type of the group is "indirect"
2263 then only one group may be specified. bucket_parameters con‐
2264 sists of a list of field=value assignments, separated by commas
2265 or white space followed by a comma-separated list of actions.
2266 The fields for bucket_parameters are:
2267
2268 bucket_id=id
2269 The 32-bit integer group id of the bucket. Values
2270 greater than 0xffffff00 are reserved. This field was
2271 added in Open vSwitch 2.4 to conform with the OpenFlow
2272 1.5 specification. It is not supported when earlier ver‐
2273 sions of OpenFlow are used. Open vSwitch will automati‐
2274 cally allocate bucket ids when they are not specified.
2275
2276 actions=[action][,action...]
2277 The syntax of actions are identical to the actions= field
2278 described in Flow Syntax above. Specifying actions= is
2279 optional, any unknown bucket parameter will be inter‐
2280 preted as an action.
2281
2282 weight=value
2283 The relative weight of the bucket as an integer. This may
2284 be used by the switch during bucket select for groups
2285 whose type is select.
2286
2287 watch_port=port
2288 Port used to determine liveness of group. This or the
2289 watch_group field is required for groups whose type is ff
2290 or fast_failover.
2291
2292 watch_group=group_id
2293 Group identifier of group used to determine liveness of
2294 group. This or the watch_port field is required for
2295 groups whose type is ff or fast_failover.
2296
2297 Meter Syntax
2298 The meter table commands accept an argument that describes a meter.
2299 Such meter descriptions comprise a series field=value assignments, sep‐
2300 arated by commas or white space. (Embedding spaces into a group
2301 description normally requires quoting to prevent the shell from break‐
2302 ing the description into multiple arguments.). Unless noted otherwise
2303 only the last instance of each field is honoured.
2304
2305 meter=id
2306 The identifier for the meter. An integer is used to specify a
2307 user-defined meter. In addition, the keywords "all", "con‐
2308 troller", and "slowpath", are also supported as virtual meters.
2309 The "controller" and "slowpath" virtual meters apply to packets
2310 sent to the controller and to the OVS userspace, respectively.
2311
2312 When this field is specified in del-meter, dump-meter, or meter-
2313 stats, the keyword "all" may be used to designate all meters.
2314 This field is required, except for meter-stats, which dumps all
2315 stats when this field is not specified.
2316
2317 kbps
2318 pktps The unit for the rate and burst_size band parameters. kbps
2319 specifies kilobits per second, and pktps specifies packets per
2320 second. A unit is required for the add-meter and mod-meter com‐
2321 mands.
2322
2323
2324 burst If set, enables burst support for meter bands through the
2325 burst_size parameter.
2326
2327
2328 stats If set, enables the collection of meter and band statistics.
2329
2330
2331 bands=band_parameters
2332 The add-meter and mod-meter commands require at least one band
2333 specification. Bands must appear after all other fields.
2334
2335 type=type
2336 The type of the meter band. This keyword starts a new
2337 band specification. Each band specifies a rate above
2338 which the band is to take some action. The action depends
2339 on the band type. If multiple bands' rate is exceeded,
2340 then the band with the highest rate among the exceeded
2341 bands is selected. The following keywords designate the
2342 allowed meter band types:
2343
2344 drop Drop packets exceeding the band's rate limit.
2345
2346 The other band_parameters are:
2347
2348 rate=value
2349 The relative rate limit for this band, in kilobits per
2350 second or packets per second, depending on whether kbps
2351 or pktps was specified.
2352
2353 burst_size=size
2354 If burst is specified for the meter entry, configures the
2355 maximum burst allowed for the band in kilobits or pack‐
2356 ets, depending on whether kbps or pktps was specified.
2357 If unspecified, the switch is free to select some reason‐
2358 able value depending on its configuration.
