[ovs.git] / utilities / ovs-ofctl.8.in

.TH ovs\-ofctl 8 "June 2009" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-ofctl

.SH NAME
ovs\-ofctl \- administer OpenFlow switches

.SH SYNOPSIS
.B ovs\-ofctl
[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...]

.SH DESCRIPTION
The
.B ovs\-ofctl
program is a command line tool for monitoring and administering
OpenFlow switches.  It can also show the current state of an OpenFlow
switch, including features, configuration, and table entries.

.SS "OpenFlow Switch Management Commands"

These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow
switch.  It is able to show the current state of a switch, including
features, configuration, and table entries.

Most of these commands take an argument that specifies the method for
connecting to an OpenFlow switch.  The following connection methods
are supported:

.RS
.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]"
The specified SSL \fIport\fR (default: 6633) on the host at the given
\fIip\fR, which must be expressed as an IP address (not a DNS name).
The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR
options are mandatory when this form is used.

.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]"
The specified TCP \fIport\fR (default: 6633) on the host at the given
\fIip\fR, which must be expressed as an IP address (not a DNS name).

.TP
\fBunix:\fIfile\fR
The Unix domain server socket named \fIfile\fR.  

.IP "\fIfile\fR"
This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not
contain a colon.

.IP \fIdp\fR
This is short for \fBunix:@RUNDIR@/\fIdp\fB.mgmt\fR, as long as
\fIdp\fR does not contain a colon.
.RE

.TP
\fBshow \fIswitch\fR
Prints to the console information on \fIswitch\fR, including
information on its flow tables and ports.

.TP
\fBstatus \fIswitch\fR [\fIkey\fR]
Prints to the console a series of key-value pairs that report the
status of \fIswitch\fR.  If \fIkey\fR is specified, only the key-value
pairs whose key names begin with \fIkey\fR are printed.  If \fIkey\fR is
omitted, all key-value pairs are printed.

.TP
\fBdump-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.

.TP
\fBdump-ports \fIswitch\fR
Prints to the console statistics for each of the network devices
associated with \fIswitch\fR.

.TP
\fBmod-port \fIswitch\fR \fInetdev\fR \fIaction\fR
Modify characteristics of an interface monitored by \fIswitch\fR.  
\fInetdev\fR can be referred to by its OpenFlow assigned port number or 
the device name, e.g. \fBeth0\fR.  The \fIaction\fR may be any one of the
following:

.RS
.IP \fBup\fR
Enables the interface.  This is equivalent to ``ifconfig up'' on a Unix
system.

.IP \fBdown\fR
Disables the interface.  This is equivalent to ``ifconfig down'' on a Unix
system.

.IP \fBflood\fR
When a \fIflood\fR action is specified, traffic will be sent out this
interface.  This is the default posture for monitored ports.

.IP \fBnoflood\fR
When a \fIflood\fR action is specified, traffic will not be sent out 
this interface.  This is primarily useful to prevent loops when a
spanning tree protocol is not in use.

.RE

.TP
\fBdump-flows \fIswitch \fR[\fIflows\fR]
Prints to the console all flow entries in \fIswitch\fR's
tables that match \fIflows\fR.  If \fIflows\fR is omitted, all flows
in the switch are retrieved.  See \fBFlow Syntax\fR, below, for the
syntax of \fIflows\fR.  The output format is described in 
\fBTable Entry Output\fR.

.TP
\fBdump-aggregate \fIswitch \fR[\fIflows\fR]
Prints to the console aggregate statistics for flows in 
\fIswitch\fR's tables that match \fIflows\fR.  If \fIflows\fR is omitted, 
the statistics are aggregated across all flows in the switch's flow
tables.  See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
The output format is descrbed in \fBTable Entry Output\fR.

.TP
\fBadd-flow \fIswitch flow\fR
Add the flow entry as described by \fIflow\fR to the \fIswitch\fR's 
tables.  The flow entry is in the format described in \fBFlow Syntax\fR, 
below.

.TP
\fBadd-flows \fIswitch file\fR
Add flow entries as described in \fIfile\fR to \fIswitch\fR's 
tables.  Each line in \fIfile\fR is a flow entry in the format
described in \fBFlow Syntax\fR, below.

.TP
\fBmod-flows \fIswitch flow\fR
Modify the actions in entries from the \fIswitch\fR's tables 
that match \fIflow\fR.  When invoked with the \fB--strict\fR option,
wildcards are not treated as active for matching purposes.  See 
\fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.

.TP
\fBdel-flows \fIswitch \fR[\fIflow\fR]
Deletes entries from the \fIswitch\fR's tables that match
\fIflow\fR.  When invoked with the \fB--strict\fR option, wildcards are 
not treated as active for matching purposes.  If \fIflow\fR is 
omitted and the \fB--strict\fR option is not used, all flows in the 
switch's tables are removed.  See \fBFlow Syntax\fR, below, for the 
syntax of \fIflows\fR.

