1ovs-vswitchd(8) Open vSwitch Manual ovs-vswitchd(8)
2
6 ovs-vswitchd - Open vSwitch daemon
7
9 ovs-vswitchd [database]
10
12 A daemon that manages and controls any number of Open vSwitch switches
13 on the local machine.
14 The database argument specifies how ovs-vswitchd connects to
16 ovsdb-server. database may be an OVSDB active or passive connection
17 method, as described in ovsdb(7). The default is unix:/var/run/open‐
18 vswitch/db.sock.
19 ovs-vswitchd retrieves its configuration from database at startup. It
21 sets up Open vSwitch datapaths and then operates switching across each
22 bridge described in its configuration files. As the database changes,
23 ovs-vswitchd automatically updates its configuration to match.
24 ovs-vswitchd switches may be configured with any of the following fea‐
26 tures:
27 · L2 switching with MAC learning.
29 · NIC bonding with automatic fail-over and source MAC-based TX
31 load balancing ("SLB").
32 · 802.1Q VLAN support.
34 · Port mirroring, with optional VLAN tagging.
36 · NetFlow v5 flow logging.
38 · sFlow(R) monitoring.
40 · Connectivity to an external OpenFlow controller, such as NOX.
42 Only a single instance of ovs-vswitchd is intended to run at a time. A
44 single ovs-vswitchd can manage any number of switch instances, up to
45 the maximum number of supported Open vSwitch datapaths.
46 ovs-vswitchd does all the necessary management of Open vSwitch data‐
48 paths itself. Thus, ovs-dpctl(8) (and its userspace datapath counter‐
49 parts accessible via ovs-appctl dpctl/command) are not needed with
50 ovs-vswitchd and should not be used because they can interfere with its
51 operation. These tools are still useful for diagnostics.
52 An Open vSwitch datapath kernel module must be loaded for ovs-vswitchd
54 to be useful. Refer to the documentation for instructions on how to
55 build and load the Open vSwitch kernel module.
56
58 --mlockall
59 Causes ovs-vswitchd to call the mlockall() function, to attempt
60 to lock all of its process memory into physical RAM, preventing
61 the kernel from paging any of its memory to disk. This helps to
62 avoid networking interruptions due to system memory pressure.
63 Some systems do not support mlockall() at all, and other systems
65 only allow privileged users, such as the superuser, to use it.
66 ovs-vswitchd emits a log message if mlockall() is unavailable or
67 unsuccessful.
68 DPDK Options
70 For details on initializing ovs-vswitchd to use DPDK ports, refer to
71 the documentation or ovs-vswitchd.conf.db(5).
72 Daemon Options
74 The following options are valid on POSIX based platforms.
75 --pidfile[=pidfile]
77 Causes a file (by default, ovs-vswitchd.pid) to be created indi‐
78 cating the PID of the running process. If the pidfile argument
79 is not specified, or if it does not begin with /, then it is
80 created in /var/run/openvswitch.
81 If --pidfile is not specified, no pidfile is created.
83 --overwrite-pidfile
85 By default, when --pidfile is specified and the specified pid‐
86 file already exists and is locked by a running process,
87 ovs-vswitchd refuses to start. Specify --overwrite-pidfile to
88 cause it to instead overwrite the pidfile.
89 When --pidfile is not specified, this option has no effect.
91 --detach
93 Runs ovs-vswitchd as a background process. The process forks,
94 and in the child it starts a new session, closes the standard
95 file descriptors (which has the side effect of disabling logging
96 to the console), and changes its current directory to the root
97 (unless --no-chdir is specified). After the child completes its
98 initialization, the parent exits. ovs-vswitchd detaches only
99 after it has connected to the database, retrieved the initial
100 configuration, and set up that configuration.
101 --monitor
103 Creates an additional process to monitor the ovs-vswitchd dae‐
104 mon. If the daemon dies due to a signal that indicates a pro‐
105 gramming error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIG‐
106 PIPE, SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process
107 starts a new copy of it. If the daemon dies or exits for
108 another reason, the monitor process exits.
109 This option is normally used with --detach, but it also func‐
111 tions without it.
112 --no-chdir
114 By default, when --detach is specified, ovs-vswitchd changes its
115 current working directory to the root directory after it
116 detaches. Otherwise, invoking ovs-vswitchd from a carelessly
117 chosen directory would prevent the administrator from unmounting
118 the file system that holds that directory.
119 Specifying --no-chdir suppresses this behavior, preventing
121 ovs-vswitchd from changing its current working directory. This
122 may be useful for collecting core files, since it is common
123 behavior to write core dumps into the current working directory
124 and the root directory is not a good directory to use.
125 This option has no effect when --detach is not specified.
127 --no-self-confinement
129 By default daemon will try to self-confine itself to work with
130 files under well-known directories determined during build. It
131 is better to stick with this default behavior and not to use
132 this flag unless some other Access Control is used to confine
133 daemon. Note that in contrast to other access control implemen‐
134 tations that are typically enforced from kernel-space (e.g. DAC
135 or MAC), self-confinement is imposed from the user-space daemon
136 itself and hence should not be considered as a full confinement
137 strategy, but instead should be viewed as an additional layer of
138 security.
139 --user Causes ovs-vswitchd to run as a different user specified in
141 "user:group", thus dropping most of the root privileges. Short
142 forms "user" and ":group" are also allowed, with current user or
143 group are assumed respectively. Only daemons started by the root
144 user accepts this argument.
145 On Linux, daemons will be granted CAP_IPC_LOCK and
147 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
148 that interact with a datapath, such as ovs-vswitchd, will be
149 granted three additional capabilities, namely CAP_NET_ADMIN,
150 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
151 apply even if the new user is root.
152 On Windows, this option is not currently supported. For security
154 reasons, specifying this option will cause the daemon process
155 not to start.
156 Service Options
158 The following options are valid only on Windows platform.
159 --service
161 Causes ovs-vswitchd to run as a service in the background. The
162 service should already have been created through external tools
163 like SC.exe.
164 --service-monitor
166 Causes the ovs-vswitchd service to be automatically restarted by
167 the Windows services manager if the service dies or exits for
168 unexpected reasons.
169 When --service is not specified, this option has no effect.
171 Public Key Infrastructure Options
173 -p privkey.pem
174 --private-key=privkey.pem
175 Specifies a PEM file containing the private key used as
176 ovs-vswitchd's identity for outgoing SSL connections.
177 -c cert.pem
179 --certificate=cert.pem
180 Specifies a PEM file containing a certificate that certifies the
181 private key specified on -p or --private-key to be trustworthy.
182 The certificate must be signed by the certificate authority (CA)
183 that the peer in SSL connections will use to verify it.
184 -C cacert.pem
186 --ca-cert=cacert.pem
187 Specifies a PEM file containing the CA certificate that
188 ovs-vswitchd should use to verify certificates presented to it
189 by SSL peers. (This may be the same certificate that SSL peers
190 use to verify the certificate specified on -c or --certificate,
191 or it may be a different one, depending on the PKI design in
192 use.)
193 -C none
195 --ca-cert=none
196 Disables verification of certificates presented by SSL peers.
197 This introduces a security risk, because it means that certifi‐
198 cates cannot be verified to be those of known trusted hosts.
199 --bootstrap-ca-cert=cacert.pem
201 When cacert.pem exists, this option has the same effect as -C or
202 --ca-cert. If it does not exist, then ovs-vswitchd will attempt
203 to obtain the CA certificate from the SSL peer on its first SSL
204 connection and save it to the named PEM file. If it is success‐
205 ful, it will immediately drop the connection and reconnect, and
206 from then on all SSL connections must be authenticated by a cer‐
207 tificate signed by the CA certificate thus obtained.
208 This option exposes the SSL connection to a man-in-the-middle
210 attack obtaining the initial CA certificate, but it may be use‐
211 ful for bootstrapping.
