1ovs-ofctl(8) Open vSwitch Manual ovs-ofctl(8)
2
3
4
6 ovs-ofctl - administer OpenFlow switches
7
9 ovs-ofctl [options] command [switch] [args...]
10
12 The ovs-ofctl program is a command line tool for monitoring and admin‐
13 istering OpenFlow switches. It can also show the current state of an
14 OpenFlow switch, including features, configuration, and table entries.
15 It should work with any OpenFlow switch, not just Open vSwitch.
16
17 OpenFlow Switch Management Commands
18 These commands allow ovs-ofctl to monitor and administer an OpenFlow
19 switch. It is able to show the current state of a switch, including
20 features, configuration, and table entries.
21
22 Most of these commands take an argument that specifies the method for
23 connecting to an OpenFlow switch. The following connection methods are
24 supported:
25
26 ssl:host[:port]
27 tcp:host[:port]
28 The specified port on the given host, which can be
29 expressed either as a DNS name (if built with unbound
30 library) or an IP address in IPv4 or IPv6 address format.
31 Wrap IPv6 addresses in square brackets, e.g.
32 tcp:[::1]:6653. On Linux, use %device to designate a
33 scope for IPv6 link-level addresses, e.g.
34 tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key,
35 --certificate, and --ca-cert options are mandatory.
36
37 If port is not specified, it defaults to 6653.
38
39 unix:file
40 On POSIX, a Unix domain server socket named file.
41
42 On Windows, connect to a local named pipe that is repre‐
43 sented by a file created in the path file to mimic the
44 behavior of a Unix domain socket.
45
46 file This is short for unix:file, as long as file does not
47 contain a colon.
48
49 bridge This is short for unix:/var/run/openvswitch/bridge.mgmt,
50 as long as bridge does not contain a colon.
51
52 [type@]dp
53 Attempts to look up the bridge associated with dp and
54 open as above. If type is given, it specifies the data‐
55 path provider of dp, otherwise the default provider sys‐
56 tem is assumed.
57
58 show switch
59 Prints to the console information on switch, including informa‐
60 tion on its flow tables and ports.
61
62 dump-tables switch
63 Prints to the console statistics for each of the flow tables
64 used by switch.
65
66 dump-table-features switch
67 Prints to the console features for each of the flow tables used
68 by switch.
69
70 dump-table-desc switch
71 Prints to the console configuration for each of the flow tables
72 used by switch for OpenFlow 1.4+.
73
74 mod-table switch table setting
75 This command configures flow table settings in switch for Open‐
76 Flow table table, which may be expressed as a number or (unless
77 --no-names is specified) a name.
78
79 The available settings depend on the OpenFlow version in use.
80 In OpenFlow 1.1 and 1.2 (which must be enabled with the -O
81 option) only, mod-table configures behavior when no flow is
82 found when a packet is looked up in a flow table. The following
83 setting values are available:
84
85 drop Drop the packet.
86
87 continue
88 Continue to the next table in the pipeline. (This is how
89 an OpenFlow 1.0 switch always handles packets that do not
90 match any flow, in tables other than the last one.)
91
92 controller
93 Send to controller. (This is how an OpenFlow 1.0 switch
94 always handles packets that do not match any flow in the
95 last table.)
96
97 In OpenFlow 1.3 and later (which must be enabled with the -O
98 option) and Open vSwitch 2.11 and later only, mod-table can
99 change the name of a table:
100
101 name:new-name
102 Changes the name of the table to new-name. Use an empty
103 new-name to clear the name. (This will be ineffective if
104 the name is set via the name column in the Flow_Table ta‐
105 ble in the Open_vSwitch database as described in
106 ovs-vswitchd.conf.db(5).)
107
108 In OpenFlow 1.4 and later (which must be enabled with the -O
109 option) only, mod-table configures the behavior when a con‐
110 troller attempts to add a flow to a flow table that is full.
111 The following setting values are available:
112
113 evict Delete some existing flow from the flow table, according
114 to the algorithm described for the Flow_Table table in
115 ovs-vswitchd.conf.db(5).
116
117 noevict
118 Refuse to add the new flow. (Eviction might still be
119 enabled through the overflow_policy column in the
120 Flow_Table table documented in ovs-vswitchd.conf.db(5).)
121
122 vacancy:low,high
123 Enables sending vacancy events to controllers using TA‐
124 BLE_STATUS messages, based on percentage thresholds low
125 and high.
126
127 novacancy
128 Disables vacancy events.
129
130 dump-ports switch [netdev]
131 Prints to the console statistics for network devices associated
132 with switch. If netdev is specified, only the statistics asso‐
133 ciated with that device will be printed. netdev can be an Open‐
134 Flow assigned port number or device name, e.g. eth0.
135
136 dump-ports-desc switch [port]
137 Prints to the console detailed information about network devices
138 associated with switch. To dump only a specific port, specify
139 its number as port. Otherwise, if port is omitted, or if it is
140 specified as ANY, then all ports are printed. This is a subset
141 of the information provided by the show command.
142
143 If the connection to switch negotiates OpenFlow 1.0, 1.2, or
144 1.2, this command uses an OpenFlow extension only implemented in
145 Open vSwitch (version 1.7 and later).
146
147 Only OpenFlow 1.5 and later support dumping a specific port.
148 Earlier versions of OpenFlow always dump all ports.
149
150 mod-port switch port action
151 Modify characteristics of port port in switch. port may be an
152 OpenFlow port number or name (unless --no-names is specified) or
153 the keyword LOCAL (the preferred way to refer to the OpenFlow
154 local port). The action may be any one of the following:
155 up
156 down Enable or disable the interface. This is equivalent to
157 ip link set up or ip link set down on a Unix system.
158
159 stp
160 no-stp Enable or disable 802.1D spanning tree protocol (STP) on
161 the interface. OpenFlow implementations that don't sup‐
162 port STP will refuse to enable it.
163
164 receive
165 no-receive
166 receive-stp
167 no-receive-stp
168 Enable or disable OpenFlow processing of packets received
169 on this interface. When packet processing is disabled,
170 packets will be dropped instead of being processed
171 through the OpenFlow table. The receive or no-receive
172 setting applies to all packets except 802.1D spanning
173 tree packets, which are separately controlled by
174 receive-stp or no-receive-stp.
175
176 forward
177 no-forward
178 Allow or disallow forwarding of traffic to this inter‐
179 face. By default, forwarding is enabled.
180
181 flood
182 no-flood
183 Controls whether an OpenFlow flood action will send traf‐
184 fic out this interface. By default, flooding is enabled.
185 Disabling flooding is primarily useful to prevent loops
186 when a spanning tree protocol is not in use.
187
188 packet-in
189 no-packet-in
190 Controls whether packets received on this interface that
191 do not match a flow table entry generate a ``packet in''
192 message to the OpenFlow controller. By default, ``packet
193 in'' messages are enabled.
194
195 The show command displays (among other information) the configu‐
196 ration that mod-port changes.
197
198 get-frags switch
199 Prints switch's fragment handling mode. See set-frags, below,
200 for a description of each fragment handling mode.
201
202 The show command also prints the fragment handling mode among
203 its other output.
204
205 set-frags switch frag_mode
206 Configures switch's treatment of IPv4 and IPv6 fragments. The
207 choices for frag_mode are:
208
209 normal Fragments pass through the flow table like non-fragmented
210 packets. The TCP ports, UDP ports, and ICMP type and
211 code fields are always set to 0, even for fragments where
212 that information would otherwise be available (fragments
213 with offset 0). This is the default fragment handling
214 mode for an OpenFlow switch.
215
216 drop Fragments are dropped without passing through the flow
217 table.
218
219 reassemble
220 The switch reassembles fragments into full IP packets
221 before passing them through the flow table. Open vSwitch
222 does not implement this fragment handling mode.
223
224 nx-match
225 Fragments pass through the flow table like non-fragmented
226 packets. The TCP ports, UDP ports, and ICMP type and
227 code fields are available for matching for fragments with
228 offset 0, and set to 0 in fragments with nonzero offset.
229 This mode is a Nicira extension.
230
231 See the description of ip_frag, in ovs-fields(7), for a way to
232 match on whether a packet is a fragment and on its fragment off‐
233 set.
234
235 dump-flows switch [flows]
236 Prints to the console all flow entries in switch's tables that
237 match flows. If flows is omitted, all flows in the switch are
238 retrieved. See Flow Syntax, below, for the syntax of flows.
239 The output format is described in Table Entry Output.
240
241 By default, ovs-ofctl prints flow entries in the same order that
242 the switch sends them, which is unlikely to be intuitive or con‐
243 sistent. Use --sort and --rsort to control display order. The
244 --names/--no-names and --stats/--no-stats options also affect
245 output formatting. See the descriptions of these options, under
246 OPTIONS below, for more information
247
248 dump-aggregate switch [flows]
249 Prints to the console aggregate statistics for flows in switch's
250 tables that match flows. If flows is omitted, the statistics
251 are aggregated across all flows in the switch's flow tables.
252 See Flow Syntax, below, for the syntax of flows. The output
253 format is described in Table Entry Output.