.TP
\fBmonitor \fIswitch\fR [\fImiss-len\fR [\fIsend-exp]]
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Usually, \fIswitch\fR should specify a connection
named on \fBovs\-openflowd\fR(8)'s \fB-l\fR or \fB--listen\fR command line
option.

If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fImiss-len\fR bytes of each packet that misses the flow table.  The
OpenFlow reference implementation does not send these messages to the
\fBovs\-ofctl monitor\fR client connection unless a nonzero value is
specified on this argument.

If \fIsend-exp\fR is specified as \fB1\fR, \fBovs\-ofctl\fR will also
request to be sent flow expiration messages.  If this argument is
omitted, or \fB0\fR is specified, then \fRovs\-ofctl\fR will not request
flow expirations.

This command may be useful for debugging switch or controller
implementations.

.TP
\fBexecute \fIswitch command \fR[\fIarg\fR...]
Sends a request to \fIswitch\fR to execute \fIcommand\fR along with
each \fIarg\fR, if any, then waits for the command to complete and
reports its completion status on \fBstderr\fR and its output, if any,
on \fBstdout\fR.  The set of available commands and their argument is
switch-dependent.  (This command uses a Nicira extension to OpenFlow
that may not be available on all switches.)

.SS "OpenFlow Switch and Controller Commands"

The following commands, like those in the previous section, may be
applied to OpenFlow switches, using any of the connection methods
described in that section.  Unlike those commands, these may also be
applied to OpenFlow controllers.

.TP
\fBprobe \fItarget\fR
Sends a single OpenFlow echo-request message to \fItarget\fR and waits
for the response.  With the \fB-t\fR or \fB--timeout\fR option, this
command can test whether an OpenFlow switch or controller is up and
running.

.TP
\fBping \fItarget \fR[\fIn\fR]
Sends a series of 10 echo request packets to \fItarget\fR and times
each reply.  The echo request packets consist of an OpenFlow header
plus \fIn\fR bytes (default: 64) of randomly generated payload.  This
measures the latency of individual requests.

.TP
\fBbenchmark \fItarget n count\fR
Sends \fIcount\fR echo request packets that each consist of an
OpenFlow header plus \fIn\fR bytes of payload and waits for each
response.  Reports the total time required.  This is a measure of the
maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte
messages.

.SS "Flow Syntax"

Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
flows.  Such flow descriptions comprise a series
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a flow description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.)

The following field assignments describe how a flow matches a packet.
If any of these assignments is omitted from the flow syntax, the field
is treated as a wildcard; thus, if all of them are omitted, the
resulting flow matches all packets.  The string \fB*\fR or \fBANY\fR
may be specified to explicitly mark any of these fields as a wildcard.  
(\fB*\fR should be quoted to protect it from shell expansion.)

.IP \fBin_port=\fIport_no\fR
Matches physical port \fIport_no\fR.  Switch ports are numbered as
displayed by \fBovs\-ofctl show\fR.

.IP \fBdl_vlan=\fIvlan\fR
Matches IEEE 802.1q Virtual LAN tag \fIvlan\fR.  Specify \fB0xffff\fR
as \fIvlan\fR to match packets that are not tagged with a Virtual LAN;
otherwise, specify a number between 0 and 4095, inclusive, as the
12-bit VLAN ID to match.

.IP \fBdl_src=\fImac\fR
Matches Ethernet source address \fImac\fR, which is specified as 6 pairs 
of hexadecimal digits delimited by colons (e.g. \fB00:0A:E4:25:6B:B0\fR).

.IP \fBdl_dst=\fImac\fR
Matches Ethernet destination address \fImac\fR.

.IP \fBdl_type=\fIethertype\fR
Matches Ethernet protocol type \fIethertype\fR, which is specified as an
integer between 0 and 65535, inclusive, either in decimal or as a 
hexadecimal number prefixed by \fB0x\fR (e.g. \fB0x0806\fR to match ARP 
packets).

.IP \fBnw_src=\fIip\fR[\fB/\fInetmask\fR]
Matches IPv4 source address \fIip\fR, which may be specified as an
IP address or host name (e.g. \fB192.168.1.1\fR or
\fBwww.example.com\fR).  The optional \fInetmask\fR allows restricting a
match to an IPv4 address prefix.  The netmask may be specified as a dotted 
quad (e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block 
(e.g. \fB192.168.1.0/24\fR).

.IP \fBnw_dst=\fIip\fR[\fB/\fInetmask\fR]
Matches IPv4 destination address \fIip\fR.

.IP \fBnw_proto=\fIproto\fR
Matches IP protocol type \fIproto\fR, which is specified as a decimal 
number between 0 and 255, inclusive (e.g. 6 to match TCP packets).