212 This option is only useful if the SSL peer sends its CA certifi‐
214 cate as part of the SSL certificate chain. The SSL protocol
215 does not require the server to send the CA certificate.
216 This option is mutually exclusive with -C and --ca-cert.
218 --peer-ca-cert=peer-cacert.pem
220 Specifies a PEM file that contains one or more additional cer‐
221 tificates to send to SSL peers. peer-cacert.pem should be the
222 CA certificate used to sign ovs-vswitchd's own certificate, that
223 is, the certificate specified on -c or --certificate. If
224 ovs-vswitchd's certificate is self-signed, then --certificate
225 and --peer-ca-cert should specify the same file.
226 This option is not useful in normal operation, because the SSL
228 peer must already have the CA certificate for the peer to have
229 any confidence in ovs-vswitchd's identity. However, this offers
230 a way for a new installation to bootstrap the CA certificate on
231 its first SSL connection.
232 Logging Options
234 -v[spec]
235 --verbose=[spec]
236 Sets logging levels. Without any spec, sets the log level for
237 every module and destination to dbg. Otherwise, spec is a list
238 of words separated by spaces or commas or colons, up to one from
239 each category below:
240 · A valid module name, as displayed by the vlog/list com‐
242 mand on ovs-appctl(8), limits the log level change to the
243 specified module.
244 · syslog, console, or file, to limit the log level change
246 to only to the system log, to the console, or to a file,
247 respectively. (If --detach is specified, ovs-vswitchd
248 closes its standard file descriptors, so logging to the
249 console will have no effect.)
250 On Windows platform, syslog is accepted as a word and is
252 only useful along with the --syslog-target option (the
253 word has no effect otherwise).
254 · off, emer, err, warn, info, or dbg, to control the log
256 level. Messages of the given severity or higher will be
257 logged, and messages of lower severity will be filtered
258 out. off filters out all messages. See ovs-appctl(8)
259 for a definition of each log level.
260 Case is not significant within spec.
262 Regardless of the log levels set for file, logging to a file
264 will not take place unless --log-file is also specified (see
265 below).
266 For compatibility with older versions of OVS, any is accepted as
268 a word but has no effect.
269 -v
271 --verbose
272 Sets the maximum logging verbosity level, equivalent to --ver‐
273 bose=dbg.
274 -vPATTERN:destination:pattern
276 --verbose=PATTERN:destination:pattern
277 Sets the log pattern for destination to pattern. Refer to
278 ovs-appctl(8) for a description of the valid syntax for pattern.
279 -vFACILITY:facility
281 --verbose=FACILITY:facility
282 Sets the RFC5424 facility of the log message. facility can be
283 one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
284 clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
285 local3, local4, local5, local6 or local7. If this option is not
286 specified, daemon is used as the default for the local system
287 syslog and local0 is used while sending a message to the target
288 provided via the --syslog-target option.
289 --log-file[=file]
291 Enables logging to a file. If file is specified, then it is
292 used as the exact name for the log file. The default log file
293 name used if file is omitted is /var/log/open‐
294 vswitch/ovs-vswitchd.log.
295 --syslog-target=host:port
297 Send syslog messages to UDP port on host, in addition to the
298 system syslog. The host must be a numerical IP address, not a
299 hostname.
300 --syslog-method=method
302 Specify method how syslog messages should be sent to syslog dae‐
303 mon. Following forms are supported:
304 · libc, use libc syslog() function. Downside of using this
306 options is that libc adds fixed prefix to every message
307 before it is actually sent to the syslog daemon over
308 /dev/log UNIX domain socket.
309 · unix:file, use UNIX domain socket directly. It is possi‐
311 ble to specify arbitrary message format with this option.
312 However, rsyslogd 8.9 and older versions use hard coded
313 parser function anyway that limits UNIX domain socket
314 use. If you want to use arbitrary message format with
315 older rsyslogd versions, then use UDP socket to localhost
316 IP address instead.
317 · udp:ip:port, use UDP socket. With this method it is pos‐
319 sible to use arbitrary message format also with older
320 rsyslogd. When sending syslog messages over UDP socket
321 extra precaution needs to be taken into account, for
322 example, syslog daemon needs to be configured to listen
323 on the specified UDP port, accidental iptables rules
324 could be interfering with local syslog traffic and there
325 are some security considerations that apply to UDP sock‐
326 ets, but do not apply to UNIX domain sockets.
327 · null, discards all messages logged to syslog.
329 The default is taken from the OVS_SYSLOG_METHOD environment
331 variable; if it is unset, the default is libc.
332 Other Options
334 --unixctl=socket
335 Sets the name of the control socket on which ovs-vswitchd lis‐
336 tens for runtime management commands (see RUNTIME MANAGEMENT
337 COMMANDS, below). If socket does not begin with /, it is inter‐
338 preted as relative to /var/run/openvswitch. If --unixctl is not
339 used at all, the default socket is /var/run/open‐
340 vswitch/ovs-vswitchd.pid.ctl, where pid is ovs-vswitchd's
341 process ID.
342 On Windows a local named pipe is used to listen for runtime man‐
344 agement commands. A file is created in the absolute path as
345 pointed by socket or if --unixctl is not used at all, a file is
346 created as ovs-vswitchd.ctl in the configured OVS_RUNDIR direc‐
347 tory. The file exists just to mimic the behavior of a Unix
348 domain socket.
349 Specifying none for socket disables the control socket feature.
351 -h
353 --help Prints a brief help message to the console.
354 -V
356 --version
357 Prints version information to the console.
358
360 ovs-appctl(8) can send commands to a running ovs-vswitchd process. The
361 currently supported commands are described below. The command descrip‐
362 tions assume an understanding of how to configure Open vSwitch.
363 GENERAL COMMANDS
365 exit --cleanup
366 Causes ovs-vswitchd to gracefully terminate. If --cleanup is
367 specified, deletes flows from datapaths and releases other data‐
368 path resources configured by ovs-vswitchd. Otherwise, datapath
369 flows and other resources remains undeleted. Resources of data‐
370 paths that are integrated into ovs-vswitchd (e.g. the netdev
371 datapath type) are always released regardless of --cleanup
372 except for ports with internal type. Use --cleanup to release
373 internal ports too.
374 qos/show-types interface
376 Queries the interface for a list of Quality of Service types
377 that are configurable via Open vSwitch for the given interface.
378 qos/show interface
380 Queries the kernel for Quality of Service configuration and sta‐
381 tistics associated with the given interface.
382 bfd/show [interface]
384 Displays detailed information about Bidirectional Forwarding
385 Detection configured on interface. If interface is not speci‐
386 fied, then displays detailed information about all interfaces
387 with BFD enabled.
388 bfd/set-forwarding [interface] status
390 Force the fault status of the BFD module on interface (or all
391 interfaces if none is given) to be status. status can be
392 "true", "false", or "normal" which reverts to the standard
393 behavior.
394 cfm/show [interface]
396 Displays detailed information about Connectivity Fault Manage‐
397 ment configured on interface. If interface is not specified,
398 then displays detailed information about all interfaces with CFM
399 enabled.
400 cfm/set-fault [interface] status
402 Force the fault status of the CFM module on interface (or all
403 interfaces if none is given) to be status. status can be
404 "true", "false", or "normal" which reverts to the standard
405 behavior.
406 stp/tcn [bridge]
408 Forces a topology change event on bridge if it's running STP.
409 This may cause it to send Topology Change Notifications to its
410 peers and flush its MAC table. If no bridge is given, forces a
411 topology change event on all bridges.
412 stp/show [bridge]
414 Displays detailed information about spanning tree on the bridge.
415 If bridge is not specified, then displays detailed information
416 about all bridges with STP enabled.