254
255 queue-stats switch [port [queue]]
256 Prints to the console statistics for the specified queue on port
257 within switch. port can be an OpenFlow port number or name, the
258 keyword LOCAL (the preferred way to refer to the OpenFlow local
259 port), or the keyword ALL. Either of port or queue or both may
260 be omitted (or equivalently the keyword ALL). If both are omit‐
261 ted, statistics are printed for all queues on all ports. If
262 only queue is omitted, then statistics are printed for all
263 queues on port; if only port is omitted, then statistics are
264 printed for queue on every port where it exists.
265
266 queue-get-config switch [port [queue]]
267 Prints to the console the configuration of queue on port in
268 switch. If port is omitted or ANY, reports queues for all port.
269 If queue is omitted or ANY, reports all queues. For OpenFlow
270 1.3 and earlier, the output always includes all queues, ignoring
271 queue if specified.
272
273 This command has limited usefulness, because ports often have no
274 configured queues and because the OpenFlow protocol provides
275 only very limited information about the configuration of a
276 queue.
277
278 dump-ipfix-bridge switch
279 Prints to the console the statistics of bridge IPFIX for switch.
280 If bridge IPFIX is configured on the switch, IPFIX statistics
281 can be retrieved. Otherwise, error message will be printed.
282
283 This command uses an Open vSwitch extension that is only in Open
284 vSwitch 2.6 and later.
285
286 dump-ipfix-flow switch
287 Prints to the console the statistics of flow-based IPFIX for
288 switch. If flow-based IPFIX is configured on the switch, sta‐
289 tistics of all the collector set ids on the switch will be
290 printed. Otherwise, print error message.
291
292 Refer to ovs-vswitchd.conf.db(5) for more details on configuring
293 flow based IPFIX and collector set ids.
294
295 This command uses an Open vSwitch extension that is only in Open
296 vSwitch 2.6 and later.
297
298 ct-flush-zone switch zone
299 Flushes the connection tracking entries in zone on switch.
300
301 This command uses an Open vSwitch extension that is only in Open
302 vSwitch 2.6 and later.
303
304 OpenFlow Switch Flow Table Commands
305 These commands manage the flow table in an OpenFlow switch. In each
306 case, flow specifies a flow entry in the format described in Flow Syn‐
307 tax, below, file is a text file that contains zero or more flows in the
308 same syntax, one per line, and the optional --bundle option operates
309 the command as a single atomic transation, see option --bundle, below.
310
311 [--bundle] add-flow switch flow
312 [--bundle] add-flow switch - < file
313 [--bundle] add-flows switch file
314 Add each flow entry to switch's tables. Each flow specification
315 (e.g., each line in file) may start with add, modify, delete,
316 modify_strict, or delete_strict keyword to specify whether a
317 flow is to be added, modified, or deleted, and whether the mod‐
318 ify or delete is strict or not. For backwards compatibility a
319 flow specification without one of these keywords is treated as a
320 flow add. All flow mods are executed in the order specified.
321
322 [--bundle] [--strict] mod-flows switch flow
323 [--bundle] [--strict] mod-flows switch - < file
324 Modify the actions in entries from switch's tables that match
325 the specified flows. With --strict, wildcards are not treated
326 as active for matching purposes.
327
328 [--bundle] del-flows switch
329 [--bundle] [--strict] del-flows switch [flow]
330 [--bundle] [--strict] del-flows switch - < file
331 Deletes entries from switch's flow table. With only a switch
332 argument, deletes all flows. Otherwise, deletes flow entries
333 that match the specified flows. With --strict, wildcards are
334 not treated as active for matching purposes.
335
336 [--bundle] [--readd] replace-flows switch file
337 Reads flow entries from file (or stdin if file is -) and queries
338 the flow table from switch. Then it fixes up any differences,
339 adding flows from flow that are missing on switch, deleting
340 flows from switch that are not in file, and updating flows in
341 switch whose actions, cookie, or timeouts differ in file.
342
343 With --readd, ovs-ofctl adds all the flows from file, even those
344 that exist with the same actions, cookie, and timeout in switch.
345 In OpenFlow 1.0 and 1.1, re-adding a flow always resets the
346 flow's packet and byte counters to 0, and in OpenFlow 1.2 and
347 later, it does so only if the reset_counts flag is set.
348
349 diff-flows source1 source2
350 Reads flow entries from source1 and source2 and prints the dif‐
351 ferences. A flow that is in source1 but not in source2 is
352 printed preceded by a -, and a flow that is in source2 but not
353 in source1 is printed preceded by a +. If a flow exists in both
354 source1 and source2 with different actions, cookie, or timeouts,
355 then both versions are printed preceded by - and +, respec‐
356 tively.
357
358 source1 and source2 may each name a file or a switch. If a name
359 begins with / or ., then it is considered to be a file name. A
360 name that contains : is considered to be a switch. Otherwise,
361 it is a file if a file by that name exists, a switch if not.
362
363 For this command, an exit status of 0 means that no differences
364 were found, 1 means that an error occurred, and 2 means that
365 some differences were found.
366
367 packet-out switch packet-out
368 Connects to switch and instructs it to execute the packet-out
369 OpenFlow message, specified as defined in Packet-Out Syntax sec‐
370 tion.
371
372 Group Table Commands
373 These commands manage the group table in an OpenFlow switch. In each
374 case, group specifies a group entry in the format described in Group
375 Syntax, below, and file is a text file that contains zero or more
376 groups in the same syntax, one per line, and the optional --bundle
377 option operates the command as a single atomic transation, see option
378 --bundle, below.
379
380 The group commands work only with switches that support OpenFlow 1.1 or
381 later or the Open vSwitch group extensions to OpenFlow 1.0 (added in
382 Open vSwitch 2.9.90). For OpenFlow 1.1 or later, it is necessary to
383 explicitly enable these protocol versions in ovs-ofctl (using -O). For
384 more information, see ``Q: What versions of OpenFlow does Open vSwitch
385 support?'' in the Open vSwitch FAQ.
386
387 [--bundle] add-group switch group
388 [--bundle] add-group switch - < file
389 [--bundle] add-groups switch file
390 Add each group entry to switch's tables. Each group specifica‐
391 tion (e.g., each line in file) may start with add, modify,
392 add_or_mod, delete, insert_bucket, or remove_bucket keyword to
393 specify whether a flow is to be added, modified, or deleted, or
394 whether a group bucket is to be added or removed. For backwards
395 compatibility a group specification without one of these key‐
396 words is treated as a group add. All group mods are executed in
397 the order specified.
398
399 [--bundle] [--may-create] mod-group switch group
400 [--bundle] [--may-create] mod-group switch - < file
401 Modify the action buckets in entries from switch's tables for
402 each group entry. If a specified group does not already exist,
403 then without --may-create, this command has no effect; with
404 --may-create, it creates a new group. The --may-create option
405 uses an Open vSwitch extension to OpenFlow only implemented in
406 Open vSwitch 2.6 and later.
407
408 [--bundle] del-groups switch
409 [--bundle] del-groups switch [group]
410 [--bundle] del-groups switch - < file
411 Deletes entries from switch's group table. With only a switch
412 argument, deletes all groups. Otherwise, deletes the group for
413 each group entry.
414
415 [--bundle] insert-buckets switch group
416 [--bundle] insert-buckets switch - < file
417 Add buckets to an existing group present in the switch's group
418 table. If no command_bucket_id is present in the group specifi‐
419 cation then all buckets of the group are removed.
420
421 [--bundle] remove-buckets switch group
422 [--bundle] remove-buckets switch - < file
423 Remove buckets to an existing group present in the switch's
424 group table. If no command_bucket_id is present in the group
425 specification then all buckets of the group are removed.
426
427 dump-groups switch [group]
428 Prints group entries in switch's tables to console. To dump
429 only a specific group, specify its number as group. Otherwise,
430 if group is omitted, or if it is specified as ALL, then all
431 groups are printed.
432
433 Only OpenFlow 1.5 and later support dumping a specific group.
434 Earlier versions of OpenFlow always dump all groups.
435
436 dump-group-features switch
437 Prints to the console the group features of the switch.
438
439 dump-group-stats switch [group]
440 Prints to the console statistics for the specified group in
441 switch's tables. If group is omitted then statistics for all
442 groups are printed.
443
444 OpenFlow 1.3+ Switch Meter Table Commands
445 These commands manage the meter table in an OpenFlow switch. In each
446 case, meter specifies a meter entry in the format described in Meter
447 Syntax, below.
448
449 OpenFlow 1.3 introduced support for meters, so these commands only work
450 with switches that support OpenFlow 1.3 or later. It is necessary to
451 explicitly enable these protocol versions in ovs-ofctl (using -O) and
452 in the switch itself (with the protocols column in the Bridge table).
453 For more information, see ``Q: What versions of OpenFlow does Open
454 vSwitch support?'' in the Open vSwitch FAQ.
455
456 add-meter switch meter
457 Add a meter entry to switch's tables. The meter syntax is
458 described in section Meter Syntax, below.
459
460 mod-meter switch meter
461 Modify an existing meter.
462
463 del-meters switch [meter]
464 Delete entries from switch's meter table. To delete only a spe‐
465 cific meter, specify its number as meter. Otherwise, if meter
466 is omitted, or if it is specified as all, then all meters are
467 deleted.