2359
2361 --strict
2362 Uses strict matching when running flow modification commands.
2363
2364 --names
2365 --no-names
2366 Every OpenFlow port has a name and a number, and every OpenFlow
2367 flow table has a number and sometimes a name. By default,
2368 ovs-ofctl commands accept both port and table names and numbers,
2369 and they display port and table names if ovs-ofctl is running on
2370 an interactive console, numbers otherwise. With --names,
2371 ovs-ofctl commands both accept and display port and table names;
2372 with --no-names, commands neither accept nor display port and
2373 table names.
2374
2375 If a port or table name contains special characters or might be
2376 confused with a keyword within a flow, it may be enclosed in
2377 double quotes (escaped from the shell). If necessary, JSON-
2378 style escape sequences may be used inside quotes, as specified
2379 in RFC 7159. When it displays port and table names, ovs-ofctl
2380 quotes any name that does not start with a letter followed by
2381 letters or digits.
2382
2383 Open vSwitch added support for port names and these options.
2384 Open vSwitch 2.10 added support for table names. Earlier ver‐
2385 sions always behaved as if --no-names were specified.
2386
2387 Open vSwitch does not place its own limit on the length of port
2388 names, but OpenFlow 1.0 to 1.5 limit port names to 15 bytes and
2389 OpenFlow 1.6 limits them to 63 bytes. Because ovs-ofctl uses
2390 OpenFlow to retrieve the mapping between port names and numbers,
2391 names longer than this limit will be truncated for both display
2392 and acceptance. Truncation can also cause long names that are
2393 different to appear to be the same; when a switch has two ports
2394 with the same (truncated) name, ovs-ofctl refuses to display or
2395 accept the name, using the number instead.
2396
2397 OpenFlow and Open vSwitch limit table names to 32 bytes.
2398
2399 --stats
2400 --no-stats
2401 The dump-flows command by default, or with --stats, includes
2402 flow duration, packet and byte counts, and idle and hard age in
2403 its output. With --no-stats, it omits all of these, as well as
2404 cookie values and table IDs if they are zero.
2405
2406 --read-only
2407 Do not execute read/write commands.
2408
2409 --bundle
2410 Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
2411
2412 · Within a bundle, all flow mods are processed in the order
2413 they appear and as a single atomic transaction, meaning
2414 that if one of them fails, the whole transaction fails
2415 and none of the changes are made to the switch's flow ta‐
2416 ble, and that each given datapath packet traversing the
2417 OpenFlow tables sees the flow tables either as before the
2418 transaction, or after all the flow mods in the bundle
2419 have been successfully applied.
2420
2421 · The beginning and the end of the flow table modification
2422 commands in a bundle are delimited with OpenFlow 1.4 bun‐
2423 dle control messages, which makes it possible to stream
2424 the included commands without explicit OpenFlow barriers,
2425 which are otherwise used after each flow table modifica‐
2426 tion command. This may make large modifications execute
2427 faster as a bundle.
2428
2429 · Bundles require OpenFlow 1.4 or higher. An explicit -O
2430 OpenFlow14 option is not needed, but you may need to
2431 enable OpenFlow 1.4 support for OVS by setting the OVSDB
2432 protocols column in the bridge table.
2433
2434 -O [version[,version]...]
2435 --protocols=[version[,version]...]
2436 Sets the OpenFlow protocol versions that are allowed when estab‐
2437 lishing an OpenFlow session.
2438
2439 These protocol versions are enabled by default:
2440
2441 · OpenFlow10, for OpenFlow 1.0.
2442 The following protocol versions are generally supported, but for com‐
2443 patibility with older versions of Open vSwitch they are not enabled by
2444 default:
2445
2446 · OpenFlow11, for OpenFlow 1.1.
2447
2448 · OpenFlow12, for OpenFlow 1.2.
2449
2450 · OpenFlow13, for OpenFlow 1.3.
2451
2452 · OpenFlow14, for OpenFlow 1.4.
2453
2454 Support for the following protocol versions is provided for
2455 testing and development purposes. They are not enabled by
2456 default:
2457
2458 · OpenFlow15, for OpenFlow 1.5.
2459
2460 · OpenFlow16, for OpenFlow 1.6.