417 rstp/tcn [bridge]
419 Forces a topology change event on bridge if it's running RSTP.
420 This may cause it to send Topology Change Notifications to its
421 peers and flush its MAC table. If no bridge is given, forces a
422 topology change event on all bridges.
423 rstp/show [bridge]
425 Displays detailed information about rapid spanning tree on the
426 bridge. If bridge is not specified, then displays detailed
427 information about all bridges with RSTP enabled.
428 BRIDGE COMMANDS
430 These commands manage bridges.
431 fdb/flush [bridge]
433 Flushes bridge MAC address learning table, or all learning
434 tables if no bridge is given.
435 fdb/show bridge
437 Lists each MAC address/VLAN pair learned by the specified
438 bridge, along with the port on which it was learned and the age
439 of the entry, in seconds.
440 fdb/stats-clear [bridge]
442 Clear bridge MAC address learning table statistics, or all sta‐
443 tistics if no bridge is given.
444 fdb/stats-show bridge
446 Show MAC address learning table statistics for the specified
447 bridge.
448 mdb/flush [bridge]
450 Flushes bridge multicast snooping table, or all snooping tables
451 if no bridge is given.
452 mdb/show bridge
454 Lists each multicast group/VLAN pair learned by the specified
455 bridge, along with the port on which it was learned and the age
456 of the entry, in seconds.
457 bridge/reconnect [bridge]
459 Makes bridge drop all of its OpenFlow controller connections and
460 reconnect. If bridge is not specified, then all bridges drop
461 their controller connections and reconnect.
462 This command might be useful for debugging OpenFlow controller
464 issues.
465 bridge/dump-flows [--offload-stats] bridge
467 Lists all flows in bridge, including those normally hidden to
468 commands such as ovs-ofctl dump-flows. Flows set up by mecha‐
469 nisms such as in-band control and fail-open are hidden from the
470 controller since it is not allowed to modify or override them.
471 If --offload-stats are specified then also list statistics for
472 offloaded packets and bytes, which are a subset of the total
473 packets and bytes.
474 BOND COMMANDS
476 These commands manage bonded ports on an Open vSwitch's bridges. To
477 understand some of these commands, it is important to understand a
478 detail of the bonding implementation called ``source load balancing''
479 (SLB). Instead of directly assigning Ethernet source addresses to mem‐
480 bers, the bonding implementation computes a function that maps an
481 48-bit Ethernet source addresses into an 8-bit value (a ``MAC hash''
482 value). All of the Ethernet addresses that map to a single 8-bit value
483 are then assigned to a single member.
484 bond/list
486 Lists all of the bonds, and their members, on each bridge.
487 bond/show [port]
489 Lists all of the bond-specific information (updelay, downdelay,
490 time until the next rebalance) about the given bonded port, or
491 all bonded ports if no port is given. Also lists information
492 about each members: whether it is enabled or disabled, the time
493 to completion of an updelay or downdelay if one is in progress,
494 whether it is the active member, the hashes assigned to the mem‐
495 ber. Any LACP information related to this bond may be found
496 using the lacp/show command.
497 bond/migrate port hash member
499 Only valid for SLB bonds. Assigns a given MAC hash to a new
500 member. port specifies the bond port, hash the MAC hash to be
501 migrated (as a decimal number between 0 and 255), and member the
502 new member to be assigned.
503 The reassignment is not permanent: rebalancing or fail-over will
505 cause the MAC hash to be shifted to a new member in the usual
506 manner.
507 A MAC hash cannot be migrated to a disabled member.
509 bond/set-active-member port member
511 Sets member as the active member on port. member must currently
512 be enabled.
513 The setting is not permanent: a new active member will be
515 selected if member becomes disabled.
516 bond/enable-member port member
518 bond/disable-member port member
519 Enables (or disables) member on the given bond port, skipping
520 any updelay (or downdelay).
521 This setting is not permanent: it persists only until the car‐
523 rier status of member changes.
524 bond/hash mac [vlan] [basis]
526 Returns the hash value which would be used for mac with vlan and
527 basis if specified.
528 lacp/show [port]
530 Lists all of the LACP related information about the given port:
531 active or passive, aggregation key, system id, and system prior‐
532 ity. Also lists information about each member: whether it is
533 enabled or disabled, whether it is attached or detached, port id
534 and priority, actor information, and partner information. If
535 port is not specified, then displays detailed information about
536 all interfaces with CFM enabled.
537 lacp/stats-show [port]
539 Lists various stats about LACP PDUs (number of RX/TX PDUs, bad
540 PDUs received) and member state (number of times its state
541 expired/defaulted and carrier status changed) for the given
542 port. If port is not specified, then displays stats of all
543 interfaces with LACP enabled.
544 DPCTL DATAPATH DEBUGGING COMMANDS
546 The primary way to configure ovs-vswitchd is through the Open vSwitch
547 database, e.g. using ovs-vsctl(8). These commands provide a debugging
548 interface for managing datapaths. They implement the same features
549 (and syntax) as ovs-dpctl(8). Unlike ovs-dpctl(8), these commands work
550 with datapaths that are integrated into ovs-vswitchd (e.g. the netdev
551 datapath type).
552 Do not use commands to add or remove or modify datapaths if
554 ovs-vswitchd is running because this interferes with ovs-vswitchd's own
555 datapath management.
556 dpctl/add-dp dp [netdev[,option]...]
558 Creates datapath dp, with a local port also named dp. This will
559 fail if a network device dp already exists.
560 If netdevs are specified, ovs-vswitchd adds them to the new
562 datapath, just as if add-if was specified.
563 dpctl/del-dp dp
565 Deletes datapath dp. If dp is associated with any network
566 devices, they are automatically removed.
567 dpctl/add-if dp netdev[,option]...
569 Adds each netdev to the set of network devices datapath dp moni‐
570 tors, where dp is the name of an existing datapath, and netdev
571 is the name of one of the host's network devices, e.g. eth0.
572 Once a network device has been added to a datapath, the datapath
573 has complete ownership of the network device's traffic and the
574 network device appears silent to the rest of the system.
575 A netdev may be followed by a comma-separated list of options.
577 The following options are currently supported:
578 type=type
580 Specifies the type of port to add. The default type is
581 system.
582 port_no=port
584 Requests a specific port number within the datapath. If
585 this option is not specified then one will be automati‐
586 cally assigned.
587 key=value
589 Adds an arbitrary key-value option to the port's configu‐
590 ration.
591 ovs-vswitchd.conf.db(5) documents the available port types and
593 options.
594 dpctl/set-if dp port[,option]...
596 Reconfigures each port in dp as specified. An option of the
597 form key=value adds the specified key-value option to the port
598 or overrides an existing key's value. An option of the form
599 key=, that is, without a value, deletes the key-value named key.
600 The type and port number of a port cannot be changed, so type
601 and port_no are only allowed if they match the existing configu‐
602 ration.
603 dpctl/del-if dp netdev...
605 Removes each netdev from the list of network devices datapath dp
606 monitors.
607 dpctl/dump-dps
609 Prints the name of each configured datapath on a separate line.
610 dpctl/show [-s | --statistics] [dp...]
612 Prints a summary of configured datapaths, including their data‐
613 path numbers and a list of ports connected to each datapath.
614 (The local port is identified as port 0.) If -s or --statistics
615 is specified, then packet and byte counters are also printed for
616 each port.
617 The datapath numbers consists of flow stats and mega flow mask
619 stats.
620 The "lookups" row displays three stats related to flow lookup
622 triggered by processing incoming packets in the datapath. "hit"
623 displays number of packets matches existing flows. "missed" dis‐
624 plays the number of packets not matching any existing flow and
625 require user space processing. "lost" displays number of pack‐
626 ets destined for user space process but subsequently dropped
627 before reaching userspace. The sum of "hit" and "miss" equals to
628 the total number of packets datapath processed.