468
469 dump-meters switch [meter]
470 Print entries from switch's meter table. To print only a spe‐
471 cific meter, specify its number as meter. Otherwise, if meter
472 is omitted, or if it is specified as all, then all meters are
473 printed.
474
475 meter-stats switch [meter]
476 Print meter statistics. meter can specify a single meter with
477 syntax meter=id, or all meters with syntax meter=all.
478
479 meter-features switch
480 Print meter features.
481
482 OpenFlow Switch Bundle Command
483 Transactional updates to both flow and group tables can be made with
484 the bundle command. file is a text file that contains zero or more
485 flow mods, group mods, or packet-outs in Flow Syntax, Group Syntax, or
486 Packet-Out Syntax, each line preceded by flow, group, or packet-out
487 keyword, correspondingly. The flow keyword may be optionally followed
488 by one of the keywords add, modify, modify_strict, delete, or
489 delete_strict, of which the add is assumed if a bare flow is given.
490 Similarly, the group keyword may be optionally followed by one of the
491 keywords add, modify, add_or_mod, delete, insert_bucket, or
492 remove_bucket, of which the add is assumed if a bare group is given.
493
494 bundle switch file
495 Execute all flow and group mods in file as a single atomic
496 transaction against switch's tables. All bundled mods are exe‐
497 cuted in the order specified.
498
499 OpenFlow Switch Tunnel TLV Table Commands
500 Open vSwitch maintains a mapping table between tunnel option TLVs
501 (defined by <class, type, length>) and NXM fields tun_metadatan, where
502 n ranges from 0 to 63, that can be operated on for the purposes of
503 matches, actions, etc. This TLV table can be used for Geneve option
504 TLVs or other protocols with options in same TLV format as Geneve
505 options. This mapping must be explicitly specified by the user through
506 the following commands.
507
508 A TLV mapping is specified with the syntax
509 {class=class,type=type,len=length}->tun_metadatan. When an option map‐
510 ping exists for a given tun_metadatan, matching on the defined field
511 becomes possible, e.g.:
512
513 ovs-ofctl add-tlv-map br0
514 "{class=0xffff,type=0,len=4}->tun_metadata0"
515
516 ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
517
518 A mapping should not be changed while it is in active use by a flow.
519 The result of doing so is undefined.
520
521 These commands are Nicira extensions to OpenFlow and require Open
522 vSwitch 2.5 or later.
523
524
525 add-tlv-map switch option[,option]...
526 Add each option to switch's tables. Duplicate fields are
527 rejected.
528
529 del-tlv-map switch [option[,option]]...
530 Delete each option from switch's table, or all option TLV map‐
531 ping if no option is specified. Fields that aren't mapped are
532 ignored.
533
534 dump-tlv-map switch
535 Show the currently mapped fields in the switch's option table as
536 well as switch capabilities.
537
538 OpenFlow Switch Monitoring Commands
539 snoop switch
540 Connects to switch and prints to the console all OpenFlow mes‐
541 sages received. Unlike other ovs-ofctl commands, if switch is
542 the name of a bridge, then the snoop command connects to a Unix
543 domain socket named /var/run/openvswitch/switch.snoop.
544 ovs-vswitchd listens on such a socket for each bridge and sends
545 to it all of the OpenFlow messages sent to or received from its
546 configured OpenFlow controller. Thus, this command can be used
547 to view OpenFlow protocol activity between a switch and its con‐
548 troller.
549
550 When a switch has more than one controller configured, only the
551 traffic to and from a single controller is output. If none of
552 the controllers is configured as a primary or a secondary (using
553 a Nicira extension to OpenFlow 1.0 or 1.1, or a standard request
554 in OpenFlow 1.2 or later), then a controller is chosen arbitrar‐
555 ily among them. If there is a primary controller, it is chosen;
556 otherwise, if there are any controllers that are not primaries
557 or secondaries, one is chosen arbitrarily; otherwise, a sec‐
558 ondary controller is chosen arbitrarily. This choice is made
559 once at connection time and does not change as controllers
560 reconfigure their roles.
561
562 If a switch has no controller configured, or if the configured
563 controller is disconnected, no traffic is sent, so monitoring
564 will not show any traffic.
565
566 monitor switch [miss-len] [invalid_ttl] [watch:[spec...]]
567 Connects to switch and prints to the console all OpenFlow mes‐
568 sages received. Usually, switch should specify the name of a
569 bridge in the ovs-vswitchd database. This is available only in
570 OpenFlow 1.0 as Nicira extension.
571
572 If miss-len is provided, ovs-ofctl sends an OpenFlow ``set con‐
573 figuration'' message at connection setup time that requests
574 miss-len bytes of each packet that misses the flow table. Open
575 vSwitch does not send these and other asynchronous messages to
576 an ovs-ofctl monitor client connection unless a nonzero value is
577 specified on this argument. (Thus, if miss-len is not speci‐
578 fied, very little traffic will ordinarily be printed.)
579
580 If invalid_ttl is passed, ovs-ofctl sends an OpenFlow ``set con‐
581 figuration'' message at connection setup time that requests
582 INVALID_TTL_TO_CONTROLLER, so that ovs-ofctl monitor can receive
583 ``packet-in'' messages when TTL reaches zero on dec_ttl action.
584 Only OpenFlow 1.1 and 1.2 support invalid_ttl; Open vSwitch also
585 implements it for OpenFlow 1.0 as an extension.
586
587 watch:[spec...] causes ovs-ofctl to send a ``monitor request''
588 Nicira extension message to the switch at connection setup time.
589 This message causes the switch to send information about flow
590 table changes as they occur. The following comma-separated spec
591 syntax is available:
592
593 !initial
594 Do not report the switch's initial flow table contents.
595
596 !add Do not report newly added flows.
597
598 !delete
599 Do not report deleted flows.
600
601 !modify
602 Do not report modifications to existing flows.
603
604 !own Abbreviate changes made to the flow table by ovs-ofctl's
605 own connection to the switch. (These could only occur
606 using the ofctl/send command described below under RUN‐
607 TIME MANAGEMENT COMMANDS.)
608
609 !actions
610 Do not report actions as part of flow updates.
611
612 table=table
613 Limits the monitoring to the table with the given table,
614 which may be expressed as a number between 0 and 254 or
615 (unless --no-names is specified) a name. By default, all
616 tables are monitored.
617
618 out_port=port
619 If set, only flows that output to port are monitored.
620 The port may be an OpenFlow port number or keyword (e.g.
621 LOCAL).
622
623 field=value
624 Monitors only flows that have field specified as the
625 given value. Any syntax valid for matching on dump-flows
626 may be used.
627
628 This command may be useful for debugging switch or controller
629 implementations. With watch:, it is particularly useful for
630 observing how a controller updates flow tables.
631
632 OpenFlow Switch and Controller Commands
633 The following commands, like those in the previous section, may be
634 applied to OpenFlow switches, using any of the connection methods
635 described in that section. Unlike those commands, these may also be
636 applied to OpenFlow controllers.
637
638 probe target
639 Sends a single OpenFlow echo-request message to target and waits
640 for the response. With the -t or --timeout option, this command
641 can test whether an OpenFlow switch or controller is up and run‐
642 ning.
643
644 ping target [n]
645 Sends a series of 10 echo request packets to target and times
646 each reply. The echo request packets consist of an OpenFlow
647 header plus n bytes (default: 64) of randomly generated payload.
648 This measures the latency of individual requests.
649
650 benchmark target n count
651 Sends count echo request packets that each consist of an Open‐
652 Flow header plus n bytes of payload and waits for each response.
653 Reports the total time required. This is a measure of the maxi‐
654 mum bandwidth to target for round-trips of n-byte messages.
655
656 Other Commands
657 ofp-parse file
658 Reads file (or stdin if file is -) as a series of OpenFlow mes‐
659 sages in the binary format used on an OpenFlow connection, and
660 prints them to the console. This can be useful for printing
661 OpenFlow messages captured from a TCP stream.
662
663 ofp-parse-pcap file [port...]
664 Reads file, which must be in the PCAP format used by network
665 capture tools such as tcpdump or wireshark, extracts all the TCP
666 streams for OpenFlow connections, and prints the OpenFlow mes‐
667 sages in those connections in human-readable format on stdout.
668
669 OpenFlow connections are distinguished by TCP port number. Non-
670 OpenFlow packets are ignored. By default, data on TCP ports
671 6633 and 6653 are considered to be OpenFlow. Specify one or
672 more port arguments to override the default.
673
674 This command cannot usefully print SSL encrypted traffic. It
675 does not understand IPv6.
676
677 Flow Syntax
678 Some ovs-ofctl commands accept an argument that describes a flow or
679 flows. Such flow descriptions comprise a series of field=value assign‐
680 ments, separated by commas or white space. (Embedding spaces into a
681 flow description normally requires quoting to prevent the shell from
682 breaking the description into multiple arguments.)
683
684 Flow descriptions should be in normal form. This means that a flow may
685 only specify a value for an L3 field if it also specifies a particular
686 L2 protocol, and that a flow may only specify an L4 field if it also
687 specifies particular L2 and L3 protocol types. For example, if the L2
688 protocol type dl_type is wildcarded, then L3 fields nw_src, nw_dst, and
689 nw_proto must also be wildcarded. Similarly, if dl_type or nw_proto
690 (the L3 protocol type) is wildcarded, so must be the L4 fields tcp_dst
691 and tcp_src. ovs-ofctl will warn about flows not in normal form.