2461
2462 -F format[,format...]
2463 --flow-format=format[,format...]
2464 ovs-ofctl supports the following individual flow formats, any
2465 number of which may be listed as format:
2466
2467 OpenFlow10-table_id
2468 This is the standard OpenFlow 1.0 flow format. All Open‐
2469 Flow switches and all versions of Open vSwitch support
2470 this flow format.
2471
2472 OpenFlow10+table_id
2473 This is the standard OpenFlow 1.0 flow format plus a
2474 Nicira extension that allows ovs-ofctl to specify the
2475 flow table in which a particular flow should be placed.
2476 Open vSwitch 1.2 and later supports this flow format.
2477
2478 NXM-table_id (Nicira Extended Match)
2479 This Nicira extension to OpenFlow is flexible and exten‐
2480 sible. It supports all of the Nicira flow extensions,
2481 such as tun_id and registers. Open vSwitch 1.1 and later
2482 supports this flow format.
2483
2484 NXM+table_id (Nicira Extended Match)
2485 This combines Nicira Extended match with the ability to
2486 place a flow in a specific table. Open vSwitch 1.2 and
2487 later supports this flow format.
2488
2489 OXM-OpenFlow12
2490 OXM-OpenFlow13
2491 OXM-OpenFlow14
2492 OXM-OpenFlow15
2493 OXM-OpenFlow16
2494 These are the standard OXM (OpenFlow Extensible Match)
2495 flow format in OpenFlow 1.2 and later.
2496
2497 ovs-ofctl also supports the following abbreviations for collec‐
2498 tions of flow formats:
2499
2500 any Any supported flow format.
2501
2502 OpenFlow10
2503 OpenFlow10-table_id or OpenFlow10+table_id.
2504
2505 NXM NXM-table_id or NXM+table_id.
2506
2507 OXM OXM-OpenFlow12, OXM-OpenFlow13, or OXM-OpenFlow14.
2508
2509 For commands that modify the flow table, ovs-ofctl by default
2510 negotiates the most widely supported flow format that supports
2511 the flows being added. For commands that query the flow table,
2512 ovs-ofctl by default uses the most advanced format supported by
2513 the switch.
2514
2515 This option, where format is a comma-separated list of one or
2516 more of the formats listed above, limits ovs-ofctl's choice of
2517 flow format. If a command cannot work as requested using one of
2518 the specified flow formats, ovs-ofctl will report a fatal error.
2519
2520 -P format
2521 --packet-in-format=format
2522 ovs-ofctl supports the following ``packet-in'' formats, in order
2523 of increasing capability:
2524
2525 standard
2526 This uses the OFPT_PACKET_IN message, the standard
2527 ``packet-in'' message for any given OpenFlow version.
2528 Every OpenFlow switch that supports a given OpenFlow ver‐
2529 sion supports this format.
2530
2531 nxt_packet_in
2532 This uses the NXT_PACKET_IN message, which adds many of
2533 the capabilities of the OpenFlow 1.1 and later ``packet-
2534 in'' messages before those OpenFlow versions were avail‐
2535 able in Open vSwitch. Open vSwitch 1.1 and later support
2536 this format. Only Open vSwitch 2.6 and later, however,
2537 support it for OpenFlow 1.1 and later (but there is lit‐
2538 tle reason to use it with those versions of OpenFlow).
2539
2540 nxt_packet_in2
2541 This uses the NXT_PACKET_IN2 message, which is extensible
2542 and should avoid the need to define new formats later.
2543 In particular, this format supports passing arbitrary
2544 user-provided data to a controller using the userdata
2545 option on the controller action. Open vSwitch 2.6 and
2546 later support this format.
2547
2548 Without this option, ovs-ofctl prefers nxt_packet_in2 if the
2549 switch supports it. Otherwise, if OpenFlow 1.0 is in use,
2550 ovs-ofctl prefers nxt_packet_in if the switch supports it. Oth‐
2551 erwise, ovs-ofctl falls back to the standard packet-in format.