629 The "flows" row displays the number of flows in datapath.
631 The "masks" row displays the mega flow mask stats. This row is
633 omitted for datapath not implementing mega flow. "hit" displays
634 the total number of masks visited for matching incoming packets.
635 "total" displays number of masks in the datapath. "hit/pkt" dis‐
636 plays the average number of masks visited per packet; the ratio
637 between "hit" and total number of packets processed by the data‐
638 path.
639 If one or more datapaths are specified, information on only
641 those datapaths are displayed. Otherwise, ovs-vswitchd displays
642 information about all configured datapaths.
643 DATAPATH FLOW TABLE DEBUGGING COMMANDS
645 The following commands are primarily useful for debugging Open vSwitch.
646 The flow table entries (both matches and actions) that they work with
647 are not OpenFlow flow entries. Instead, they are different and consid‐
648 erably simpler flows maintained by the Open vSwitch kernel module. Do
649 not use commands to add or remove or modify datapath flows if
650 ovs-vswitchd is running because it interferes with ovs-vswitchd's own
651 datapath flow management. Use ovs-ofctl(8), instead, to work with
652 OpenFlow flow entries.
653 The dp argument to each of these commands is optional when exactly one
655 datapath exists, in which case that datapath is the default. When mul‐
656 tiple datapaths exist, then a datapath name is required.
657 dpctl/dump-flows [-m | --more] [--names | --no-names] [dp] [filter=fil‐
659 ter] [type=type] [pmd=pmd]
660 Prints to the console all flow entries in datapath dp's flow ta‐
661 ble. Without -m or --more, output omits match fields that a
662 flow wildcards entirely; with -m or --more, output includes all
663 wildcarded fields.
664 If filter=filter is specified, only displays the flows that
666 match the filter. filter is a flow in the form similiar to that
667 accepted by ovs-ofctl(8)'s add-flow command. (This is not an
668 OpenFlow flow: besides other differences, it never contains
669 wildcards.) The filter is also useful to match wildcarded
670 fields in the datapath flow. As an example, fil‐
671 ter='tcp,tp_src=100' will match the datapath flow containing
672 'tcp(src=80/0xff00,dst=8080/0xff)'.
673 If pmd=pmd is specified, only displays flows of the specified
675 pmd. Using pmd=-1 will restrict the dump to flows from the main
676 thread. This option is only supported by the userspace data‐
677 path.
678 If type=type is specified, only displays flows of the specified
680 types. This option supported only for ovs-appctl
681 dpctl/dump-flows. type is a comma separated list, which can
682 contain any of the following:
683 ovs - displays flows handled in the ovs dp
684 tc - displays flows handled in the tc dp
685 dpdk - displays flows fully offloaded by dpdk
686 offloaded - displays flows offloaded to the HW
687 non-offloaded - displays flows not offloaded to the HW
688 partially-offloaded - displays flows where only part of their
689 proccessing is done in HW
690 all - displays all the types of flows
691 By default all the types of flows are displayed. ovs-dpctl
693 always acts as if the type was ovs.
694 dpctl/add-flow [dp] flow actions
696 dpctl/mod-flow [--clear] [--may-create] [-s | --statistics] [dp] flow
698 actions
699 Adds or modifies a flow in dp's flow table that, when a packet
700 matching flow arrives, causes actions to be executed.
701 The add-flow command succeeds only if flow does not already
703 exist in dp. Contrariwise, mod-flow without --may-create only
704 modifies the actions for an existing flow. With --may-create,
705 mod-flow will add a new flow or modify an existing one.
706 If -s or --statistics is specified, then mod-flow prints the
708 modified flow's statistics. A flow's statistics are the number
709 of packets and bytes that have passed through the flow, the
710 elapsed time since the flow last processed a packet (if ever),
711 and (for TCP flows) the union of the TCP flags processed through
712 the flow.
713 With --clear, mod-flow zeros out the flow's statistics. The
715 statistics printed if -s or --statistics is also specified are
716 those from just before clearing the statistics.
717 NOTE: flow and actions do not match the syntax used with
719 ovs-ofctl(8)'s add-flow command.
720 Usage Examples
722 Forward ARP between ports 1 and 2 on datapath myDP:
724 ovs-dpctl add-flow myDP \
726 "in_port(1),eth(),eth_type(0x0806),arp()" 2
727 ovs-dpctl add-flow myDP \
729 "in_port(2),eth(),eth_type(0x0806),arp()" 1
730 Forward all IPv4 traffic between two addresses on ports 1 and 2:
732 ovs-dpctl add-flow myDP \
734 "in_port(1),eth(),eth_type(0x800),\
735 ipv4(src=172.31.110.4,dst=172.31.110.5)" 2
736 ovs-dpctl add-flow myDP \
738 "in_port(2),eth(),eth_type(0x800),\
739 ipv4(src=172.31.110.5,dst=172.31.110.4)" 1
740 dpctl/add-flows [dp] file
742 dpctl/mod-flows [dp] file
743 dpctl/del-flows [dp] file
744 Reads flow entries from file (or stdin if file is -) and adds,
745 modifies, or deletes each entry to the datapath. Each flow
746 specification (e.g., each line in file) may start with add, mod‐
747 ify, or delete keyword to specify whether a flow is to be added,
748 modified, or deleted. A flow specification without one of these
749 keywords is treated based on the used command. All flow modifi‐
750 cations are executed as individual transactions in the order
751 specified.
752 dpctl/del-flow [-s | --statistics] [dp] flow
754 Deletes the flow from dp's flow table that matches flow. If -s
755 or --statistics is specified, then del-flow prints the deleted
756 flow's statistics.
757 dpctl/get-flow [dp] ufid:ufid [-m | --more] [--names | --no-names]
759 Fetches the flow from dp's flow table with unique identifier
760 ufid. ufid must be specified as a string of 32 hexadecimal
761 characters.
762 dpctl/del-flows [dp]
764 Deletes all flow entries from datapath dp's flow table.
765 CONNECTION TRACKING TABLE COMMANDS
767 The following commands are useful for debugging and configuring the
768 connection tracking table in the datapath.
769 The dp argument to each of these commands is optional when exactly one
771 datapath exists, in which case that datapath is the default. When mul‐
772 tiple datapaths exist, then a datapath name is required.
773 N.B.(Linux specific): the system datapaths (i.e. the Linux kernel mod‐
775 ule Open vSwitch datapaths) share a single connection tracking table
776 (which is also used by other kernel subsystems, such as iptables, nfta‐
777 bles and the regular host stack). Therefore, the following commands do
778 not apply specifically to one datapath.
779 dpctl/ipf-set-enabled [dp] v4|v6
781 dpctl/ipf-set-disabled [dp] v4|v6
782 Enables or disables IP fragmentation handling for the userspace
783 connection tracker. Either v4 or v6 must be specified. Both
784 IPv4 and IPv6 fragment reassembly are enabled by default. Only
785 supported for the userspace datapath.
786 dpctl/ipf-set-min-frag [dp] v4|v6 minfrag
788 Sets the minimum fragment size (L3 header and data) for non-
789 final fragments to minfrag. Either v4 or v6 must be specified.
790 For enhanced DOS security, higher minimum fragment sizes can
791 usually be used. The default IPv4 value is 1200 and the clamped
792 minimum is 400. The default IPv6 value is 1280, with a clamped
793 minimum of 400, for testing flexibility. The maximum fragment
794 size is not clamped, however, setting this value too high might
795 result in valid fragments being dropped. Only supported for
796 userspace datapath.
797 dpctl/ipf-set-max-nfrags [dp] maxfrags
799 Sets the maximum number of fragments tracked by the userspace
800 datapath connection tracker to maxfrags. The default value is
801 1000 and the clamped maximum is 5000. Note that packet buffers
802 can be held by the fragmentation module while fragments are
803 incomplete, but will timeout after 15 seconds. Memory pool siz‐
804 ing should be set accordingly when fragmentation is enabled.