692
693 ovs-fields(7) describes the supported fields and how to match them. In
694 addition to match fields, commands that operate on flows accept a few
695 additional key-value pairs:
696
697 table=table
698 For flow dump commands, limits the flows dumped to those in ta‐
699 ble, which may be expressed as a number between 0 and 255 or
700 (unless --no-names is specified) a name. If not specified (or
701 if 255 is specified as table), then flows in all tables are
702 dumped.
703
704 For flow table modification commands, behavior varies based on
705 the OpenFlow version used to connect to the switch:
706
707 OpenFlow 1.0
708 OpenFlow 1.0 does not support table for modifying flows.
709 ovs-ofctl will exit with an error if table (other than
710 table=255) is specified for a switch that only supports
711 OpenFlow 1.0.
712
713 In OpenFlow 1.0, the switch chooses the table into which
714 to insert a new flow. The Open vSwitch software switch
715 always chooses table 0. Other Open vSwitch datapaths and
716 other OpenFlow implementations may choose different
717 tables.
718
719 The OpenFlow 1.0 behavior in Open vSwitch for modifying
720 or removing flows depends on whether --strict is used.
721 Without --strict, the command applies to matching flows
722 in all tables. With --strict, the command will operate
723 on any single matching flow in any table; it will do
724 nothing if there are matches in more than one table.
725 (The distinction between these behaviors only matters if
726 non-OpenFlow 1.0 commands were also used, because Open‐
727 Flow 1.0 alone cannot add flows with the same matching
728 criteria to multiple tables.)
729
730 OpenFlow 1.0 with table_id extension
731 Open vSwitch implements an OpenFlow extension that allows
732 the controller to specify the table on which to operate.
733 ovs-ofctl automatically enables the extension when table
734 is specified and OpenFlow 1.0 is used. ovs-ofctl auto‐
735 matically detects whether the switch supports the exten‐
736 sion. As of this writing, this extension is only known
737 to be implemented by Open vSwitch.
738
739 With this extension, ovs-ofctl operates on the requested
740 table when table is specified, and acts as described for
741 OpenFlow 1.0 above when no table is specified (or for ta‐
742 ble=255).
743
744 OpenFlow 1.1
745 OpenFlow 1.1 requires flow table modification commands to
746 specify a table. When table is not specified (or ta‐
747 ble=255 is specified), ovs-ofctl defaults to table 0.
748
749 OpenFlow 1.2 and later
750 OpenFlow 1.2 and later allow flow deletion commands, but
751 not other flow table modification commands, to operate on
752 all flow tables, with the behavior described above for
753 OpenFlow 1.0.
754
755 duration=...
756 n_packet=...
757 n_bytes=...
758 ovs-ofctl ignores assignments to these ``fields'' to allow out‐
759 put from the dump-flows command to be used as input for other
760 commands that parse flows.
761
762 The add-flow, add-flows, and mod-flows commands require an additional
763 field, which must be the final field specified:
764
765 actions=[action][,action...]
766 Specifies a comma-separated list of actions to take on a packet
767 when the flow entry matches. If no action is specified, then
768 packets matching the flow are dropped. See ovs-actions(7) for
769 details on the syntax and semantics of actions. K
770
771 An opaque identifier called a cookie can be used as a handle to iden‐
772 tify a set of flows:
773
774 cookie=value
775 A cookie can be associated with a flow using the add-flow,
776 add-flows, and mod-flows commands. value can be any 64-bit num‐
777 ber and need not be unique among flows. If this field is omit‐
778 ted, a default cookie value of 0 is used.
779
780 cookie=value/mask
781 When using NXM, the cookie can be used as a handle for querying,
782 modifying, and deleting flows. value and mask may be supplied
783 for the del-flows, mod-flows, dump-flows, and dump-aggregate
784 commands to limit matching cookies. A 1-bit in mask indicates
785 that the corresponding bit in cookie must match exactly, and a
786 0-bit wildcards that bit. A mask of -1 may be used to exactly
787 match a cookie.
788
789 The mod-flows command can update the cookies of flows that match
790 a cookie by specifying the cookie field twice (once with a mask
791 for matching and once without to indicate the new value):
792
793 ovs-ofctl mod-flows br0 cookie=1,actions=normal
794 Change all flows' cookies to 1 and change their actions
795 to normal.
796
797 ovs-ofctl mod-flows br0 cookie=1/-1,cookie=2,actions=normal
798 Update cookies with a value of 1 to 2 and change their
799 actions to normal.
800
801 The ability to match on cookies was added in Open vSwitch 1.5.0.
802
803 The following additional field sets the priority for flows added by the
804 add-flow and add-flows commands. For mod-flows and del-flows when
805 --strict is specified, priority must match along with the rest of the
806 flow specification. For mod-flows without --strict, priority is only
807 significant if the command creates a new flow, that is, non-strict
808 mod-flows does not match on priority and will not change the priority
809 of existing flows. Other commands do not allow priority to be speci‐
810 fied.
811
812 priority=value
813 The priority at which a wildcarded entry will match in compari‐
814 son to others. value is a number between 0 and 65535, inclu‐
815 sive. A higher value will match before a lower one. An exact-
816 match entry will always have priority over an entry containing
817 wildcards, so it has an implicit priority value of 65535. When
818 adding a flow, if the field is not specified, the flow's prior‐
819 ity will default to 32768.
820
821 OpenFlow leaves behavior undefined when two or more flows with
822 the same priority can match a single packet. Some users expect
823 ``sensible'' behavior, such as more specific flows taking prece‐
824 dence over less specific flows, but OpenFlow does not specify
825 this and Open vSwitch does not implement it. Users should
826 therefore take care to use priorities to ensure the behavior
827 that they expect.
828
829 The add-flow, add-flows, and mod-flows commands support the following
830 additional options. These options affect only new flows. Thus, for
831 add-flow and add-flows, these options are always significant, but for
832 mod-flows they are significant only if the command creates a new flow,
833 that is, their values do not update or affect existing flows.
834
835 idle_timeout=seconds
836 Causes the flow to expire after the given number of seconds of
837 inactivity. A value of 0 (the default) prevents a flow from
838 expiring due to inactivity.
839
840 hard_timeout=seconds
841 Causes the flow to expire after the given number of seconds,
842 regardless of activity. A value of 0 (the default) gives the
843 flow no hard expiration deadline.
844
845 importance=value
846 Sets the importance of a flow. The flow entry eviction mecha‐
847 nism can use importance as a factor in deciding which flow to
848 evict. A value of 0 (the default) makes the flow non-evictable
849 on the basis of importance. Specify a value between 0 and
850 65535.
851
852 Only OpenFlow 1.4 and later support importance.
853
854 send_flow_rem
855 Marks the flow with a flag that causes the switch to generate a
856 ``flow removed'' message and send it to interested controllers
857 when the flow later expires or is removed.
858
859 check_overlap
860 Forces the switch to check that the flow match does not overlap
861 that of any different flow with the same priority in the same
862 table. (This check is expensive so it is best to avoid it.)
863
864 reset_counts
865 When this flag is specified on a flow being added to a switch,
866 and the switch already has a flow with an identical match, an
867 OpenFlow 1.2 (or later) switch resets the flow's packet and byte
868 counters to 0. Without the flag, the packet and byte counters
869 are preserved.
870
871 OpenFlow 1.0 and 1.1 switches always reset counters in this sit‐
872 uation, as if reset_counts were always specified.
873
874 Open vSwitch 1.10 added support for reset_counts.
875
876 no_packet_counts
877 no_byte_counts
878 Adding these flags to a flow advises an OpenFlow 1.3 (or later)
879 switch that the controller does not need packet or byte coun‐
880 ters, respectively, for the flow. Some switch implementations
881 might achieve higher performance or reduce resource consumption
882 when these flags are used. These flags provide no benefit to
883 the Open vSwitch software switch implementation.
884
885 OpenFlow 1.2 and earlier do not support these flags.
886
887 Open vSwitch 1.10 added support for no_packet_counts and
888 no_byte_counts.
889
890 The dump-flows, dump-aggregate, del-flow and del-flows commands support
891 these additional optional fields:
892
893 out_port=port
894 If set, a matching flow must include an output action to port,
895 which must be an OpenFlow port number or name (e.g. local).
896
897 out_group=group
898 If set, a matching flow must include an group action naming
899 group, which must be an OpenFlow group number. This field is
900 supported in Open vSwitch 2.5 and later and requires OpenFlow
901 1.1 or later.
902
903 Table Entry Output
904 The dump-tables and dump-aggregate commands print information about the
905 entries in a datapath's tables. Each line of output is a flow entry as
906 described in Flow Syntax, above, plus some additional fields:
907
908 duration=secs
909 The time, in seconds, that the entry has been in the table.
910 secs includes as much precision as the switch provides, possibly
911 to nanosecond resolution.
912
913 n_packets
914 The number of packets that have matched the entry.
915
916 n_bytes
917 The total number of bytes from packets that have matched the
918 entry.
