ovs-ofctl: Free leaked minimatch

[mirror_ovs.git] / utilities / ovs-ofctl.8.in

.\" -*- nroff -*-
.so lib/ovs.tmac
.TH ovs\-ofctl 8 "@VERSION@" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-ofctl
.
.SH NAME
ovs\-ofctl \- administer OpenFlow switches
.
.SH SYNOPSIS
.B ovs\-ofctl
[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...]
.
.SH DESCRIPTION
The
.B ovs\-ofctl
program is a command line tool for monitoring and administering
OpenFlow switches.  It can also show the current state of an OpenFlow
switch, including features, configuration, and table entries.
It should work with any OpenFlow switch, not just Open vSwitch.
.
.SS "OpenFlow Switch Management Commands"
.PP
These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow
switch.  It is able to show the current state of a switch, including
features, configuration, and table entries.
.PP
Most of these commands take an argument that specifies the method for
connecting to an OpenFlow switch.  The following connection methods
are supported:
.
.RS
.so lib/vconn-active.man
.
.IP "\fIfile\fR"
This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not
contain a colon.
.
.IP \fIbridge\fR
This is short for \fBunix:@RUNDIR@/\fIbridge\fB.mgmt\fR, as long as
\fIbridge\fR does not contain a colon.
.
.IP [\fItype\fB@\fR]\fIdp\fR
Attempts to look up the bridge associated with \fIdp\fR and open as
above.  If \fItype\fR is given, it specifies the datapath provider of
\fIdp\fR, otherwise the default provider \fBsystem\fR is assumed.
.RE
.
.TP
\fBshow \fIswitch\fR
Prints to the console information on \fIswitch\fR, including
information on its flow tables and ports.
.
.TP
\fBdump\-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.
.TP
\fBdump\-table\-features \fIswitch\fR
Prints to the console features for each of the flow tables used by
\fIswitch\fR.
.TP
\fBdump\-table\-desc \fIswitch\fR
Prints to the console configuration for each of the flow tables used
by \fIswitch\fR for OpenFlow 1.4+.
.IP "\fBmod\-table \fIswitch\fR \fItable\fR \fIsetting\fR"
This command configures flow table settings in \fIswitch\fR for
OpenFlow table \fItable\fR, which may be expressed as a number or
(unless \fB\-\-no\-names\fR is specified) a name.
.IP
The available settings depend on
the OpenFlow version in use.  In OpenFlow 1.1 and 1.2 (which must be
enabled with the \fB\-O\fR option) only, \fBmod\-table\fR configures
behavior when no flow is found when a packet is looked up in a flow
table.  The following \fIsetting\fR values are available:
.RS
.IP \fBdrop\fR
Drop the packet.
.IP \fBcontinue\fR
Continue to the next table in the pipeline.  (This is how an OpenFlow
1.0 switch always handles packets that do not match any flow, in
tables other than the last one.)
.IP \fBcontroller\fR
Send to controller.  (This is how an OpenFlow 1.0 switch always
handles packets that do not match any flow in the last table.)
.RE
.IP
In OpenFlow 1.3 and later (which must be enabled with the \fB\-O\fR
option) and Open vSwitch 2.11 and later only, \fBmod\-table\fR can
change the name of a table:
.RS
.IP \fBname:\fInew-name\fR
Changes the name of the table to \fInew-name\fR.  Use an empty
\fInew-name\fR to clear the name.  (This will be ineffective if the
name is set via the \fBname\fR column in the \fBFlow_Table\fR table in
the \fBOpen_vSwitch\fR database as described in
\fBovs\-vswitchd.conf.db\fR(5).)
.RE
.IP
In OpenFlow 1.4 and later (which must be enabled with the \fB\-O\fR
option) only, \fBmod\-table\fR configures the behavior when a
controller attempts to add a flow to a flow table that is full.  The
following \fIsetting\fR values are available:
.RS
.IP \fBevict\fR
Delete some existing flow from the flow table, according to the
algorithm described for the \fBFlow_Table\fR table in
\fBovs-vswitchd.conf.db\fR(5).