805 Only supported for userspace datapath.
806 dpctl/ipf-get-status [dp] [-m | --more]
808 Gets the configuration settings and fragment counters associated
809 with the fragmentation handling of the userspace datapath con‐
810 nection tracker. With -m or --more, also dumps the IP fragment
811 lists. Only supported for userspace datapath.
812 dpctl/dump-conntrack [-m | --more] [-s | --statistics] [dp] [zone=zone]
814 Prints to the console all the connection entries in the tracker
815 used by dp. If zone=zone is specified, only shows the connec‐
816 tions in zone. With --more, some implementation specific
817 details are included. With --statistics timeouts and timestamps
818 are added to the output.
819 dpctl/flush-conntrack [dp] [zone=zone] [ct-tuple]
821 Flushes the connection entries in the tracker used by dp based
822 on zone and connection tracking tuple ct-tuple. If ct-tuple is
823 not provided, flushes all the connection entries. If zone=zone
824 is specified, only flushes the connections in zone.
825 If ct-tuple is provided, flushes the connection entry specified
827 by ct-tuple in zone. The zone defaults to 0 if it is not pro‐
828 vided. The userspace connection tracker requires flushing with
829 the original pre-NATed tuple and a warning log will be otherwise
830 generated. An example of an IPv4 ICMP ct-tuple:
831 "ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=1,icmp_type=8,icmp_code=0,icmp_id=10"
833 An example of an IPv6 TCP ct-tuple:
835 "ct_ipv6_src=fc00::1,ct_ipv6_dst=fc00::2,ct_nw_proto=6,ct_tp_src=1,ct_tp_dst=2"
837 dpctl/ct-stats-show [dp] [zone=zone] [-m | --more]
839 Displays the number of connections grouped by protocol used by
840 dp. If zone=zone is specified, numbers refer to the connections
841 in zone. With --more, groups by connection state for each pro‐
842 tocol.
843 dpctl/ct-bkts [dp] [gt=threshold]
845 For each conntrack bucket, displays the number of connections
846 used by dp. If gt=threshold is specified, bucket numbers are
847 displayed when the number of connections in a bucket is greater
848 than threshold.
849 dpctl/ct-set-maxconns [dp] maxconns
851 Sets the maximum limit of connection tracker entries to maxconns
852 on dp. This can be used to reduce the processing load on the
853 system due to connection tracking or simply limiting connection
854 tracking. If the number of connections is already over the new
855 maximum limit request then the new maximum limit will be
856 enforced when the number of connections decreases to that limit,
857 which normally happens due to connection expiry. Only supported
858 for userspace datapath.
859 dpctl/ct-get-maxconns [dp]
861 Prints the maximum limit of connection tracker entries on dp.
862 Only supported for userspace datapath.
863 dpctl/ct-get-nconns [dp]
865 Prints the current number of connection tracker entries on dp.
866 Only supported for userspace datapath.
867 dpctl/ct-enable-tcp-seq-chk [dp]
869 dpctl/ct-disable-tcp-seq-chk [dp]
870 Enables or disables TCP sequence checking. When set to dis‐
871 abled, all sequence number verification is disabled, including
872 for TCP resets. This is similar, but not the same as 'be_lib‐
873 eral' mode, as in Netfilter. Disabling sequence number verifi‐
874 cation is not an optimization in itself, but is needed for some
875 hardware offload support which might offer some performance
876 advantage. Sequence number checking is enabled by default to
877 enforce better security and should only be disabled if required
878 for hardware offload support. This command is only supported
879 for the userspace datapath.
880 dpctl/ct-get-tcp-seq-chk [dp]
882 Prints whether TCP sequence checking is enabled or disabled on
883 dp. Only supported for the userspace datapath.
884 dpctl/ct-set-limits [dp] [default=default_limit]
886 [zone=zone,limit=limit]...
887 Sets the maximum allowed number of connections in a connection
888 tracking zone. A specific zone may be set to limit, and multi‐
889 ple zones may be specified with a comma-separated list. If a
890 per-zone limit for a particular zone is not specified in the
891 datapath, it defaults to the default per-zone limit. A default
892 zone may be specified with the default=default_limit argument.
893 Initially, the default per-zone limit is unlimited. An unlim‐
894 ited number of entries may be set with 0 limit.
895 dpctl/ct-del-limits [dp] zone=zone[,zone]...
897 Deletes the connection tracking limit for zone. Multiple zones
898 may be specified with a comma-separated list.
899 dpctl/ct-get-limits [dp] [zone=zone[,zone]...]
901 Retrieves the maximum allowed number of connections and current
902 counts per-zone. If zone is given, only the specified zone(s)
903 are printed. If no zones are specified, all the zone limits and
904 counts are provided. The command always displays the default
905 zone limit.
906 DPDK COMMANDS
908 These commands manage DPDK components.
909 dpdk/log-list
911 Lists all DPDK components that emit logs and their logging lev‐
912 els.
913 dpdk/log-set [spec]
915 Sets DPDK components logging level. Without any spec, sets the
916 logging level for all DPDK components to debug. Otherwise, spec
917 is a list of words separated by spaces: a word can be either a
918 logging level (emergency, alert, critical, error, warning,
919 notice, info or debug) or a pattern matching DPDK components
920 (see dpdk/log-list command on ovs-appctl(8)) separated by a
921 colon from the logging level to apply.
922 DPIF-NETDEV COMMANDS
924 These commands are used to expose internal information (mostly statis‐
925 tics) about the "dpif-netdev" userspace datapath. If there is only one
926 datapath (as is often the case, unless dpctl/ commands are used), the
927 dp argument can be omitted. By default the commands present data for
928 all pmd threads in the datapath. By specifying the "-pmd Core" option
929 one can filter the output for a single pmd in the datapath.
930 dpif-netdev/pmd-stats-show [-pmd core] [dp]
932 Shows performance statistics for one or all pmd threads of the
933 datapath dp. The special thread "main" sums up the statistics of
934 every non pmd thread.
935 The sum of "emc hits", "smc hits", "megaflow hits" and "miss" is
937 the number of packet lookups performed by the datapath. Beware
938 that a recirculated packet experiences one additional lookup per
939 recirculation, so there may be more lookups than forwarded pack‐
940 ets in the datapath.
941 Cycles are counted using the TSC or similar facilities (when
943 available on the platform). The duration of one cycle depends on
944 the processing platform.
945 "idle cycles" refers to cycles spent in PMD iterations not for‐
947 warding any any packets. "processing cycles" refers to cycles
948 spent in PMD iterations forwarding at least one packet, includ‐
949 ing the cost for polling, processing and transmitting said pack‐
950 ets.
951 To reset these counters use dpif-netdev/pmd-stats-clear.
953 dpif-netdev/pmd-stats-clear [dp]
955 Resets to zero the per pmd thread performance numbers shown by
956 the dpif-netdev/pmd-stats-show and dpif-netdev/pmd-perf-show
957 commands. It will NOT reset datapath or bridge statistics, only
958 the values shown by the above commands.
959 dpif-netdev/pmd-perf-show [-nh] [-it iter_len] [-ms ms_len] [-pmd core]
961 [dp]
962 Shows detailed performance metrics for one or all pmds threads
963 of the user space datapath.
964 The collection of detailed statistics can be controlled by a new
966 configuration parameter "other_config:pmd-perf-metrics". By
967 default it is disabled. The run-time overhead, when enabled, is
968 in the order of 1%.