919
920 The following additional fields are included only if the switch is Open
921 vSwitch 1.6 or later and the NXM flow format is used to dump the flow
922 (see the description of the --flow-format option below). The values of
923 these additional fields are approximations only and in particular
924 idle_age will sometimes become nonzero even for busy flows.
925
926 hard_age=secs
927 The integer number of seconds since the flow was added or modi‐
928 fied. hard_age is displayed only if it differs from the integer
929 part of duration. (This is separate from duration because
930 mod-flows restarts the hard_timeout timer without zeroing dura‐
931 tion.)
932
933 idle_age=secs
934 The integer number of seconds that have passed without any pack‐
935 ets passing through the flow.
936
937 Packet-Out Syntax
938 ovs-ofctl bundle command accepts packet-outs to be specified in the
939 bundle file. Each packet-out comprises of a series of field=value
940 assignments, separated by commas or white space. (Embedding spaces
941 into a packet-out description normally requires quoting to prevent the
942 shell from breaking the description into multiple arguments.). Unless
943 noted otherwise only the last instance of each field is honoured. This
944 same syntax is also supported by the ovs-ofctl packet-out command.
945
946 in_port=port
947 The port number to be considered the in_port when processing
948 actions. This can be any valid OpenFlow port number, or any of
949 the LOCAL, CONTROLLER, or NONE. This field is required.
950
951
952 pipeline_field=value
953 Optionally, user can specify a list of pipeline fields for a
954 packet-out message. The supported pipeline fields includes tun‐
955 nel fields and register fields as defined in ovs-fields(7).
956
957
958 packet=hex-string
959 The actual packet to send, expressed as a string of hexadecimal
960 bytes. This field is required.
961
962
963 actions=[action][,action...]
964 The syntax of actions are identical to the actions= field
965 described in Flow Syntax above. Specifying actions= is
966 optional, but omitting actions is interpreted as a drop, so the
967 packet will not be sent anywhere from the switch. actions must
968 be specified at the end of each line, like for flow mods.
969
970 Group Syntax
971 Some ovs-ofctl commands accept an argument that describes a group or
972 groups. Such flow descriptions comprise a series field=value assign‐
973 ments, separated by commas or white space. (Embedding spaces into a
974 group description normally requires quoting to prevent the shell from
975 breaking the description into multiple arguments.). Unless noted other‐
976 wise only the last instance of each field is honoured.
977
978 group_id=id
979 The integer group id of group. When this field is specified in
980 del-groups or dump-groups, the keyword "all" may be used to des‐
981 ignate all groups. This field is required.
982
983
984
985 type=type
986 The type of the group. The add-group, add-groups and mod-groups
987 commands require this field. It is prohibited for other com‐
988 mands. The following keywords designated the allowed types:
989
990 all Execute all buckets in the group.
991
992 select Execute one bucket in the group, balancing across the
993 buckets according to their weights. To select a bucket,
994 for each live bucket, Open vSwitch hashes flow data with
995 the bucket ID and multiplies by the bucket weight to
996 obtain a ``score,'' and then selects the bucket with the
997 highest score. Use selection_method to control the flow
998 data used for selection.
999
1000 indirect
1001 Executes the one bucket in the group.
1002
1003 ff
1004 fast_failover
1005 Executes the first live bucket in the group which is
1006 associated with a live port or group.
1007
1008
1009 command_bucket_id=id
1010 The bucket to operate on. The insert-buckets and remove-buckets
1011 commands require this field. It is prohibited for other com‐
1012 mands. id may be an integer or one of the following keywords:
1013
1014 all Operate on all buckets in the group. Only valid when
1015 used with the remove-buckets command in which case the
1016 effect is to remove all buckets from the group.
1017
1018 first Operate on the first bucket present in the group. In the
1019 case of the insert-buckets command the effect is to
1020 insert new bucets just before the first bucket already
1021 present in the group; or to replace the buckets of the
1022 group if there are no buckets already present in the
1023 group. In the case of the remove-buckets command the
1024 effect is to remove the first bucket of the group; or do
1025 nothing if there are no buckets present in the group.
1026
1027 last Operate on the last bucket present in the group. In the
1028 case of the insert-buckets command the effect is to
1029 insert new bucets just after the last bucket already
1030 present in the group; or to replace the buckets of the
1031 group if there are no buckets already present in the
1032 group. In the case of the remove-buckets command the
1033 effect is to remove the last bucket of the group; or do
1034 nothing if there are no buckets present in the group.
1035
1036 If id is an integer then it should correspond to the bucket_id
1037 of a bucket present in the group. In case of the insert-buckets
1038 command the effect is to insert buckets just before the bucket
1039 in the group whose bucket_id is id. In case of the iremove-
1040 buckets command the effect is to remove the in the group whose
1041 bucket_id is id. It is an error if there is no bucket persent
1042 group in whose bucket_id is id.
1043
1044
1045 selection_method=method
1046 The selection method used to select a bucket for a select group.
1047 This is a string of 1 to 15 bytes in length known to lower lay‐
1048 ers. This field is optional for add-group, add-groups and
1049 mod-group commands on groups of type select. Prohibited other‐
1050 wise. If no selection method is specified, Open vSwitch up to
1051 release 2.9 applies the hash method with default fields. From
1052 2.10 onwards Open vSwitch defaults to the dp_hash method with
1053 symmetric L3/L4 hash algorithm, unless the weighted group buck‐
1054 ets cannot be mapped to a maximum of 64 dp_hash values with suf‐
1055 ficient accuracy. In those rare cases Open vSwitch 2.10 and
1056 later fall back to the hash method with the default set of hash
1057 fields.
1058
1059 dp_hash
1060 Use a datapath computed hash value. The hash algorithm
1061 varies accross different datapath implementations.
1062 dp_hash uses the upper 32 bits of the selec‐
1063 tion_method_param as the datapath hash algorithm selec‐
1064 tor. The supported values are 0 (corresponding to hash
1065 computation over the IP 5-tuple) and 1 (corresponding to
1066 a symmetric hash computation over the IP 5-tuple).
1067 Selecting specific fields with the fields option is not
1068 supported with dp_hash). The lower 32 bits are used as
1069 the hash basis.
1070
1071 Using dp_hash has the advantage that it does not require
1072 the generated datapath flows to exact match any addi‐
1073 tional packet header fields. For example, even if multi‐
1074 ple TCP connections thus hashed to different select group
1075 buckets have different source port numbers, generally all
1076 of them would be handled with a small set of already
1077 established datapath flows, resulting in less latency for
1078 TCP SYN packets. The downside is that the shared data‐
1079 path flows must match each packet twice, as the datapath
1080 hash value calculation happens only when needed, and a
1081 second match is required to match some bits of its value.
1082 This double-matching incurs a small additional latency
1083 cost for each packet, but this latency is orders of mag‐
1084 nitude less than the latency of creating new datapath
1085 flows for new TCP connections.
1086
1087 hash Use a hash computed over the fields specified with the
1088 fields option, see below. If no hash fields are speci‐
1089 fied, hash defaults to a symmetric hash over the combina‐
1090 tion of MAC addresses, VLAN tags, Ether type, IP
1091 addresses and L4 port numbers. hash uses the selec‐
1092 tion_method_param as the hash basis.
1093
1094 Note that the hashed fields become exact matched by the
1095 datapath flows. For example, if the TCP source port is
1096 hashed, the created datapath flows will match the spe‐
1097 cific TCP source port value present in the packet
1098 received. Since each TCP connection generally has a dif‐
1099 ferent source port value, a separate datapath flow will
1100 be need to be inserted for each TCP connection thus
1101 hashed to a select group bucket.
1102
1103 This option uses a Netronome OpenFlow extension which is only
1104 supported when using Open vSwitch 2.4 and later with OpenFlow
1105 1.5 and later.
1106
1107
1108 selection_method_param=param
1109 64-bit integer parameter to the selection method selected by the
1110 selection_method field. The parameter's use is defined by the
1111 lower-layer that implements the selection_method. It is
1112 optional if the selection_method field is specified as a non-
1113 empty string. Prohibited otherwise. The default value is zero.
1114
1115 This option uses a Netronome OpenFlow extension which is only
1116 supported when using Open vSwitch 2.4 and later with OpenFlow
1117 1.5 and later.
1118
1119
1120 fields=field
1121 fields(field[=mask]...)
1122 The field parameters to selection method selected by the selec‐
1123 tion_method field. The syntax is described in Flow Syntax with
1124 the additional restrictions that if a value is provided it is
1125 treated as a wildcard mask and wildcard masks following a slash
1126 are prohibited. The pre-requisites of fields must be provided by
1127 any flows that output to the group. The use of the fields is
1128 defined by the lower-layer that implements the selection_method.
1129 They are optional if the selection_method field is specified as
1130 ``hash', prohibited otherwise. The default is no fields.