2552 When this option is specified, ovs-ofctl insists on the selected
2553 format. If the switch does not support the requested format,
2554 ovs-ofctl will report a fatal error.
2555
2556 Before version 2.6, Open vSwitch called standard format open‐
2557 flow10 and nxt_packet_in format nxm, and ovs-ofctl still accepts
2558 these names as synonyms. (The name openflow10 was a misnomer
2559 because this format actually varies from one OpenFlow version to
2560 another; it is not consistently OpenFlow 1.0 format. Similarly,
2561 when nxt_packet_in2 was introduced, the name nxm became confus‐
2562 ing because it also uses OXM/NXM.)
2563
2564 This option affects only the monitor command.
2565
2566 --timestamp
2567 Print a timestamp before each received packet. This option only
2568 affects the monitor, snoop, and ofp-parse-pcap commands.
2569
2570 -m
2571 --more Increases the verbosity of OpenFlow messages printed and logged
2572 by ovs-ofctl commands. Specify this option more than once to
2573 increase verbosity further.
2574
2575 --sort[=field]
2576 --rsort[=field]
2577 Display output sorted by flow field in ascending (--sort) or
2578 descending (--rsort) order, where field is any of the fields
2579 that are allowed for matching or priority to sort by priority.
2580 When field is omitted, the output is sorted by priority. Spec‐
2581 ify these options multiple times to sort by multiple fields.
2582
2583 Any given flow will not necessarily specify a value for a given
2584 field. This requires special treatement:
2585
2586 · A flow that does not specify any part of a field that is
2587 used for sorting is sorted after all the flows that do
2588 specify the field. For example, --sort=tcp_src will sort
2589 all the flows that specify a TCP source port in ascending
2590 order, followed by the flows that do not specify a TCP
2591 source port at all.
2592
2593 · A flow that only specifies some bits in a field is sorted
2594 as if the wildcarded bits were zero. For example,
2595 --sort=nw_src would sort a flow that specifies
2596 nw_src=192.168.0.0/24 the same as nw_src=192.168.0.0.
2597
2598 These options currently affect only dump-flows output.
2599
2600 Daemon Options
2601 The following options are valid on POSIX based platforms.
2602
2603 --pidfile[=pidfile]
2604 Causes a file (by default, ovs-ofctl.pid) to be created indicat‐
2605 ing the PID of the running process. If the pidfile argument is
2606 not specified, or if it does not begin with /, then it is cre‐
2607 ated in /var/run/openvswitch.
2608
2609 If --pidfile is not specified, no pidfile is created.
2610
2611 --overwrite-pidfile
2612 By default, when --pidfile is specified and the specified pid‐
2613 file already exists and is locked by a running process,
2614 ovs-ofctl refuses to start. Specify --overwrite-pidfile to
2615 cause it to instead overwrite the pidfile.
2616
2617 When --pidfile is not specified, this option has no effect.
2618
2619 --detach
2620 Runs ovs-ofctl as a background process. The process forks, and
2621 in the child it starts a new session, closes the standard file
2622 descriptors (which has the side effect of disabling logging to
2623 the console), and changes its current directory to the root
2624 (unless --no-chdir is specified). After the child completes its
2625 initialization, the parent exits. ovs-ofctl detaches only when
2626 executing the monitor or snoop commands.
2627
2628 --monitor
2629 Creates an additional process to monitor the ovs-ofctl daemon.
2630 If the daemon dies due to a signal that indicates a programming
2631 error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE,
2632 SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process starts a
2633 new copy of it. If the daemon dies or exits for another reason,
2634 the monitor process exits.
2635
2636 This option is normally used with --detach, but it also func‐
2637 tions without it.
2638
2639 --no-chdir
2640 By default, when --detach is specified, ovs-ofctl changes its
2641 current working directory to the root directory after it
2642 detaches. Otherwise, invoking ovs-ofctl from a carelessly cho‐
2643 sen directory would prevent the administrator from unmounting
2644 the file system that holds that directory.