969 — used cycles
972 — forwared packets
973 — number of rx batches
974 — packets/rx batch
975 — max. vhostuser queue fill level
976 — number of upcalls
977 — cycles spent in upcalls
978 This raw recorded data is used threefold:
980 1. In histograms for each of the following metrics:
983 — cycles/iteration (logarithmic)
984 — packets/iteration (logarithmic)
985 — cycles/packet
986 — packets/batch
987 — max. vhostuser qlen (logarithmic)
988 — upcalls
989 — cycles/upcall (logarithmic) The histograms bins
990 are divided linear or logarithmic.
991 2. A cyclic history of the above metrics for 1024 iterations
992 3. A cyclic history of the cummulative/average values per
993 millisecond wall clock for the last 1024 milliseconds:
994 — number of iterations
995 — avg. cycles/iteration
996 — packets (Kpps)
997 — avg. packets/batch
998 — avg. max vhost qlen
999 — upcalls
1000 — avg. cycles/upcall
1001 The command options are:
1003 -nh Suppress the histograms
1005 -it iter_len
1007 Display the last iter_len iteration stats
1008 -ms ms_len
1010 Display the last ms_len millisecond stats
1011 The output always contains the following global PMD statistics:
1013 Time: 15:24:55.270
1015 Measurement duration: 1.008 s
1016 pmd thread numa_id 0 core_id 1:
1018 Iterations: 572817 (1.76 us/it)
1020 - Used TSC cycles: 2419034712 ( 99.9 % of total cycles)
1021 - idle iterations: 486808 ( 15.9 % of used cycles)
1022 - busy iterations: 86009 ( 84.1 % of used cycles)
1023 Rx packets: 2399607 (2381 Kpps, 848 cycles/pkt)
1024 Datapath passes: 3599415 (1.50 passes/pkt)
1025 - EMC hits: 336472 ( 9.3 %)
1026 - SMC hits: 0 ( 0.0 %)
1027 - Megaflow hits: 3262943 ( 90.7 %, 1.00 subtbl lookups/hit)
1028 - Upcalls: 0 ( 0.0 %, 0.0 us/upcall)
1029 - Lost upcalls: 0 ( 0.0 %)
1030 Tx packets: 2399607 (2381 Kpps)
1031 Tx batches: 171400 (14.00 pkts/batch)
1032 Here "Rx packets" actually reflects the number of packets for‐
1034 warded by the datapath. "Datapath passes" matches the number of
1035 packet lookups as reported by the dpif-netdev/pmd-stats-show
1036 command.
1037 To reset the counters and start a new measurement use dpif-net‐
1039 dev/pmd-stats-clear.
1040 dpif-netdev/pmd-perf-log-set on|off [-b before] [-a after] [-e|-ne]
1042 [-us usec] [-q qlen]
1043 The userspace "netdev" datapath is able to supervise the PMD
1044 performance metrics and detect iterations with suspicious sta‐
1045 tistics according to the following criteria:
1046 — The iteration lasts longer than usec microseconds
1048 (default 250). This can be used to capture events where
1049 a PMD is blocked or interrupted for such a period of time
1050 that there is a risk for dropped packets on any of its Rx
1051 queues.
1052 — The max vhost qlen exceeds a threshold qlen (default
1054 128). This can be used to infer virtio queue overruns and
1055 dropped packets inside a VM, which are not visible in OVS
1056 otherwise.
1057 Such suspicious iterations can be logged together with their
1059 iteration statistics in the ovs-vswitchd.log to be able to cor‐
1060 relate them to packet drop or other events outside OVS.
1061 The above command enables (on) or disables (off) supervision and
1063 logging at run-time and can be used to adjust the above thresh‐
1064 olds for detecting suspicious iterations. By default supervision
1065 and logging is disabled.
1066 The command options are:
1068 -b before
1070 The number of iterations before the suspicious iteration
1071 to be logged (default 5).
1072 -a after
1074 The number of iterations after the suspicious iteration
1075 to be logged (default 5).
1076 -e Extend logging interval if another suspicious iteration
1078 is detected before logging occurs.
1079 -ne Do not extend logging interval if another suspicious
1081 iteration is detected before logging occurs (default).
1082 -q qlen
1084 Suspicious vhost queue fill level threshold. Increase
1085 this to 512 if the Qemu supports 1024 virtio queue length
1086 (default 128).
1087 -us usec
1089 Change the duration threshold for a suspicious iteration
1090 (default 250 us).
1091 Note: Logging of suspicious iterations itself consumes a considerable
1093 amount of processing cycles of a PMD which may be visible in the itera‐
1094 tion history. In the worst case this can lead OVS to detect another
1095 suspicious iteration caused by logging.
1096 If more than 100 iterations around a suspicious iteration have been
1098 logged once, OVS falls back to the safe default values (-b 5 -a 5 -ne)
1099 to avoid that logging itself continuously causes logging of further
1100 suspicious iterations.
1101 dpif-netdev/pmd-rxq-show [-pmd core] [dp]
1103 For one or all pmd threads of the datapath dp show the list of
1104 queue-ids with port names, which this thread polls.
1105 dpif-netdev/pmd-rxq-rebalance [dp]
1107 Reassigns rxqs to pmds in the datapath dp based on their current
1108 usage.
1109 dpif-netdev/bond-show [dp]
1111 When "other_config:lb-output-action" is set to "true", the
1112 userspace datapath handles the load balancing of bonds directly
1113 instead of depending on flow recirculation (only in balance-tcp
1114 mode).
1115 When this is the case, the above command prints the load-balanc‐
1117 ing information of the bonds configured in datapath dp showing
1118 the interface associated with each bucket (hash).
1119 NETDEV-DPDK COMMANDS
1121 These commands manage DPDK related ports (type=dpdk*).
1122 netdev-dpdk/set-admin-state [interface] up | down
1124 Change the admin state for DPDK interface to up or down. If
1125 interface is not specified, then it applies to all DPDK ports.
1126 netdev-dpdk/detach pci-address
1128 Detaches device with corresponding pci-address from DPDK. This
1129 command can be used to detach device if it wasn't detached auto‐
1130 matically after port deletion. Refer to the documentation for
1131 details and instructions.
1132 netdev-dpdk/get-mempool-info [interface]
1134 Prints the debug information about memory pool used by DPDK
1135 interface. If called without arguments, information of all the
1136 available mempools will be printed. For additional mempool sta‐
1137 tistics enable CONFIG_RTE_LIBRTE_MEMPOOL_DEBUG while building
1138 DPDK.
1139 DATAPATH DEBUGGING COMMANDS
1141 These commands query and modify datapaths. They are are similar to
1142 ovs-dpctl(8) commands. dpif/show has the additional functionality,
1143 beyond dpctl/show of printing OpenFlow port numbers. The other com‐
1144 mands are redundant and will be removed in a future release.
1145 dpif/dump-dps
1147 Prints the name of each configured datapath on a separate line.
1148 dpif/show
1150 Prints a summary of configured datapaths, including statistics
1151 and a list of connected ports. The port information includes
1152 the OpenFlow port number, datapath port number, and the type.
1153 (The local port is identified as OpenFlow port 65534.)
1154 dpif/dump-flows [-m] dp
1156 Prints to the console all flow entries in datapath dp's flow ta‐
1157 ble. Without -m, output omits match fields that a flow wildcards
1158 entirely; with -m output includes all wildcarded fields.
1159 This command is primarily useful for debugging Open vSwitch.
1161 The flow table entries that it displays are not OpenFlow flow
1162 entries. Instead, they are different and considerably simpler
1163 flows maintained by the datapath module. If you wish to see the
1164 OpenFlow flow entries, use ovs-ofctl dump-flows.
1165 dpif/del-flows dp
1167 Deletes all flow entries from datapath dp's flow table and
1168 underlying datapath implementation (e.g., kernel datapath mod‐
1169 ule).
1170 This command is primarily useful for debugging Open vSwitch. As
1172 discussed in dpif/dump-flows, these entries are not OpenFlow
1173 flow entries.