1131
1132 This option will use a Netronome OpenFlow extension which is
1133 only supported when using Open vSwitch 2.4 and later with Open‐
1134 Flow 1.5 and later.
1135
1136
1137 bucket=bucket_parameters
1138 The add-group, add-groups and mod-group commands require at
1139 least one bucket field. Bucket fields must appear after all
1140 other fields. Multiple bucket fields to specify multiple buck‐
1141 ets. The order in which buckets are specified corresponds to
1142 their order in the group. If the type of the group is "indirect"
1143 then only one group may be specified. bucket_parameters con‐
1144 sists of a list of field=value assignments, separated by commas
1145 or white space followed by a comma-separated list of actions.
1146 The fields for bucket_parameters are:
1147
1148 bucket_id=id
1149 The 32-bit integer group id of the bucket. Values
1150 greater than 0xffffff00 are reserved. This field was
1151 added in Open vSwitch 2.4 to conform with the OpenFlow
1152 1.5 specification. It is not supported when earlier ver‐
1153 sions of OpenFlow are used. Open vSwitch will automati‐
1154 cally allocate bucket ids when they are not specified.
1155
1156 actions=[action][,action...]
1157 The syntax of actions are identical to the actions= field
1158 described in Flow Syntax above. Specifying actions= is
1159 optional, any unknown bucket parameter will be inter‐
1160 preted as an action.
1161
1162 weight=value
1163 The relative weight of the bucket as an integer. This may
1164 be used by the switch during bucket select for groups
1165 whose type is select.
1166
1167 watch_port=port
1168 Port used to determine liveness of group. This or the
1169 watch_group field is required for groups whose type is ff
1170 or fast_failover. This or the watch_group field can also
1171 be used for groups whose type is select.
1172
1173 watch_group=group_id
1174 Group identifier of group used to determine liveness of
1175 group. This or the watch_port field is required for
1176 groups whose type is ff or fast_failover. This or the
1177 watch_port field can also be used for groups whose type
1178 is select.
1179
1180 Meter Syntax
1181 The meter table commands accept an argument that describes a meter.
1182 Such meter descriptions comprise a series field=value assignments, sep‐
1183 arated by commas or white space. (Embedding spaces into a group
1184 description normally requires quoting to prevent the shell from break‐
1185 ing the description into multiple arguments.). Unless noted otherwise
1186 only the last instance of each field is honoured.
1187
1188 meter=id
1189 The identifier for the meter. An integer is used to specify a
1190 user-defined meter. In addition, the keywords "all", "con‐
1191 troller", and "slowpath", are also supported as virtual meters.
1192 The "controller" and "slowpath" virtual meters apply to packets
1193 sent to the controller and to the OVS userspace, respectively.
1194
1195 When this field is specified in del-meter, dump-meter, or meter-
1196 stats, the keyword "all" may be used to designate all meters.
1197 This field is required, except for meter-stats, which dumps all
1198 stats when this field is not specified.
1199
1200 kbps
1201 pktps The unit for the rate and burst_size band parameters. kbps
1202 specifies kilobits per second, and pktps specifies packets per
1203 second. A unit is required for the add-meter and mod-meter com‐
1204 mands.
1205
1206
1207 burst If set, enables burst support for meter bands through the
1208 burst_size parameter.
1209
1210
1211 stats If set, enables the collection of meter and band statistics.
1212
1213
1214 bands=band_parameters
1215 The add-meter and mod-meter commands require at least one band
1216 specification. Bands must appear after all other fields.
1217
1218 type=type
1219 The type of the meter band. This keyword starts a new
1220 band specification. Each band specifies a rate above
1221 which the band is to take some action. The action depends
1222 on the band type. If multiple bands' rate is exceeded,
1223 then the band with the highest rate among the exceeded
1224 bands is selected. The following keywords designate the
1225 allowed meter band types:
1226
1227 drop Drop packets exceeding the band's rate limit.
1228
1229 The other band_parameters are:
1230
1231 rate=value
1232 The relative rate limit for this band, in kilobits per
1233 second or packets per second, depending on whether kbps
1234 or pktps was specified.
1235
1236 burst_size=size
1237 If burst is specified for the meter entry, configures the
1238 maximum burst allowed for the band in kilobits or pack‐
1239 ets, depending on whether kbps or pktps was specified.
1240 If unspecified, the switch is free to select some reason‐
1241 able value depending on its configuration.
1242
1244 --strict
1245 Uses strict matching when running flow modification commands.
1246
1247 --names
1248 --no-names
1249 Every OpenFlow port has a name and a number, and every OpenFlow
1250 flow table has a number and sometimes a name. By default,
1251 ovs-ofctl commands accept both port and table names and numbers,
1252 and they display port and table names if ovs-ofctl is running on
1253 an interactive console, numbers otherwise. With --names,
1254 ovs-ofctl commands both accept and display port and table names;
1255 with --no-names, commands neither accept nor display port and
1256 table names.
1257
1258 If a port or table name contains special characters or might be
1259 confused with a keyword within a flow, it may be enclosed in
1260 double quotes (escaped from the shell). If necessary, JSON-
1261 style escape sequences may be used inside quotes, as specified
1262 in RFC 7159. When it displays port and table names, ovs-ofctl
1263 quotes any name that does not start with a letter followed by
1264 letters or digits.
1265
1266 Open vSwitch added support for port names and these options.
1267 Open vSwitch 2.10 added support for table names. Earlier ver‐
1268 sions always behaved as if --no-names were specified.
1269
1270 Open vSwitch does not place its own limit on the length of port
1271 names, but OpenFlow limits port names to 15 bytes. Because
1272 ovs-ofctl uses OpenFlow to retrieve the mapping between port
1273 names and numbers, names longer than this limit will be trun‐
1274 cated for both display and acceptance. Truncation can also
1275 cause long names that are different to appear to be the same;
1276 when a switch has two ports with the same (truncated) name,
1277 ovs-ofctl refuses to display or accept the name, using the num‐
1278 ber instead.
1279
1280 OpenFlow and Open vSwitch limit table names to 32 bytes.
1281
1282 --stats
1283 --no-stats
1284 The dump-flows command by default, or with --stats, includes
1285 flow duration, packet and byte counts, and idle and hard age in
1286 its output. With --no-stats, it omits all of these, as well as
1287 cookie values and table IDs if they are zero.
1288
1289 --read-only
1290 Do not execute read/write commands.
1291
1292 --bundle
1293 Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
1294
1295 · Within a bundle, all flow mods are processed in the order
1296 they appear and as a single atomic transaction, meaning
1297 that if one of them fails, the whole transaction fails
1298 and none of the changes are made to the switch's flow ta‐
1299 ble, and that each given datapath packet traversing the
1300 OpenFlow tables sees the flow tables either as before the
1301 transaction, or after all the flow mods in the bundle
1302 have been successfully applied.
1303
1304 · The beginning and the end of the flow table modification
1305 commands in a bundle are delimited with OpenFlow 1.4 bun‐
1306 dle control messages, which makes it possible to stream
1307 the included commands without explicit OpenFlow barriers,
1308 which are otherwise used after each flow table modifica‐
1309 tion command. This may make large modifications execute
1310 faster as a bundle.
1311
1312 · Bundles require OpenFlow 1.4 or higher. An explicit -O
1313 OpenFlow14 option is not needed, but you may need to
1314 enable OpenFlow 1.4 support for OVS by setting the OVSDB
1315 protocols column in the bridge table.
1316
1317 -O [version[,version]...]
1318 --protocols=[version[,version]...]
1319 Sets the OpenFlow protocol versions that are allowed when estab‐
1320 lishing an OpenFlow session.
1321
1322 These protocol versions are enabled by default:
1323
1324 · OpenFlow10, for OpenFlow 1.0.
1325 The following protocol versions are generally supported, but for com‐
1326 patibility with older versions of Open vSwitch they are not enabled by
1327 default:
1328
1329 · OpenFlow11, for OpenFlow 1.1.
1330
1331 · OpenFlow12, for OpenFlow 1.2.
1332
1333 · OpenFlow13, for OpenFlow 1.3.
1334
1335 · OpenFlow14, for OpenFlow 1.4.
1336
1337 · OpenFlow15, for OpenFlow 1.5.
1338
1339 -F format[,format...]
1340 --flow-format=format[,format...]
1341 ovs-ofctl supports the following individual flow formats, any
1342 number of which may be listed as format:
1343
1344 OpenFlow10-table_id
1345 This is the standard OpenFlow 1.0 flow format. All Open‐
1346 Flow switches and all versions of Open vSwitch support
1347 this flow format.
1348
1349 OpenFlow10+table_id
1350 This is the standard OpenFlow 1.0 flow format plus a
1351 Nicira extension that allows ovs-ofctl to specify the
1352 flow table in which a particular flow should be placed.
1353 Open vSwitch 1.2 and later supports this flow format.
1354
1355 NXM-table_id (Nicira Extended Match)
1356 This Nicira extension to OpenFlow is flexible and exten‐
1357 sible. It supports all of the Nicira flow extensions,
1358 such as tun_id and registers. Open vSwitch 1.1 and later
1359 supports this flow format.
1360
1361 NXM+table_id (Nicira Extended Match)
1362 This combines Nicira Extended match with the ability to
1363 place a flow in a specific table. Open vSwitch 1.2 and
1364 later supports this flow format.
1365
1366 OXM-OpenFlow12
1367 OXM-OpenFlow13
1368 OXM-OpenFlow14
1369 OXM-OpenFlow15
1370 These are the standard OXM (OpenFlow Extensible Match)
1371 flow format in OpenFlow 1.2 and later.