.IP \fBnoevict\fR
Refuse to add the new flow.  (Eviction might still be enabled through
the \fBoverflow_policy\fR column in the \fBFlow_Table\fR table
documented in \fBovs-vswitchd.conf.db\fR(5).)
.IP \fBvacancy:\fIlow\fB,\fIhigh\fR
Enables sending vacancy events to controllers using \fBTABLE_STATUS\fR
messages, based on percentage thresholds \fIlow\fR and \fIhigh\fR.
.IP \fBnovacancy\fR
Disables vacancy events.
.RE
.
.TP
\fBdump\-ports \fIswitch\fR [\fInetdev\fR]
Prints to the console statistics for network devices associated with 
\fIswitch\fR.  If \fInetdev\fR is specified, only the statistics
associated with that device will be printed.  \fInetdev\fR can be an
OpenFlow assigned port number or device name, e.g. \fBeth0\fR.
.
.IP "\fBdump\-ports\-desc \fIswitch\fR [\fIport\fR]"
Prints to the console detailed information about network devices
associated with \fIswitch\fR.  To dump only a specific port, specify
its number as \fIport\fR.  Otherwise, if \fIport\fR is omitted, or if
it is specified as \fBANY\fR, then all ports are printed.  This is a
subset of the information provided by the \fBshow\fR command.
.IP
If the connection to \fIswitch\fR negotiates OpenFlow 1.0, 1.2, or
1.2, this command uses an OpenFlow extension only implemented in Open
vSwitch (version 1.7 and later).
.IP
Only OpenFlow 1.5 and later support dumping a specific port.  Earlier
versions of OpenFlow always dump all ports.
.
.IP "\fBmod\-port \fIswitch\fR \fIport\fR \fIaction\fR"
Modify characteristics of port \fBport\fR in \fIswitch\fR.  \fIport\fR
may be an OpenFlow port number or name (unless \fB\-\-no\-names\fR is
specified) or the keyword \fBLOCAL\fR (the
preferred way to refer to the OpenFlow local port).  The \fIaction\fR
may be any one of the following:
.
.RS
.IQ \fBup\fR
.IQ \fBdown\fR
Enable or disable the interface.  This is equivalent to \fBip
link set up\fR or \fBip link set down\fR on a Unix system.
.
.IP \fBstp\fR
.IQ \fBno\-stp\fR
Enable or disable 802.1D spanning tree protocol (STP) on the
interface.  OpenFlow implementations that don't support STP will
refuse to enable it.
.
.IP \fBreceive\fR
.IQ \fBno\-receive\fR
.IQ \fBreceive\-stp\fR
.IQ \fBno\-receive\-stp\fR
Enable or disable OpenFlow processing of packets received on this
interface.  When packet processing is disabled, packets will be
dropped instead of being processed through the OpenFlow table.  The
\fBreceive\fR or \fBno\-receive\fR setting applies to all packets
except 802.1D spanning tree packets, which are separately controlled
by \fBreceive\-stp\fR or \fBno\-receive\-stp\fR.
.
.IP \fBforward\fR
.IQ \fBno\-forward\fR
Allow or disallow forwarding of traffic to this interface.  By
default, forwarding is enabled.
.
.IP \fBflood\fR
.IQ \fBno\-flood\fR
Controls whether an OpenFlow \fBflood\fR action will send traffic out
this interface.  By default, flooding is enabled.  Disabling flooding
is primarily useful to prevent loops when a spanning tree protocol is
not in use.
.
.IP \fBpacket\-in\fR
.IQ \fBno\-packet\-in\fR
Controls whether packets received on this interface that do not match
a flow table entry generate a ``packet in'' message to the OpenFlow
controller.  By default, ``packet in'' messages are enabled.
.RE
.IP
The \fBshow\fR command displays (among other information) the
configuration that \fBmod\-port\fR changes.
.
.IP "\fBget\-frags \fIswitch\fR"
Prints \fIswitch\fR's fragment handling mode.  See \fBset\-frags\fR,
below, for a description of each fragment handling mode.