1174 OFPROTO COMMANDS
1176 These commands manage the core OpenFlow switch implementation (called
1177 ofproto).
1178 ofproto/list
1180 Lists the names of the running ofproto instances. These are the
1181 names that may be used on ofproto/trace.
1182 ofproto/trace [options] [dpname] odp_flow [packet]
1184 ofproto/trace [options] bridge br_flow [packet]]
1185 ofproto/trace-packet-out [options] [dpname] odp_flow [packet] actions
1186 ofproto/trace-packet-out [options] bridge br_flow [packet] actions
1187 Traces the path of an imaginary packet through switch and
1188 reports the path that it took. The initial treatment of the
1189 packet varies based on the command:
1190 · ofproto/trace looks the packet up in the OpenFlow flow
1192 table, as if the packet had arrived on an OpenFlow port.
1193 · ofproto/trace-packet-out applies the specified OpenFlow
1195 actions, as if the packet, flow, and actions had been
1196 specified in an OpenFlow ``packet-out'' request.
1197 The packet's headers (e.g. source and destination) and metadata
1199 (e.g. input port), together called its ``flow,'' are usually all
1200 that matter for the purpose of tracing a packet. You can spec‐
1201 ify the flow in the following ways:
1202 dpname odp_flow
1204 odp_flow is a flow in the form printed by ovs-dpctl(8)'s
1205 dump-flows command. If all of your bridges have the same
1206 type, which is the common case, then you can omit dpname,
1207 but if you have bridges of different types (say, both
1208 ovs-netdev and ovs-system), then you need to specify a
1209 dpname to disambiguate.
1210 bridge br_flow
1212 br_flow is a flow in the form similar to that accepted by
1213 ovs-ofctl(8)'s add-flow command. (This is not an Open‐
1214 Flow flow: besides other differences, it never contains
1215 wildcards.) bridge names of the bridge through which
1216 br_flow should be traced.
1217 These commands support the following options:
1219 --generate
1221 Generate a packet from the flow (see below for more
1222 information).
1223 --l7 payload
1225 --l7-len length
1226 Accepted only with --generate (see below for more infor‐
1227 mation).
1228 --consistent
1230 Accepted by ofproto-trace-packet-out only. With this
1231 option, the command rejects actions that are inconsistent
1232 with the specified packet. (An example of an inconsis‐
1233 tency is attempting to strip the VLAN tag from a packet
1234 that does not have a VLAN tag.) Open vSwitch ignores
1235 most forms of inconsistency in OpenFlow 1.0 and rejects
1236 inconsistencies in later versions of OpenFlow. The
1237 option is necessary because the command does not ordinar‐
1238 ily imply a particular OpenFlow version. One exception
1239 is that, when actions includes an action that only Open‐
1240 Flow 1.1 and later supports (such as push_vlan), --con‐
1241 sistent is automatically enabled.
1242 --ct-next flags
1244 When the traced flow triggers conntrack actions,
1245 ofproto/trace will automatically trace the forked packet
1246 processing pipeline with user specified ct_state. This
1247 option sets the ct_state flags that the conntrack module
1248 will report. The flags must be a comma- or space-sepa‐
1249 rated list of the following connection tracking flags:
1250 · trk: Include to indicate connection tracking has
1252 taken place.
1253 · new: Include to indicate a new flow.
1255 · est: Include to indicate an established flow.
1257 · rel: Include to indicate a related flow.
1259 · rpl: Include to indicate a reply flow.
1261 · inv: Include to indicate a connection entry in a
1263 bad state.
1264 · dnat: Include to indicate a packet whose destina‐
1266 tion IP address has been changed.
1267 · snat: Include to indicate a packet whose source IP
1269 address has been changed.
1270 When --ct-next is unspecified, or when there are fewer
1272 --ct-next options than ct actions, the flags default to
1273 trk,new.
1274 Most commonly, one specifies only a flow, using one of the forms
1276 above, but sometimes one might need to specify an actual packet
1277 instead of just a flow:
1278 Side effects.
1280 Some actions have side effects. For example, the normal
1281 action can update the MAC learning table, and the learn
1282 action can change OpenFlow tables. The trace commands
1283 only perform side effects when a packet is specified. If
1284 you want side effects to take place, then you must supply
1285 a packet.
1286 (Output actions are obviously side effects too, but the
1288 trace commands never execute them, even when one speci‐
1289 fies a packet.)
1290 Incomplete information.
1292 Most of the time, Open vSwitch can figure out everything
1293 about the path of a packet using just the flow, but in
1294 some special circumstances it needs to look at parts of
1295 the packet that are not included in the flow. When this
1296 is the case, and you do not supply a packet, then a trace
1297 command will tell you it needs a packet.
1298 If you wish to include a packet as part of a trace operation,
1300 there are two ways to do it:
1301 --generate
1303 This option, added to one of the ways to specify a flow
1304 already described, causes Open vSwitch to internally gen‐
1305 erate a packet with the flow described and then to use
1306 that packet. If your goal is to execute side effects,
1307 then --generate is the easiest way to do it, but --gener‐
1308 ate is not a good way to fill in incomplete information,
1309 because it generates packets based on only the flow
1310 information, which means that the packets really do not
1311 have any more information than the flow.
1312 By default, for protocols that allow arbitrary L7 pay‐
1314 loads, the generated packet has 64 bytes of payload. Use
1315 --l7-len to change the payload length, or --l7 to specify
1316 the exact contents of the payload.
1317 packet This form supplies an explicit packet as a sequence of
1319 hex digits. An Ethernet frame is at least 14 bytes long,
1320 so there must be at least 28 hex digits. Obviously, it
1321 is inconvenient to type in the hex digits by hand, so the
1322 ovs-pcap(1) and ovs-tcpundump(1) utilities provide easier
1323 ways.
1324 With this form, packet headers are extracted directly
1326 from packet, so the odp_flow or br_flow should specify
1327 only metadata. The metadata can be:
1328 skb_priority
1330 Packet QoS priority.
1331 pkt_mark
1333 Mark of the packet.
1334 ct_state
1336 Connection state of the packet.
1337 ct_zone
1339 Connection tracking zone for packet.
1340 ct_mark
1342 Connection mark of the packet.
1343 ct_label
1345 Connection label of the packet.
1346 tun_id The tunnel ID on which the packet arrived.
1348 in_port
1350 The port on which the packet arrived.
1351 The in_port value is kernel datapath port number for the first
1353 format and OpenFlow port number for the second format. The num‐
1354 bering of these two types of port usually differs and there is
1355 no relationship.
1356 Usage examples:
1358 Trace an unicast ICMP echo request on ingress port 1 to destination
1360 MAC 00:00:5E:00:53:01
1361 ofproto/trace br in_port=1,icmp,icmp_type=8,\
1362 dl_dst=00:00:5E:00:53:01
1363 Trace an unicast ICMP echo reply on ingress port 1 to destination
1365 MAC 00:00:5E:00:53:01
1366 ofproto/trace br in_port=1,icmp,icmp_type=0,\
1367 dl_dst=00:00:5E:00:53:01
1368 Trace an ARP request on ingress port 1
1370 ofproto/trace br in_port=1,arp,arp_op=1
1371 Trace an ARP reply on ingress port 1
1373 ofproto/trace br in_port=1,arp,arp_op=2
1374 VLOG COMMANDS
1376 These commands manage ovs-vswitchd's logging settings.
1377 vlog/set [spec]
1379 Sets logging levels. Without any spec, sets the log level for
1380 every module and destination to dbg. Otherwise, spec is a list
1381 of words separated by spaces or commas or colons, up to one from
1382 each category below:
1383 · A valid module name, as displayed by the vlog/list com‐
1385 mand on ovs-appctl(8), limits the log level change to the
1386 specified module.