2645
2646 Specifying --no-chdir suppresses this behavior, preventing
2647 ovs-ofctl from changing its current working directory. This may
2648 be useful for collecting core files, since it is common behavior
2649 to write core dumps into the current working directory and the
2650 root directory is not a good directory to use.
2651
2652 This option has no effect when --detach is not specified.
2653
2654 --no-self-confinement
2655 By default daemon will try to self-confine itself to work with
2656 files under well-know, at build-time whitelisted directories.
2657 It is better to stick with this default behavior and not to use
2658 this flag unless some other Access Control is used to confine
2659 daemon. Note that in contrast to other access control implemen‐
2660 tations that are typically enforced from kernel-space (e.g. DAC
2661 or MAC), self-confinement is imposed from the user-space daemon
2662 itself and hence should not be considered as a full confinement
2663 strategy, but instead should be viewed as an additional layer of
2664 security.
2665
2666 --user Causes ovs-ofctl to run as a different user specified in
2667 "user:group", thus dropping most of the root privileges. Short
2668 forms "user" and ":group" are also allowed, with current user or
2669 group are assumed respectively. Only daemons started by the root
2670 user accepts this argument.
2671
2672 On Linux, daemons will be granted CAP_IPC_LOCK and
2673 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
2674 that interact with a datapath, such as ovs-vswitchd, will be
2675 granted three additional capabilities, namely CAP_NET_ADMIN,
2676 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
2677 apply even if the new user is root.
2678
2679 On Windows, this option is not currently supported. For security
2680 reasons, specifying this option will cause the daemon process
2681 not to start.
2682
2683 --unixctl=socket
2684 Sets the name of the control socket on which ovs-ofctl listens
2685 for runtime management commands (see RUNTIME MANAGEMENT COM‐
2686 MANDS, below). If socket does not begin with /, it is inter‐
2687 preted as relative to /var/run/openvswitch. If --unixctl is not
2688 used at all, the default socket is /var/run/open‐
2689 vswitch/ovs-ofctl.pid.ctl, where pid is ovs-ofctl's process ID.
2690
2691 On Windows a local named pipe is used to listen for runtime man‐
2692 agement commands. A file is created in the absolute path as
2693 pointed by socket or if --unixctl is not used at all, a file is
2694 created as ovs-ofctl.ctl in the configured OVS_RUNDIR directory.
2695 The file exists just to mimic the behavior of a Unix domain
2696 socket.
2697
2698 Specifying none for socket disables the control socket feature.
2699
2700 Public Key Infrastructure Options
2701 -p privkey.pem
2702 --private-key=privkey.pem
2703 Specifies a PEM file containing the private key used as
2704 ovs-ofctl's identity for outgoing SSL connections.
2705
2706 -c cert.pem
2707 --certificate=cert.pem
2708 Specifies a PEM file containing a certificate that certifies the
2709 private key specified on -p or --private-key to be trustworthy.
2710 The certificate must be signed by the certificate authority (CA)
2711 that the peer in SSL connections will use to verify it.
2712
2713 -C cacert.pem
2714 --ca-cert=cacert.pem
2715 Specifies a PEM file containing the CA certificate that
2716 ovs-ofctl should use to verify certificates presented to it by
2717 SSL peers. (This may be the same certificate that SSL peers use
2718 to verify the certificate specified on -c or --certificate, or
2719 it may be a different one, depending on the PKI design in use.)
2720
2721 -C none
2722 --ca-cert=none
2723 Disables verification of certificates presented by SSL peers.
2724 This introduces a security risk, because it means that certifi‐
2725 cates cannot be verified to be those of known trusted hosts.
2726
2727 -v[spec]
2728 --verbose=[spec]
2729 Sets logging levels. Without any spec, sets the log level for
2730 every module and destination to dbg. Otherwise, spec is a list
2731 of words separated by spaces or commas or colons, up to one from
2732 each category below:
2733
2734 · A valid module name, as displayed by the vlog/list com‐
2735 mand on ovs-appctl(8), limits the log level change to the
2736 specified module.