.IP
The \fBshow\fR command also prints the fragment handling mode among
its other output.
.
.IP "\fBset\-frags \fIswitch frag_mode\fR"
Configures \fIswitch\fR's treatment of IPv4 and IPv6 fragments.  The
choices for \fIfrag_mode\fR are:
.RS
.IP "\fBnormal\fR"
Fragments pass through the flow table like non-fragmented packets.
The TCP ports, UDP ports, and ICMP type and code fields are always set
to 0, even for fragments where that information would otherwise be
available (fragments with offset 0).  This is the default fragment
handling mode for an OpenFlow switch.
.IP "\fBdrop\fR"
Fragments are dropped without passing through the flow table.
.IP "\fBreassemble\fR"
The switch reassembles fragments into full IP packets before passing
them through the flow table.  Open vSwitch does not implement this
fragment handling mode.
.IP "\fBnx\-match\fR"
Fragments pass through the flow table like non-fragmented packets.
The TCP ports, UDP ports, and ICMP type and code fields are available
for matching for fragments with offset 0, and set to 0 in fragments
with nonzero offset.  This mode is a Nicira extension.
.RE
.IP
See the description of \fBip_frag\fR, in \fBovs\-fields\fR(7), for a way to
match on whether a packet is a fragment and on its fragment offset.
.
.TP
\fBdump\-flows \fIswitch \fR[\fIflows\fR]
Prints to the console all flow entries in \fIswitch\fR's
tables that match \fIflows\fR.  If \fIflows\fR is omitted, all flows
in the switch are retrieved.  See \fBFlow Syntax\fR, below, for the
syntax of \fIflows\fR.  The output format is described in
\fBTable Entry Output\fR.
.
.IP
By default, \fBovs\-ofctl\fR prints flow entries in the same order
that the switch sends them, which is unlikely to be intuitive or
consistent.  Use \fB\-\-sort\fR and \fB\-\-rsort\fR to control display
order.  The \fB\-\-names\fR/\fB\-\-no\-names\fR and
\fB\-\-stats\fR/\fB\-\-no\-stats\fR options also affect output
formatting.  See the descriptions of these options, under
\fBOPTIONS\fR below, for more information
.
.TP
\fBdump\-aggregate \fIswitch \fR[\fIflows\fR]
Prints to the console aggregate statistics for flows in
\fIswitch\fR's tables that match \fIflows\fR.  If \fIflows\fR is omitted, 
the statistics are aggregated across all flows in the switch's flow
tables.  See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
The output format is described in \fBTable Entry Output\fR.
.
.IP "\fBqueue\-stats \fIswitch \fR[\fIport \fR[\fIqueue\fR]]"
Prints to the console statistics for the specified \fIqueue\fR on
\fIport\fR within \fIswitch\fR.  \fIport\fR can be an OpenFlow port
number or name, the keyword \fBLOCAL\fR (the preferred way to refer to
the OpenFlow local port), or the keyword \fBALL\fR.  Either of
\fIport\fR or \fIqueue\fR or both may be omitted (or equivalently the
keyword \fBALL\fR).  If both are omitted, statistics are printed for
all queues on all ports.  If only \fIqueue\fR is omitted, then
statistics are printed for all queues on \fIport\fR; if only
\fIport\fR is omitted, then statistics are printed for \fIqueue\fR on
every port where it exists.
.
.IP "\fBqueue\-get\-config \fIswitch [\fIport \fR[\fIqueue\fR]]"
Prints to the console the configuration of \fIqueue\fR on \fIport\fR
in \fIswitch\fR.  If \fIport\fR is omitted or \fBANY\fR, reports
queues for all port.  If \fIqueue\fR is omitted or \fBANY\fR, reports
all queues.  For OpenFlow 1.3 and earlier, the output always includes
all queues, ignoring \fIqueue\fR if specified.
.IP
This command has limited usefulness, because ports often have no
configured queues and because the OpenFlow protocol provides only very
limited information about the configuration of a queue.