.IP \fBtp_src=\fIport\fR
Matches UDP or TCP source port \fIport\fR, which is specified as a decimal 
number between 0 and 65535, inclusive (e.g. 80 to match packets originating 
from a HTTP server).

.IP \fBtp_dst=\fIport\fR
Matches UDP or TCP destination port \fIport\fR.

.IP \fBicmp_type=\fItype\fR
Matches ICMP message with \fItype\fR, which is specified as a decimal 
number between 0 and 255, inclusive.

.IP \fBicmp_code=\fIcode\fR
Matches ICMP messages with \fIcode\fR.

.PP
The following shorthand notations are also available:

.IP \fBip\fR
Same as \fBdl_type=0x0800\fR.

.IP \fBicmp\fR
Same as \fBdl_type=0x0800,nw_proto=1\fR.

.IP \fBtcp\fR
Same as \fBdl_type=0x0800,nw_proto=6\fR.

.IP \fBudp\fR
Same as \fBdl_type=0x0800,nw_proto=17\fR.

.IP \fBarp\fR
Same as \fBdl_type=0x0806\fR.

.PP
The \fBadd-flow\fR and \fBadd-flows\fR commands require an additional field:

.IP \fBactions=\fR[\fItarget\fR][\fB,\fItarget\fR...]\fR
Specifies a comma-separated list of actions to take on a packet when the 
flow entry matches.  If no \fItarget\fR is specified, then packets
matching the flow are dropped.  The \fItarget\fR may be a decimal port 
number designating the physical port on which to output the packet, or one 
of the following keywords:

.RS
.IP \fBoutput\fR:\fIport\fR
Outputs the packet on the port specified by \fIport\fR.

.IP \fBnormal\fR
Subjects the packet to the device's normal L2/L3 processing.  (This
action is not implemented by all OpenFlow switches.)

.IP \fBflood\fR
Outputs the packet on all switch physical ports other than the port on
which it was received and any ports on which flooding is disabled
(typically, these would be ports disabled by the IEEE 802.1D spanning
tree protocol).

.IP \fBall\fR
Outputs the packet on all switch physical ports other than the port on
which it was received.

.IP \fBcontroller\fR:\fImax_len\fR
Sends the packet to the OpenFlow controller as a ``packet in''
message.  If \fImax_len\fR is a number, then it specifies the maximum
number of bytes that should be sent.  If \fImax_len\fR is \fBALL\fR or
omitted, then the entire packet is sent.

.IP \fBlocal\fR
Outputs the packet on the ``local port,'' which corresponds to the
\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
\fBovs\-openflowd\fR(8) for information on the \fBof\fIn\fR network device).

.IP \fBdrop\fR
Discards the packet, so no further processing or forwarding takes place.
If a drop action is used, no other actions may be specified.

.IP \fBmod_vlan_vid\fR:\fIvlan_vid\fR
Modifies the VLAN id on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  If the VLAN tag is added,
a priority of zero is used (see the \fBmod_vlan_pcp\fR action to set
this).

.IP \fBmod_vlan_pcp\fR:\fIvlan_pcp\fR
Modifies the VLAN priority on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  Valid values are between 0
(lowest) and 7 (highest).  If the VLAN tag is added, a vid of zero is used 
(see the \fBmod_vlan_vid\fR action to set this).

.IP \fBstrip_vlan\fR
Strips the VLAN tag from a packet if it is present.

.IP \fBmod_dl_src\fB:\fImac\fR
Sets the source Ethernet address to \fImac\fR.

.IP \fBmod_dl_dst\fB:\fImac\fR
Sets the destination Ethernet address to \fImac\fR.
.RE

.IP
(The OpenFlow protocol supports other actions that \fBovs\-ofctl\fR does
not yet expose to the user.)

.PP
The \fBadd-flow\fR, \fBadd-flows\fR, and \fBdel-flows\fR commands
support an additional optional field:

.IP \fBpriority=\fIvalue\fR
The priority at which a wildcarded entry will match in comparison to
others.  \fIvalue\fR is a number between 0 and 65535, inclusive.  A higher 
\fIvalue\fR will match before a lower one.  An exact-match entry will always 
have priority over an entry containing wildcards, so it has an implicit 
priority value of 65535.  When adding a flow, if the field is not specified, 
the flow's priority will default to 32768.

.PP
The \fBadd-flow\fR and \fBadd-flows\fR commands support additional
optional fields:

.TP
\fBidle_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds of
inactivity.  A value of 0 prevents a flow from expiring due to
inactivity.  The default is 60 seconds.

.IP \fBhard_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds,
regardless of activity.  A value of 0 (the default) gives the flow no
hard expiration deadline.

.PP
The \fBdump-flows\fR, \fBdump-aggregate\fR, \fBdel-flow\fR 
and \fBdel-flows\fR commands support one additional optional field:

.TP
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR.