2737
2738 · syslog, console, or file, to limit the log level change
2739 to only to the system log, to the console, or to a file,
2740 respectively. (If --detach is specified, ovs-ofctl
2741 closes its standard file descriptors, so logging to the
2742 console will have no effect.)
2743
2744 On Windows platform, syslog is accepted as a word and is
2745 only useful along with the --syslog-target option (the
2746 word has no effect otherwise).
2747
2748 · off, emer, err, warn, info, or dbg, to control the log
2749 level. Messages of the given severity or higher will be
2750 logged, and messages of lower severity will be filtered
2751 out. off filters out all messages. See ovs-appctl(8)
2752 for a definition of each log level.
2753
2754 Case is not significant within spec.
2755
2756 Regardless of the log levels set for file, logging to a file
2757 will not take place unless --log-file is also specified (see
2758 below).
2759
2760 For compatibility with older versions of OVS, any is accepted as
2761 a word but has no effect.
2762
2763 -v
2764 --verbose
2765 Sets the maximum logging verbosity level, equivalent to --ver‐
2766 bose=dbg.
2767
2768 -vPATTERN:destination:pattern
2769 --verbose=PATTERN:destination:pattern
2770 Sets the log pattern for destination to pattern. Refer to
2771 ovs-appctl(8) for a description of the valid syntax for pattern.
2772
2773 -vFACILITY:facility
2774 --verbose=FACILITY:facility
2775 Sets the RFC5424 facility of the log message. facility can be
2776 one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
2777 clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
2778 local3, local4, local5, local6 or local7. If this option is not
2779 specified, daemon is used as the default for the local system
2780 syslog and local0 is used while sending a message to the target
2781 provided via the --syslog-target option.
2782
2783 --log-file[=file]
2784 Enables logging to a file. If file is specified, then it is
2785 used as the exact name for the log file. The default log file
2786 name used if file is omitted is /var/log/open‐
2787 vswitch/ovs-ofctl.log.
2788
2789 --syslog-target=host:port
2790 Send syslog messages to UDP port on host, in addition to the
2791 system syslog. The host must be a numerical IP address, not a
2792 hostname.
2793
2794 --syslog-method=method
2795 Specify method how syslog messages should be sent to syslog dae‐
2796 mon. Following forms are supported:
2797
2798 · libc, use libc syslog() function. This is the default
2799 behavior. Downside of using this options is that libc
2800 adds fixed prefix to every message before it is actually
2801 sent to the syslog daemon over /dev/log UNIX domain
2802 socket.
2803
2804 · unix:file, use UNIX domain socket directly. It is possi‐
2805 ble to specify arbitrary message format with this option.
2806 However, rsyslogd 8.9 and older versions use hard coded
2807 parser function anyway that limits UNIX domain socket
2808 use. If you want to use arbitrary message format with
2809 older rsyslogd versions, then use UDP socket to localhost
2810 IP address instead.
2811
2812 · udp:ip:port, use UDP socket. With this method it is pos‐
2813 sible to use arbitrary message format also with older
2814 rsyslogd. When sending syslog messages over UDP socket
2815 extra precaution needs to be taken into account, for
2816 example, syslog daemon needs to be configured to listen
2817 on the specified UDP port, accidental iptables rules
2818 could be interfering with local syslog traffic and there
2819 are some security considerations that apply to UDP sock‐
2820 ets, but do not apply to UNIX domain sockets.
2821
2822 --color[=when]
2823 Colorize the output (for some commands); when can be never,
2824 always, or auto (the default).
2825
2826 Only some commands support output coloring. Color names and
2827 default colors may change in future releases.
2828
2829 The environment variable OVS_COLORS can be used to specify user-
2830 defined colors and other attributes used to highlight various
2831 parts of the output. If set, its value is a colon-separated list
2832 of capabilities that defaults to
2833 ac:01;31:dr=34:le=31:pm=36:pr=35:sp=33:vl=32. Supported capabil‐
2834 ities were initially designed for coloring flows from ovs-ofctl
2835 dump-flows switch command, and they are as follows.