1372
1373 ovs-ofctl also supports the following abbreviations for collec‐
1374 tions of flow formats:
1375
1376 any Any supported flow format.
1377
1378 OpenFlow10
1379 OpenFlow10-table_id or OpenFlow10+table_id.
1380
1381 NXM NXM-table_id or NXM+table_id.
1382
1383 OXM OXM-OpenFlow12, OXM-OpenFlow13, or OXM-OpenFlow14.
1384
1385 For commands that modify the flow table, ovs-ofctl by default
1386 negotiates the most widely supported flow format that supports
1387 the flows being added. For commands that query the flow table,
1388 ovs-ofctl by default uses the most advanced format supported by
1389 the switch.
1390
1391 This option, where format is a comma-separated list of one or
1392 more of the formats listed above, limits ovs-ofctl's choice of
1393 flow format. If a command cannot work as requested using one of
1394 the specified flow formats, ovs-ofctl will report a fatal error.
1395
1396 -P format
1397 --packet-in-format=format
1398 ovs-ofctl supports the following ``packet-in'' formats, in order
1399 of increasing capability:
1400
1401 standard
1402 This uses the OFPT_PACKET_IN message, the standard
1403 ``packet-in'' message for any given OpenFlow version.
1404 Every OpenFlow switch that supports a given OpenFlow ver‐
1405 sion supports this format.
1406
1407 nxt_packet_in
1408 This uses the NXT_PACKET_IN message, which adds many of
1409 the capabilities of the OpenFlow 1.1 and later ``packet-
1410 in'' messages before those OpenFlow versions were avail‐
1411 able in Open vSwitch. Open vSwitch 1.1 and later support
1412 this format. Only Open vSwitch 2.6 and later, however,
1413 support it for OpenFlow 1.1 and later (but there is lit‐
1414 tle reason to use it with those versions of OpenFlow).
1415
1416 nxt_packet_in2
1417 This uses the NXT_PACKET_IN2 message, which is extensible
1418 and should avoid the need to define new formats later.
1419 In particular, this format supports passing arbitrary
1420 user-provided data to a controller using the userdata
1421 option on the controller action. Open vSwitch 2.6 and
1422 later support this format.
1423
1424 Without this option, ovs-ofctl prefers nxt_packet_in2 if the
1425 switch supports it. Otherwise, if OpenFlow 1.0 is in use,
1426 ovs-ofctl prefers nxt_packet_in if the switch supports it. Oth‐
1427 erwise, ovs-ofctl falls back to the standard packet-in format.
1428 When this option is specified, ovs-ofctl insists on the selected
1429 format. If the switch does not support the requested format,
1430 ovs-ofctl will report a fatal error.
1431
1432 Before version 2.6, Open vSwitch called standard format open‐
1433 flow10 and nxt_packet_in format nxm, and ovs-ofctl still accepts
1434 these names as synonyms. (The name openflow10 was a misnomer
1435 because this format actually varies from one OpenFlow version to
1436 another; it is not consistently OpenFlow 1.0 format. Similarly,
1437 when nxt_packet_in2 was introduced, the name nxm became confus‐
1438 ing because it also uses OXM/NXM.)
1439
1440 This option affects only the monitor command.
1441
1442 --timestamp
1443 Print a timestamp before each received packet. This option only
1444 affects the monitor, snoop, and ofp-parse-pcap commands.
1445
1446 -m
1447 --more Increases the verbosity of OpenFlow messages printed and logged
1448 by ovs-ofctl commands. Specify this option more than once to
1449 increase verbosity further.
1450
1451 --sort[=field]
1452 --rsort[=field]
1453 Display output sorted by flow field in ascending (--sort) or
1454 descending (--rsort) order, where field is any of the fields
1455 that are allowed for matching or priority to sort by priority.
1456 When field is omitted, the output is sorted by priority. Spec‐
1457 ify these options multiple times to sort by multiple fields.
1458
1459 Any given flow will not necessarily specify a value for a given
1460 field. This requires special treatement:
1461
1462 · A flow that does not specify any part of a field that is
1463 used for sorting is sorted after all the flows that do
1464 specify the field. For example, --sort=tcp_src will sort
1465 all the flows that specify a TCP source port in ascending
1466 order, followed by the flows that do not specify a TCP
1467 source port at all.
1468
1469 · A flow that only specifies some bits in a field is sorted
1470 as if the wildcarded bits were zero. For example,
1471 --sort=nw_src would sort a flow that specifies
1472 nw_src=192.168.0.0/24 the same as nw_src=192.168.0.0.
1473
1474 These options currently affect only dump-flows output.
1475
1476 Daemon Options
1477 The following options are valid on POSIX based platforms.
1478
1479 --pidfile[=pidfile]
1480 Causes a file (by default, ovs-ofctl.pid) to be created indicat‐
1481 ing the PID of the running process. If the pidfile argument is
1482 not specified, or if it does not begin with /, then it is cre‐
1483 ated in /var/run/openvswitch.
1484
1485 If --pidfile is not specified, no pidfile is created.
1486
1487 --overwrite-pidfile
1488 By default, when --pidfile is specified and the specified pid‐
1489 file already exists and is locked by a running process,
1490 ovs-ofctl refuses to start. Specify --overwrite-pidfile to
1491 cause it to instead overwrite the pidfile.
1492
1493 When --pidfile is not specified, this option has no effect.
1494
1495 --detach
1496 Runs ovs-ofctl as a background process. The process forks, and
1497 in the child it starts a new session, closes the standard file
1498 descriptors (which has the side effect of disabling logging to
1499 the console), and changes its current directory to the root
1500 (unless --no-chdir is specified). After the child completes its
1501 initialization, the parent exits. ovs-ofctl detaches only when
1502 executing the monitor or snoop commands.
1503
1504 --monitor
1505 Creates an additional process to monitor the ovs-ofctl daemon.
1506 If the daemon dies due to a signal that indicates a programming
1507 error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE,
1508 SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process starts a
1509 new copy of it. If the daemon dies or exits for another reason,
1510 the monitor process exits.
1511
1512 This option is normally used with --detach, but it also func‐
1513 tions without it.
1514
1515 --no-chdir
1516 By default, when --detach is specified, ovs-ofctl changes its
1517 current working directory to the root directory after it
1518 detaches. Otherwise, invoking ovs-ofctl from a carelessly cho‐
1519 sen directory would prevent the administrator from unmounting
1520 the file system that holds that directory.
1521
1522 Specifying --no-chdir suppresses this behavior, preventing
1523 ovs-ofctl from changing its current working directory. This may
1524 be useful for collecting core files, since it is common behavior
1525 to write core dumps into the current working directory and the
1526 root directory is not a good directory to use.
1527
1528 This option has no effect when --detach is not specified.
1529
1530 --no-self-confinement
1531 By default daemon will try to self-confine itself to work with
1532 files under well-known directories determined during build. It
1533 is better to stick with this default behavior and not to use
1534 this flag unless some other Access Control is used to confine
1535 daemon. Note that in contrast to other access control implemen‐
1536 tations that are typically enforced from kernel-space (e.g. DAC
1537 or MAC), self-confinement is imposed from the user-space daemon
1538 itself and hence should not be considered as a full confinement
1539 strategy, but instead should be viewed as an additional layer of
1540 security.
1541
1542 --user Causes ovs-ofctl to run as a different user specified in
1543 "user:group", thus dropping most of the root privileges. Short
1544 forms "user" and ":group" are also allowed, with current user or
1545 group are assumed respectively. Only daemons started by the root
1546 user accepts this argument.
1547
1548 On Linux, daemons will be granted CAP_IPC_LOCK and
1549 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
1550 that interact with a datapath, such as ovs-vswitchd, will be
1551 granted three additional capabilities, namely CAP_NET_ADMIN,
1552 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
1553 apply even if the new user is root.
1554
1555 On Windows, this option is not currently supported. For security
1556 reasons, specifying this option will cause the daemon process
1557 not to start.
1558
1559 --unixctl=socket
1560 Sets the name of the control socket on which ovs-ofctl listens
1561 for runtime management commands (see RUNTIME MANAGEMENT COM‐
1562 MANDS, below). If socket does not begin with /, it is inter‐
1563 preted as relative to /var/run/openvswitch. If --unixctl is not
1564 used at all, the default socket is /var/run/open‐
1565 vswitch/ovs-ofctl.pid.ctl, where pid is ovs-ofctl's process ID.
1566
1567 On Windows a local named pipe is used to listen for runtime man‐
1568 agement commands. A file is created in the absolute path as
1569 pointed by socket or if --unixctl is not used at all, a file is
1570 created as ovs-ofctl.ctl in the configured OVS_RUNDIR directory.
1571 The file exists just to mimic the behavior of a Unix domain
1572 socket.
1573
1574 Specifying none for socket disables the control socket feature.
1575
1576 Public Key Infrastructure Options
1577 -p privkey.pem
1578 --private-key=privkey.pem
1579 Specifies a PEM file containing the private key used as
1580 ovs-ofctl's identity for outgoing SSL connections.