.PP
The \fBdump-flows\fR and \fBdump-aggregate\fR commands support an
additional optional field:

.IP \fBtable=\fInumber\fR
If specified, limits the flows about which statistics are gathered to
those in the table with the given \fInumber\fR.  Tables are numbered
as shown by the \fBdump-tables\fR command.

If this field is not specified, or if \fInumber\fR is given as
\fB255\fR, statistics are gathered about flows from all tables.

.SS "Table Entry Output"

The \fBdump-tables\fR and \fBdump-aggregate\fR commands print information 
about the entries in a datapath's tables.  Each line of output is a 
unique flow entry, which begins with some common information:

.IP \fBduration\fR
The number of seconds the entry has been in the table.

.IP \fBtable_id\fR
The table that contains the flow.  When a packet arrives, the switch 
begins searching for an entry at the lowest numbered table.  Tables are 
numbered as shown by the \fBdump-tables\fR command.

.IP \fBpriority\fR
The priority of the entry in relation to other entries within the same
table.  A higher value will match before a lower one.

.IP \fBn_packets\fR
The number of packets that have matched the entry.

.IP \fBn_bytes\fR
The total number of bytes from packets that have matched the entry.

.PP
The rest of the line consists of a description of the flow entry as 
described in \fBFlow Syntax\fR, above.


.SH OPTIONS
.TP
\fB--strict\fR
Uses strict matching when running flow modification commands.

.TP
\fB-t\fR, \fB--timeout=\fIsecs\fR
Limits \fBovs\-ofctl\fR runtime to approximately \fIsecs\fR seconds.  If
the timeout expires, \fBovs\-ofctl\fR will exit with a \fBSIGALRM\fR
signal.

.TP
\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
Specifies a PEM file containing the private key used as the
identity for SSL connections to a switch.

.TP
\fB-c\fR, \fB--certificate=\fIcert.pem\fR
Specifies a PEM file containing a certificate, signed by the
controller's certificate authority (CA), that certifies the
private key to identify a trustworthy controller.

.TP
\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
Specifies a PEM file containing the CA certificate used to verify that
a switch is trustworthy.

.so lib/vlog.man
.so lib/common.man

.SH EXAMPLES

The following examples assume that an OpenFlow switch on the local
host has been configured to listen for management connections on a
Unix domain socket named \fB@RUNDIR@/openflow.sock\fR, e.g. by
specifying \fB--listen=punix:@RUNDIR@/openflow.sock\fR on the
\fBovs\-openflowd\fR(8) command line.

.TP
\fBovs\-ofctl dump-tables unix:@RUNDIR@/openflow.sock\fR
Prints out the switch's table stats.  (This is more interesting after
some traffic has passed through.)

.TP
\fBovs\-ofctl dump-flows unix:@RUNDIR@/openflow.sock\fR
Prints the flow entries in the switch.

.SH "SEE ALSO"