1387 · syslog, console, or file, to limit the log level change
1389 to only to the system log, to the console, or to a file,
1390 respectively.
1391 On Windows platform, syslog is accepted as a word and is
1393 only useful along with the --syslog-target option (the
1394 word has no effect otherwise).
1395 · off, emer, err, warn, info, or dbg, to control the log
1397 level. Messages of the given severity or higher will be
1398 logged, and messages of lower severity will be filtered
1399 out. off filters out all messages. See ovs-appctl(8)
1400 for a definition of each log level.
1401 Case is not significant within spec.
1403 Regardless of the log levels set for file, logging to a file
1405 will not take place unless ovs-vswitchd was invoked with the
1406 --log-file option.
1407 For compatibility with older versions of OVS, any is accepted as
1409 a word but has no effect.
1410 vlog/set PATTERN:destination:pattern
1412 Sets the log pattern for destination to pattern. Refer to
1413 ovs-appctl(8) for a description of the valid syntax for pattern.
1414 vlog/list
1416 Lists the supported logging modules and their current levels.
1417 vlog/list-pattern
1419 Lists logging patterns used for each destination.
1420 vlog/close
1422 Causes ovs-vswitchd to close its log file, if it is open. (Use
1423 vlog/reopen to reopen it later.)
1424 vlog/reopen
1426 Causes ovs-vswitchd to close its log file, if it is open, and
1427 then reopen it. (This is useful after rotating log files, to
1428 cause a new log file to be used.)
1429 This has no effect unless ovs-vswitchd was invoked with the
1431 --log-file option.
1432 vlog/disable-rate-limit [module]...
1434 vlog/enable-rate-limit [module]...
1435 By default, ovs-vswitchd limits the rate at which certain mes‐
1436 sages can be logged. When a message would appear more fre‐
1437 quently than the limit, it is suppressed. This saves disk
1438 space, makes logs easier to read, and speeds up execution, but
1439 occasionally troubleshooting requires more detail. Therefore,
1440 vlog/disable-rate-limit allows rate limits to be disabled at the
1441 level of an individual log module. Specify one or more module
1442 names, as displayed by the vlog/list command. Specifying either
1443 no module names at all or the keyword any disables rate limits
1444 for every log module.
1445 The vlog/enable-rate-limit command, whose syntax is the same as
1447 vlog/disable-rate-limit, can be used to re-enable a rate limit
1448 that was previously disabled.
1449 MEMORY COMMANDS
1451 These commands report memory usage.
1452 memory/show
1454 Displays some basic statistics about ovs-vswitchd's memory
1455 usage. ovs-vswitchd also logs this information soon after
1456 startup and periodically as its memory consumption grows.
1457 COVERAGE COMMANDS
1459 These commands manage ovs-vswitchd's ``coverage counters,'' which count
1460 the number of times particular events occur during a daemon's runtime.
1461 In addition to these commands, ovs-vswitchd automatically logs coverage
1462 counter values, at INFO level, when it detects that the daemon's main
1463 loop takes unusually long to run.
1464 Coverage counters are useful mainly for performance analysis and debug‐
1466 ging.
1467 coverage/show
1469 Displays the averaged per-second rates for the last few seconds,
1470 the last minute and the last hour, and the total counts of all
1471 of the coverage counters.
1472 coverage/read-counter counter
1474 Displays the total count for the given coverage counter.
1475 OPENVSWITCH TUNNELING COMMANDS
1477 These commands query and modify OVS tunnel components.
1478 ovs/route/add ipv4_address/plen output_bridge [GW]
1480 Adds ipv4_address/plen route to vswitchd routing table. out‐
1481 put_bridge needs to be OVS bridge name. This command is useful
1482 if OVS cached routes does not look right.
1483 ovs/route/show
1485 Print all routes in OVS routing table, This includes routes
1486 cached from system routing table and user configured routes.
1487 ovs/route/del ipv4_address/plen
1489 Delete ipv4_address/plen route from OVS routing table.
1490 tnl/neigh/show
1492 tnl/arp/show
1494 OVS builds ARP cache by snooping are messages. This command
1495 shows ARP cache table.
1496 tnl/neigh/set bridge ip mac
1498 tnl/arp/set bridge ip mac
1500 Adds or modifies an ARP cache entry in bridge, mapping ip to
1501 mac.
1502 tnl/neigh/flush
1504 tnl/arp/flush
1506 Flush ARP table.
1507 tnl/egress_port_range [num1] [num2]
1509 Set range for UDP source port used for UDP based Tunnels. For
1510 example VxLAN. If case of zero arguments this command prints
1511 current range in use.
1512
1514 This section documents aspects of OpenFlow for which the OpenFlow spec‐
1515 ification requires documentation.
1516 Packet buffering.
1518 The OpenFlow specification, version 1.2, says:
1519 Switches that implement buffering are expected to expose,
1521 through documentation, both the amount of available buffering,
1522 and the length of time before buffers may be reused.
1523 Open vSwitch does not maintains any packet buffers.
1525 Bundle lifetime
1527 The OpenFlow specification, version 1.4, says:
1528 If the switch does not receive any OFPT_BUNDLE_CONTROL or
1530 OFPT_BUNDLE_ADD_MESSAGE message for an opened bundle_id for a
1531 switch defined time greater than 1s, it may send an
1532 ofp_error_msg with OFPET_BUNDLE_FAILED type and OFPBFC_TIMEOUT
1533 code. If the switch does not receive any new message in a bun‐
1534 dle apart from echo request and replies for a switch defined
1535 time greater than 1s, it may send an ofp_error_msg with
1536 OFPET_BUNDLE_FAILED type and OFPBFC_TIMEOUT code.
1537 Open vSwitch implements default idle bundle lifetime of 10 seconds.
1539 (This is configurable via other-config:bundle-idle-timeout in the
1540 Open_vSwitch table. See ovs-vswitchd.conf.db(5) for details.)
1541
1543 We believe these limits to be accurate as of this writing. These lim‐
1544 its assume the use of the Linux kernel datapath.
1545 · ovs-vswitchd started through ovs-ctl(8) provides a limit of
1547 65535 file descriptors. The limits on the number of bridges and
1548 ports is decided by the availability of file descriptors. With
1549 the Linux kernel datapath, creation of a single bridge consumes
1550 three file descriptors and each port consumes one additional
1551 file descriptor. Other platforms may have different limita‐
1552 tions.
1553 · 8,192 MAC learning entries per bridge, by default. (This is
1555 configurable via other-config:mac-table-size in the Bridge ta‐
1556 ble. See ovs-vswitchd.conf.db(5) for details.)
1557 · Kernel flows are limited only by memory available to the kernel.
1559 Performance will degrade beyond 1,048,576 kernel flows per
1560 bridge with a 32-bit kernel, beyond 262,144 with a 64-bit ker‐
1561 nel. (ovs-vswitchd should never install anywhere near that many
1562 flows.)
1563 · OpenFlow flows are limited only by available memory. Perfor‐
1565 mance is linear in the number of unique wildcard patterns. That
1566 is, an OpenFlow table that contains many flows that all match on
1567 the same fields in the same way has a constant-time lookup, but
1568 a table that contains many flows that match on different fields
1569 requires lookup time linear in the number of flows.
1570 · 255 ports per bridge participating in 802.1D Spanning Tree Pro‐
1572 tocol.
1573 · 32 mirrors per bridge.
1575 · 15 bytes for the name of a port, for ports implemented in the
1577 Linux kernel. Ports implemented in userspace, such as patch
1578 ports, do not have an arbitrary length limitation. OpenFlow
1579 also limit port names to 15 bytes.
1580
1582 ovs-appctl(8), ovsdb-server(1).
1583Open vSwitch 2.15.0 ovs-vswitchd(8)