2836
2837 ac=01;31
2838 SGR substring for actions= keyword in a flow. The
2839 default is a bold red text foreground.
2840
2841 dr=34 SGR substring for drop keyword. The default is a
2842 dark blue text foreground.
2843
2844 le=31 SGR substring for learn= keyword in a flow. The
2845 default is a red text foreground.
2846
2847 pm=36 SGR substring for flow match attribute names. The
2848 default is a cyan text foreground.
2849
2850 pr=35 SGR substring for keywords in a flow that are fol‐
2851 lowed by arguments inside parenthesis. The
2852 default is a magenta text foreground.
2853
2854 sp=33 SGR substring for some special keywords in a flow,
2855 notably: table=, priority=, load:, output:, move:,
2856 group:, CONTROLLER:, set_field:, resubmit:, exit.
2857 The default is a yellow text foreground.
2858
2859 vl=32 SGR substring for a lone flow match attribute with
2860 no field name. The default is a green text fore‐
2861 ground.
2862
2863 See the Select Graphic Rendition (SGR) section in the documenta‐
2864 tion of the text terminal that is used for permitted values and
2865 their meaning as character attributes.
2866
2867 -h
2868 --help Prints a brief help message to the console.
2869
2870 -V
2871 --version
2872 Prints version information to the console.
2873
2875 ovs-appctl(8) can send commands to a running ovs-ofctl process. The
2876 supported commands are listed below.
2877
2878 exit Causes ovs-ofctl to gracefully terminate. This command applies
2879 only when executing the monitor or snoop commands.
2880
2881 ofctl/set-output-file file
2882 Causes all subsequent output to go to file instead of stderr.
2883 This command applies only when executing the monitor or snoop
2884 commands.
2885
2886 ofctl/send ofmsg...
2887 Sends each ofmsg, specified as a sequence of hex digits that
2888 express an OpenFlow message, on the OpenFlow connection. This
2889 command is useful only when executing the monitor command.
2890
2891 ofctl/packet-out packet-out
2892 Sends an OpenFlow PACKET_OUT message specified in Packet-Out
2893 Syntax, on the OpenFlow connection. See Packet-Out Syntax sec‐
2894 tion for more information. This command is useful only when
2895 executing the monitor command.
2896
2897 ofctl/barrier
2898 Sends an OpenFlow barrier request on the OpenFlow connection and
2899 waits for a reply. This command is useful only for the monitor
2900 command.
2901
2903 The following examples assume that ovs-vswitchd has a bridge named br0
2904 configured.
2905
2906 ovs-ofctl dump-tables br0
2907 Prints out the switch's table stats. (This is more interesting
2908 after some traffic has passed through.)
2909
2910 ovs-ofctl dump-flows br0
2911 Prints the flow entries in the switch.
2912
2913 ovs-ofctl add-flow table=0 actions=learn(table=1,hard_timeout=10,
2914 NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]), resubmit(,1)
2915 ovs-ofctl add-flow table=1 priority=0 actions=flood Implements
2916 a level 2 MAC learning switch using the learn.
2917
2918 ovs-ofctl add-flow br0 'table=0,priority=0
2919 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_time‐
2920 out=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],out‐
2921 put:NXM_NX_REG0[0..15]),output:2
2922 In this use of a learn action, the first packet from each source
2923 MAC will be sent to port 2. Subsequent packets will be output to
2924 port 3, with an idle timeout of 10 seconds. NXM field names and
2925 match field names are both accepted, e.g. NXM_NX_REG0 or reg0
2926 for the first register, and empty brackets may be omitted.
2927
2928 Additional examples may be found documented as part of related
2929 sections.
2930
2932 ovs-fields(7), ovs-appctl(8), ovs-vswitchd(8), ovs-vswitchd.conf.db(8)
2933
2934
2935
2936Open vSwitch 2.10.0 ovs-ofctl(8)