.BR ovs\-appctl (8),
.BR ovs\-controller (8),
.BR ovs\-vswitchd (8)
Commit	Line	Data
f30f26be	1	.TH ovs\-ofctl 8 "June 2009" "Open vSwitch" "Open vSwitch Manual"
064af421 BP	2	.ds PN ovs\-ofctl
	3
	4	.SH NAME
	5	ovs\-ofctl \- administer OpenFlow switches
	6
	7	.SH SYNOPSIS
	8	.B ovs\-ofctl
	9	[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...]
	10
	11	.SH DESCRIPTION
	12	The
	13	.B ovs\-ofctl
	14	program is a command line tool for monitoring and administering
	15	OpenFlow switches. It can also show the current state of an OpenFlow
	16	switch, including features, configuration, and table entries.
	17
	18	.SS "OpenFlow Switch Management Commands"
	19
	20	These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow
	21	switch. It is able to show the current state of a switch, including
	22	features, configuration, and table entries.
	23
	24	Most of these commands take an argument that specifies the method for
	25	connecting to an OpenFlow switch. The following connection methods
	26	are supported:
	27
	28	.RS
2b35e147 BP	29	.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]"
	30	The specified SSL \fIport\fR (default: 6633) on the host at the given
	31	\fIip\fR, which must be expressed as an IP address (not a DNS name).
	32	The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR
	33	options are mandatory when this form is used.
	34
	35	.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]"
	36	The specified TCP \fIport\fR (default: 6633) on the host at the given
	37	\fIip\fR, which must be expressed as an IP address (not a DNS name).
064af421 BP	38
	39	.TP
	40	\fBunix:\fIfile\fR
	41	The Unix domain server socket named \fIfile\fR.
	42
	43	.IP "\fIfile\fR"
	44	This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not
	45	contain a colon.
	46
	47	.IP \fIdp\fR
	48	This is short for \fBunix:@RUNDIR@/\fIdp\fB.mgmt\fR, as long as
	49	\fIdp\fR does not contain a colon.
	50	.RE
	51
	52	.TP
	53	\fBshow \fIswitch\fR
	54	Prints to the console information on \fIswitch\fR, including
	55	information on its flow tables and ports.
	56
	57	.TP
	58	\fBstatus \fIswitch\fR [\fIkey\fR]
	59	Prints to the console a series of key-value pairs that report the
	60	status of \fIswitch\fR. If \fIkey\fR is specified, only the key-value
	61	pairs whose key names begin with \fIkey\fR are printed. If \fIkey\fR is
	62	omitted, all key-value pairs are printed.
	63
	64	.TP
	65	\fBdump-tables \fIswitch\fR
	66	Prints to the console statistics for each of the flow tables used by
	67	\fIswitch\fR.
	68
	69	.TP
	70	\fBdump-ports \fIswitch\fR
	71	Prints to the console statistics for each of the network devices
	72	associated with \fIswitch\fR.
	73
	74	.TP
	75	\fBmod-port \fIswitch\fR \fInetdev\fR \fIaction\fR
	76	Modify characteristics of an interface monitored by \fIswitch\fR.
	77	\fInetdev\fR can be referred to by its OpenFlow assigned port number or
	78	the device name, e.g. \fBeth0\fR. The \fIaction\fR may be any one of the
	79	following:
	80
	81	.RS
	82	.IP \fBup\fR
	83	Enables the interface. This is equivalent to ``ifconfig up'' on a Unix
	84	system.
	85
	86	.IP \fBdown\fR
	87	Disables the interface. This is equivalent to ``ifconfig down'' on a Unix
	88	system.
	89
	90	.IP \fBflood\fR
	91	When a \fIflood\fR action is specified, traffic will be sent out this
	92	interface. This is the default posture for monitored ports.
	93
	94	.IP \fBnoflood\fR
	95	When a \fIflood\fR action is specified, traffic will not be sent out
	96	this interface. This is primarily useful to prevent loops when a
	97	spanning tree protocol is not in use.
	98
	99	.RE
	100
	101	.TP
102	\fBdump-flows \fIswitch \fR[\fIflows\fR]
103	Prints to the console all flow entries in \fIswitch\fR's
104	tables that match \fIflows\fR. If \fIflows\fR is omitted, all flows
105	in the switch are retrieved. See \fBFlow Syntax\fR, below, for the
106	syntax of \fIflows\fR. The output format is described in
107	\fBTable Entry Output\fR.
108
109	.TP
110	\fBdump-aggregate \fIswitch \fR[\fIflows\fR]
111	Prints to the console aggregate statistics for flows in
112	\fIswitch\fR's tables that match \fIflows\fR. If \fIflows\fR is omitted,
113	the statistics are aggregated across all flows in the switch's flow
114	tables. See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
115	The output format is descrbed in \fBTable Entry Output\fR.
116
117	.TP
118	\fBadd-flow \fIswitch flow\fR
119	Add the flow entry as described by \fIflow\fR to the \fIswitch\fR's
120	tables. The flow entry is in the format described in \fBFlow Syntax\fR,
121	below.
122
123	.TP
124	\fBadd-flows \fIswitch file\fR
125	Add flow entries as described in \fIfile\fR to \fIswitch\fR's
126	tables. Each line in \fIfile\fR is a flow entry in the format
127	described in \fBFlow Syntax\fR, below.
128
129	.TP
130	\fBmod-flows \fIswitch flow\fR
131	Modify the actions in entries from the \fIswitch\fR's tables