1581
1582 -c cert.pem
1583 --certificate=cert.pem
1584 Specifies a PEM file containing a certificate that certifies the
1585 private key specified on -p or --private-key to be trustworthy.
1586 The certificate must be signed by the certificate authority (CA)
1587 that the peer in SSL connections will use to verify it.
1588
1589 -C cacert.pem
1590 --ca-cert=cacert.pem
1591 Specifies a PEM file containing the CA certificate that
1592 ovs-ofctl should use to verify certificates presented to it by
1593 SSL peers. (This may be the same certificate that SSL peers use
1594 to verify the certificate specified on -c or --certificate, or
1595 it may be a different one, depending on the PKI design in use.)
1596
1597 -C none
1598 --ca-cert=none
1599 Disables verification of certificates presented by SSL peers.
1600 This introduces a security risk, because it means that certifi‐
1601 cates cannot be verified to be those of known trusted hosts.
1602
1603 -v[spec]
1604 --verbose=[spec]
1605 Sets logging levels. Without any spec, sets the log level for
1606 every module and destination to dbg. Otherwise, spec is a list
1607 of words separated by spaces or commas or colons, up to one from
1608 each category below:
1609
1610 · A valid module name, as displayed by the vlog/list com‐
1611 mand on ovs-appctl(8), limits the log level change to the
1612 specified module.
1613
1614 · syslog, console, or file, to limit the log level change
1615 to only to the system log, to the console, or to a file,
1616 respectively. (If --detach is specified, ovs-ofctl
1617 closes its standard file descriptors, so logging to the
1618 console will have no effect.)
1619
1620 On Windows platform, syslog is accepted as a word and is
1621 only useful along with the --syslog-target option (the
1622 word has no effect otherwise).
1623
1624 · off, emer, err, warn, info, or dbg, to control the log
1625 level. Messages of the given severity or higher will be
1626 logged, and messages of lower severity will be filtered
1627 out. off filters out all messages. See ovs-appctl(8)
1628 for a definition of each log level.
1629
1630 Case is not significant within spec.
1631
1632 Regardless of the log levels set for file, logging to a file
1633 will not take place unless --log-file is also specified (see
1634 below).
1635
1636 For compatibility with older versions of OVS, any is accepted as
1637 a word but has no effect.
1638
1639 -v
1640 --verbose
1641 Sets the maximum logging verbosity level, equivalent to --ver‐
1642 bose=dbg.
1643
1644 -vPATTERN:destination:pattern
1645 --verbose=PATTERN:destination:pattern
1646 Sets the log pattern for destination to pattern. Refer to
1647 ovs-appctl(8) for a description of the valid syntax for pattern.
1648
1649 -vFACILITY:facility
1650 --verbose=FACILITY:facility
1651 Sets the RFC5424 facility of the log message. facility can be
1652 one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
1653 clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
1654 local3, local4, local5, local6 or local7. If this option is not
1655 specified, daemon is used as the default for the local system
1656 syslog and local0 is used while sending a message to the target
1657 provided via the --syslog-target option.
1658
1659 --log-file[=file]
1660 Enables logging to a file. If file is specified, then it is
1661 used as the exact name for the log file. The default log file
1662 name used if file is omitted is /var/log/open‐
1663 vswitch/ovs-ofctl.log.
1664
1665 --syslog-target=host:port
1666 Send syslog messages to UDP port on host, in addition to the
1667 system syslog. The host must be a numerical IP address, not a
1668 hostname.
1669
1670 --syslog-method=method
1671 Specify method how syslog messages should be sent to syslog dae‐
1672 mon. Following forms are supported:
1673
1674 · libc, use libc syslog() function. Downside of using this
1675 options is that libc adds fixed prefix to every message
1676 before it is actually sent to the syslog daemon over
1677 /dev/log UNIX domain socket.
1678
1679 · unix:file, use UNIX domain socket directly. It is possi‐
1680 ble to specify arbitrary message format with this option.
1681 However, rsyslogd 8.9 and older versions use hard coded
1682 parser function anyway that limits UNIX domain socket
1683 use. If you want to use arbitrary message format with
1684 older rsyslogd versions, then use UDP socket to localhost
1685 IP address instead.
1686
1687 · udp:ip:port, use UDP socket. With this method it is pos‐
1688 sible to use arbitrary message format also with older
1689 rsyslogd. When sending syslog messages over UDP socket
1690 extra precaution needs to be taken into account, for
1691 example, syslog daemon needs to be configured to listen
1692 on the specified UDP port, accidental iptables rules
1693 could be interfering with local syslog traffic and there
1694 are some security considerations that apply to UDP sock‐
1695 ets, but do not apply to UNIX domain sockets.
1696
1697 · null, discards all messages logged to syslog.
1698
1699 The default is taken from the OVS_SYSLOG_METHOD environment
1700 variable; if it is unset, the default is libc.
1701
1702 --color[=when]
1703 Colorize the output (for some commands); when can be never,
1704 always, or auto (the default).
1705
1706 Only some commands support output coloring. Color names and
1707 default colors may change in future releases.
1708
1709 The environment variable OVS_COLORS can be used to specify user-
1710 defined colors and other attributes used to highlight various
1711 parts of the output. If set, its value is a colon-separated list
1712 of capabilities that defaults to
1713 ac:01;31:dr=34:le=31:pm=36:pr=35:sp=33:vl=32. Supported capabil‐
1714 ities were initially designed for coloring flows from ovs-ofctl
1715 dump-flows switch command, and they are as follows.
1716
1717 ac=01;31
1718 SGR substring for actions= keyword in a flow. The
1719 default is a bold red text foreground.
1720
1721 dr=34 SGR substring for drop keyword. The default is a
1722 dark blue text foreground.
1723
1724 le=31 SGR substring for learn= keyword in a flow. The
1725 default is a red text foreground.
1726
1727 pm=36 SGR substring for flow match attribute names. The
1728 default is a cyan text foreground.
1729
1730 pr=35 SGR substring for keywords in a flow that are fol‐
1731 lowed by arguments inside parenthesis. The
1732 default is a magenta text foreground.
1733
1734 sp=33 SGR substring for some special keywords in a flow,
1735 notably: table=, priority=, load:, output:, move:,
1736 group:, CONTROLLER:, set_field:, resubmit:, exit.
1737 The default is a yellow text foreground.
1738
1739 vl=32 SGR substring for a lone flow match attribute with
1740 no field name. The default is a green text fore‐
1741 ground.
1742
1743 See the Select Graphic Rendition (SGR) section in the documenta‐
1744 tion of the text terminal that is used for permitted values and
1745 their meaning as character attributes.
1746
1747 -h
1748 --help Prints a brief help message to the console.
1749
1750 -V
1751 --version
1752 Prints version information to the console.
1753
1755 ovs-appctl(8) can send commands to a running ovs-ofctl process. The
1756 supported commands are listed below.
1757
1758 exit Causes ovs-ofctl to gracefully terminate. This command applies
1759 only when executing the monitor or snoop commands.
1760
1761 ofctl/set-output-file file
1762 Causes all subsequent output to go to file instead of stderr.
1763 This command applies only when executing the monitor or snoop
1764 commands.
1765
1766 ofctl/send ofmsg...
1767 Sends each ofmsg, specified as a sequence of hex digits that
1768 express an OpenFlow message, on the OpenFlow connection. This
1769 command is useful only when executing the monitor command.
1770
1771 ofctl/packet-out packet-out
1772 Sends an OpenFlow PACKET_OUT message specified in Packet-Out
1773 Syntax, on the OpenFlow connection. See Packet-Out Syntax sec‐
1774 tion for more information. This command is useful only when
1775 executing the monitor command.
1776
1777 ofctl/barrier
1778 Sends an OpenFlow barrier request on the OpenFlow connection and
1779 waits for a reply. This command is useful only for the monitor
1780 command.
1781
1783 The following examples assume that ovs-vswitchd has a bridge named br0
1784 configured.
1785
1786 ovs-ofctl dump-tables br0
1787 Prints out the switch's table stats. (This is more interesting
1788 after some traffic has passed through.)
1789
1790 ovs-ofctl dump-flows br0
1791 Prints the flow entries in the switch.
1792
1793 ovs-ofctl add-flow table=0 actions=learn(table=1,hard_timeout=10,
1794 NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]), resubmit(,1)
1795 ovs-ofctl add-flow table=1 priority=0 actions=flood Implements
1796 a level 2 MAC learning switch using the learn.
1797
1798 ovs-ofctl add-flow br0 'table=0,priority=0
1799 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_time‐
1800 out=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],out‐
1801 put:NXM_NX_REG0[0..15]),output:2
1802 In this use of a learn action, the first packet from each source
1803 MAC will be sent to port 2. Subsequent packets will be output to
1804 port 3, with an idle timeout of 10 seconds. NXM field names and
1805 match field names are both accepted, e.g. NXM_NX_REG0 or reg0
1806 for the first register, and empty brackets may be omitted.
1807
1808 Additional examples may be found documented as part of related
1809 sections.
1810
1812 ovs-fields(7), ovs-actions(7), ovs-appctl(8), ovs-vswitchd(8),
1813 ovs-vswitchd.conf.db(8)
1814
1815
1816
1817Open vSwitch 2.15.0 ovs-ofctl(8)