132	that match \fIflow\fR. When invoked with the \fB--strict\fR option,
133	wildcards are not treated as active for matching purposes. See
134	\fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
135
136	.TP
137	\fBdel-flows \fIswitch \fR[\fIflow\fR]
138	Deletes entries from the \fIswitch\fR's tables that match
139	\fIflow\fR. When invoked with the \fB--strict\fR option, wildcards are
140	not treated as active for matching purposes. If \fIflow\fR is
141	omitted and the \fB--strict\fR option is not used, all flows in the
142	switch's tables are removed. See \fBFlow Syntax\fR, below, for the
143	syntax of \fIflows\fR.
144
145	.TP
146	\fBmonitor \fIswitch\fR [\fImiss-len\fR [\fIsend-exp]]
147	Connects to \fIswitch\fR and prints to the console all OpenFlow
148	messages received. Usually, \fIswitch\fR should specify a connection
8cd4882f	149	named on \fBovs\-openflowd\fR(8)'s \fB-l\fR or \fB--listen\fR command line
064af421 BP	150	option.
	151
	152	If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
	153	configuration'' message at connection setup time that requests
	154	\fImiss-len\fR bytes of each packet that misses the flow table. The
cae40bbd	155	OpenFlow reference implementation does not send these messages to the
064af421 BP	156	\fBovs\-ofctl monitor\fR client connection unless a nonzero value is
	157	specified on this argument.
	158
	159	If \fIsend-exp\fR is specified as \fB1\fR, \fBovs\-ofctl\fR will also
	160	request to be sent flow expiration messages. If this argument is
	161	omitted, or \fB0\fR is specified, then \fRovs\-ofctl\fR will not request
	162	flow expirations.
	163
	164	This command may be useful for debugging switch or controller
	165	implementations.
	166
	167	.TP
	168	\fBexecute \fIswitch command \fR[\fIarg\fR...]
	169	Sends a request to \fIswitch\fR to execute \fIcommand\fR along with
	170	each \fIarg\fR, if any, then waits for the command to complete and
	171	reports its completion status on \fBstderr\fR and its output, if any,
	172	on \fBstdout\fR. The set of available commands and their argument is
	173	switch-dependent. (This command uses a Nicira extension to OpenFlow
	174	that may not be available on all switches.)
	175
	176	.SS "OpenFlow Switch and Controller Commands"
	177
	178	The following commands, like those in the previous section, may be
	179	applied to OpenFlow switches, using any of the connection methods
	180	described in that section. Unlike those commands, these may also be
	181	applied to OpenFlow controllers.
	182
	183	.TP
	184	\fBprobe \fItarget\fR
	185	Sends a single OpenFlow echo-request message to \fItarget\fR and waits
	186	for the response. With the \fB-t\fR or \fB--timeout\fR option, this
	187	command can test whether an OpenFlow switch or controller is up and
	188	running.
	189
	190	.TP
	191	\fBping \fItarget \fR[\fIn\fR]
	192	Sends a series of 10 echo request packets to \fItarget\fR and times
	193	each reply. The echo request packets consist of an OpenFlow header
	194	plus \fIn\fR bytes (default: 64) of randomly generated payload. This
	195	measures the latency of individual requests.
	196
	197	.TP
	198	\fBbenchmark \fItarget n count\fR
	199	Sends \fIcount\fR echo request packets that each consist of an
	200	OpenFlow header plus \fIn\fR bytes of payload and waits for each
	201	response. Reports the total time required. This is a measure of the
	202	maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte
	203	messages.
	204
	205	.SS "Flow Syntax"
	206
	207	Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
	208	flows. Such flow descriptions comprise a series
	209	\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
	210	space. (Embedding spaces into a flow description normally requires
	211	quoting to prevent the shell from breaking the description into
	212	multiple arguments.)
	213
	214	The following field assignments describe how a flow matches a packet.
	215	If any of these assignments is omitted from the flow syntax, the field
	216	is treated as a wildcard; thus, if all of them are omitted, the
	217	resulting flow matches all packets. The string \fB*\fR or \fBANY\fR
	218	may be specified to explicitly mark any of these fields as a wildcard.
	219	(\fB*\fR should be quoted to protect it from shell expansion.)
220
221	.IP \fBin_port=\fIport_no\fR
222	Matches physical port \fIport_no\fR. Switch ports are numbered as
223	displayed by \fBovs\-ofctl show\fR.
224
225	.IP \fBdl_vlan=\fIvlan\fR
f30f26be JP	226	Matches IEEE 802.1q Virtual LAN tag \fIvlan\fR. Specify \fB0xffff\fR
f30f26be JP	227	as \fIvlan\fR to match packets that are not tagged with a Virtual LAN;
064af421 BP	228	otherwise, specify a number between 0 and 4095, inclusive, as the
	229	12-bit VLAN ID to match.
	230
	231	.IP \fBdl_src=\fImac\fR
	232	Matches Ethernet source address \fImac\fR, which is specified as 6 pairs
	233	of hexadecimal digits delimited by colons (e.g. \fB00:0A:E4:25:6B:B0\fR).
	234
	235	.IP \fBdl_dst=\fImac\fR
	236	Matches Ethernet destination address \fImac\fR.
	237
	238	.IP \fBdl_type=\fIethertype\fR
	239	Matches Ethernet protocol type \fIethertype\fR, which is specified as an
	240	integer between 0 and 65535, inclusive, either in decimal or as a
	241	hexadecimal number prefixed by \fB0x\fR (e.g. \fB0x0806\fR to match ARP
	242	packets).
	243
	244	.IP \fBnw_src=\fIip\fR[\fB/\fInetmask\fR]
	245	Matches IPv4 source address \fIip\fR, which may be specified as an
	246	IP address or host name (e.g. \fB192.168.1.1\fR or
	247	\fBwww.example.com\fR). The optional \fInetmask\fR allows restricting a
	248	match to an IPv4 address prefix. The netmask may be specified as a dotted
	249	quad (e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block
	250	(e.g. \fB192.168.1.0/24\fR).
	251
	252	.IP \fBnw_dst=\fIip\fR[\fB/\fInetmask\fR]
	253	Matches IPv4 destination address \fIip\fR.
	254
	255	.IP \fBnw_proto=\fIproto\fR
	256	Matches IP protocol type \fIproto\fR, which is specified as a decimal
	257	number between 0 and 255, inclusive (e.g. 6 to match TCP packets).
	258
	259	.IP \fBtp_src=\fIport\fR
	260	Matches UDP or TCP source port \fIport\fR, which is specified as a decimal
	261	number between 0 and 65535, inclusive (e.g. 80 to match packets originating
	262	from a HTTP server).
	263
	264	.IP \fBtp_dst=\fIport\fR
	265	Matches UDP or TCP destination port \fIport\fR.
	266
	267	.IP \fBicmp_type=\fItype\fR
	268	Matches ICMP message with \fItype\fR, which is specified as a decimal
	269	number between 0 and 255, inclusive.
	270
	271	.IP \fBicmp_code=\fIcode\fR
	272	Matches ICMP messages with \fIcode\fR.
	273
	274	.PP
	275	The following shorthand notations are also available:
	276
	277	.IP \fBip\fR
	278	Same as \fBdl_type=0x0800\fR.
	279
	280	.IP \fBicmp\fR
	281	Same as \fBdl_type=0x0800,nw_proto=1\fR.
	282
	283	.IP \fBtcp\fR
	284	Same as \fBdl_type=0x0800,nw_proto=6\fR.
	285
	286	.IP \fBudp\fR
	287	Same as \fBdl_type=0x0800,nw_proto=17\fR.
	288
	289	.IP \fBarp\fR
	290	Same as \fBdl_type=0x0806\fR.
	291
292	.PP
293	The \fBadd-flow\fR and \fBadd-flows\fR commands require an additional field:
294
295	.IP \fBactions=\fR[\fItarget\fR][\fB,\fItarget\fR...]\fR
296	Specifies a comma-separated list of actions to take on a packet when the
297	flow entry matches. If no \fItarget\fR is specified, then packets
298	matching the flow are dropped. The \fItarget\fR may be a decimal port
299	number designating the physical port on which to output the packet, or one
300	of the following keywords:
301
302	.RS
303	.IP \fBoutput\fR:\fIport\fR
304	Outputs the packet on the port specified by \fIport\fR.
305
306	.IP \fBnormal\fR
307	Subjects the packet to the device's normal L2/L3 processing. (This
308	action is not implemented by all OpenFlow switches.)
309
310	.IP \fBflood\fR
311	Outputs the packet on all switch physical ports other than the port on
312	which it was received and any ports on which flooding is disabled
313	(typically, these would be ports disabled by the IEEE 802.1D spanning
314	tree protocol).
315
316	.IP \fBall\fR
317	Outputs the packet on all switch physical ports other than the port on
318	which it was received.
319
320	.IP \fBcontroller\fR:\fImax_len\fR
321	Sends the packet to the OpenFlow controller as a ``packet in''
322	message. If \fImax_len\fR is a number, then it specifies the maximum
323	number of bytes that should be sent. If \fImax_len\fR is \fBALL\fR or
324	omitted, then the entire packet is sent.
325
326	.IP \fBlocal\fR
327	Outputs the packet on the ``local port,'' which corresponds to the
328	\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
8cd4882f	329	\fBovs\-openflowd\fR(8) for information on the \fBof\fIn\fR network device).
064af421 BP	330
	331	.IP \fBdrop\fR
	332	Discards the packet, so no further processing or forwarding takes place.
	333	If a drop action is used, no other actions may be specified.
	334
	335	.IP \fBmod_vlan_vid\fR:\fIvlan_vid\fR
	336	Modifies the VLAN id on a packet. The VLAN tag is added or modified
	337	as necessary to match the value specified. If the VLAN tag is added,
	338	a priority of zero is used (see the \fBmod_vlan_pcp\fR action to set
	339	this).
	340
	341	.IP \fBmod_vlan_pcp\fR:\fIvlan_pcp\fR
	342	Modifies the VLAN priority on a packet. The VLAN tag is added or modified
	343	as necessary to match the value specified. Valid values are between 0
	344	(lowest) and 7 (highest). If the VLAN tag is added, a vid of zero is used
	345	(see the \fBmod_vlan_vid\fR action to set this).
	346
	347	.IP \fBstrip_vlan\fR
	348	Strips the VLAN tag from a packet if it is present.
	349
	350	.IP \fBmod_dl_src\fB:\fImac\fR
	351	Sets the source Ethernet address to \fImac\fR.
	352
	353	.IP \fBmod_dl_dst\fB:\fImac\fR
	354	Sets the destination Ethernet address to \fImac\fR.
	355	.RE
	356
	357	.IP
	358	(The OpenFlow protocol supports other actions that \fBovs\-ofctl\fR does
	359	not yet expose to the user.)
	360
	361	.PP
	362	The \fBadd-flow\fR, \fBadd-flows\fR, and \fBdel-flows\fR commands
	363	support an additional optional field:
	364
	365	.IP \fBpriority=\fIvalue\fR
	366	The priority at which a wildcarded entry will match in comparison to
	367	others. \fIvalue\fR is a number between 0 and 65535, inclusive. A higher
	368	\fIvalue\fR will match before a lower one. An exact-match entry will always
	369	have priority over an entry containing wildcards, so it has an implicit
	370	priority value of 65535. When adding a flow, if the field is not specified,
	371	the flow's priority will default to 32768.
	372
	373	.PP
	374	The \fBadd-flow\fR and \fBadd-flows\fR commands support additional
	375	optional fields:
	376
	377	.TP
	378	\fBidle_timeout=\fIseconds\fR
	379	Causes the flow to expire after the given number of seconds of
	380	inactivity. A value of 0 prevents a flow from expiring due to
	381	inactivity. The default is 60 seconds.
	382
	383	.IP \fBhard_timeout=\fIseconds\fR
	384	Causes the flow to expire after the given number of seconds,
	385	regardless of activity. A value of 0 (the default) gives the flow no
	386	hard expiration deadline.
	387
	388	.PP
	389	The \fBdump-flows\fR, \fBdump-aggregate\fR, \fBdel-flow\fR
	390	and \fBdel-flows\fR commands support one additional optional field:
	391
	392	.TP
	393	\fBout_port=\fIport\fR
394	If set, a matching flow must include an output action to \fIport\fR.
395
396	.PP
397	The \fBdump-flows\fR and \fBdump-aggregate\fR commands support an
398	additional optional field:
399
400	.IP \fBtable=\fInumber\fR
401	If specified, limits the flows about which statistics are gathered to
402	those in the table with the given \fInumber\fR. Tables are numbered
403	as shown by the \fBdump-tables\fR command.
404
405	If this field is not specified, or if \fInumber\fR is given as
406	\fB255\fR, statistics are gathered about flows from all tables.
407
408	.SS "Table Entry Output"
409
410	The \fBdump-tables\fR and \fBdump-aggregate\fR commands print information
411	about the entries in a datapath's tables. Each line of output is a
412	unique flow entry, which begins with some common information:
413
414	.IP \fBduration\fR
415	The number of seconds the entry has been in the table.
416
417	.IP \fBtable_id\fR
418	The table that contains the flow. When a packet arrives, the switch
419	begins searching for an entry at the lowest numbered table. Tables are
420	numbered as shown by the \fBdump-tables\fR command.
421
422	.IP \fBpriority\fR
423	The priority of the entry in relation to other entries within the same
424	table. A higher value will match before a lower one.
425
426	.IP \fBn_packets\fR
427	The number of packets that have matched the entry.
428
429	.IP \fBn_bytes\fR
430	The total number of bytes from packets that have matched the entry.
431
432	.PP
433	The rest of the line consists of a description of the flow entry as
434	described in \fBFlow Syntax\fR, above.
435
436
437	.SH OPTIONS
438	.TP
439	\fB--strict\fR
440	Uses strict matching when running flow modification commands.
441
442	.TP
443	\fB-t\fR, \fB--timeout=\fIsecs\fR
444	Limits \fBovs\-ofctl\fR runtime to approximately \fIsecs\fR seconds. If
445	the timeout expires, \fBovs\-ofctl\fR will exit with a \fBSIGALRM\fR
446	signal.
447
448	.TP
449	\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
450	Specifies a PEM file containing the private key used as the
451	identity for SSL connections to a switch.
452
453	.TP
454	\fB-c\fR, \fB--certificate=\fIcert.pem\fR
455	Specifies a PEM file containing a certificate, signed by the
456	controller's certificate authority (CA), that certifies the
457	private key to identify a trustworthy controller.
458
459	.TP
460	\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
461	Specifies a PEM file containing the CA certificate used to verify that
462	a switch is trustworthy.
463
464	.so lib/vlog.man
465	.so lib/common.man
466
467	.SH EXAMPLES
468
469	The following examples assume that an OpenFlow switch on the local
470	host has been configured to listen for management connections on a
471	Unix domain socket named \fB@RUNDIR@/openflow.sock\fR, e.g. by
472	specifying \fB--listen=punix:@RUNDIR@/openflow.sock\fR on the
8cd4882f	473	\fBovs\-openflowd\fR(8) command line.
064af421 BP	474
	475	.TP
	476	\fBovs\-ofctl dump-tables unix:@RUNDIR@/openflow.sock\fR
	477	Prints out the switch's table stats. (This is more interesting after
	478	some traffic has passed through.)
	479
	480	.TP
	481	\fBovs\-ofctl dump-flows unix:@RUNDIR@/openflow.sock\fR
	482	Prints the flow entries in the switch.
	483
	484	.SH "SEE ALSO"
	485
	486	.BR ovs\-appctl (8),
	487	.BR ovs\-controller (8),
	488	.BR ovs\-vswitchd (8)