.
.IP "\fBdump\-ipfix\-bridge \fIswitch\fR"
Prints to the console the statistics of bridge IPFIX for \fIswitch\fR.
If bridge IPFIX is configured on the \fIswitch\fR, IPFIX statistics
can be retrieved.  Otherwise, error message will be printed.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.IP "\fBdump\-ipfix\-flow \fIswitch\fR"
Prints to the console the statistics of flow-based IPFIX for
\fIswitch\fR.  If flow-based IPFIX is configured on the \fIswitch\fR,
statistics of all the collector set ids on the \fIswitch\fR will be
printed.  Otherwise, print error message.
.IP
Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on configuring
flow based IPFIX and collector set ids.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.IP "\fBct\-flush\-zone \fIswitch zone\fR
Flushes the connection tracking entries in \fIzone\fR on \fIswitch\fR.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.SS "OpenFlow Switch Flow Table Commands"
.
These commands manage the flow table in an OpenFlow switch.  In each
case, \fIflow\fR specifies a flow entry in the format described in
\fBFlow Syntax\fR, below, \fIfile\fR is a text file that contains zero
or more flows in the same syntax, one per line, and the optional
\fB\-\-bundle\fR option operates the command as a single atomic
transation, see option \fB\-\-bundle\fR, below.
.
.IP "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch flow\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-flows \fIswitch file\fR"
Add each flow entry to \fIswitch\fR's tables.
.
Each flow specification (e.g., each line in \fIfile\fR) may start with
\fBadd\fR, \fBmodify\fR, \fBdelete\fR, \fBmodify_strict\fR, or
\fBdelete_strict\fR keyword to specify whether a flow is to be added,
modified, or deleted, and whether the modify or delete is strict or
not.  For backwards compatibility a flow specification without one of
these keywords is treated as a flow add.  All flow mods are executed
in the order specified.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
Modify the actions in entries from \fIswitch\fR's tables that match
the specified flows.  With \fB\-\-strict\fR, wildcards are not treated
as active for matching purposes.
.
.IP "[\fB\-\-bundle\fR] \fBdel\-flows \fIswitch\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's flow table.  With only a
\fIswitch\fR argument, deletes all flows.  Otherwise, deletes flow
entries that match the specified flows.  With \fB\-\-strict\fR,
wildcards are not treated as active for matching purposes.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR"
Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
\fB\-\fR) and queries the flow table from \fIswitch\fR.  Then it fixes
up any differences, adding flows from \fIflow\fR that are missing on
\fIswitch\fR, deleting flows from \fIswitch\fR that are not in
\fIfile\fR, and updating flows in \fIswitch\fR whose actions, cookie,
or timeouts differ in \fIfile\fR.
.
.IP
With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from
\fIfile\fR, even those that exist with the same actions, cookie, and
timeout in \fIswitch\fR.  In OpenFlow 1.0 and 1.1, re-adding a flow
always resets the flow's packet and byte counters to 0, and in
OpenFlow 1.2 and later, it does so only if the \fBreset_counts\fR flag
is set.
.
.IP "\fBdiff\-flows \fIsource1 source2\fR"
Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
differences.  A flow that is in \fIsource1\fR but not in \fIsource2\fR
is printed preceded by a \fB\-\fR, and a flow that is in \fIsource2\fR
but not in \fIsource1\fR is printed preceded by a \fB+\fR.  If a flow
exists in both \fIsource1\fR and \fIsource2\fR with different actions,
cookie, or timeouts, then both versions are printed preceded by
\fB\-\fR and \fB+\fR, respectively.
.IP
\fIsource1\fR and \fIsource2\fR may each name a file or a switch.  If
a name begins with \fB/\fR or \fB.\fR, then it is considered to be a
file name.  A name that contains \fB:\fR is considered to be a switch.
Otherwise, it is a file if a file by that name exists, a switch if
not.
.IP
For this command, an exit status of 0 means that no differences were
found, 1 means that an error occurred, and 2 means that some
differences were found.
.
.IP "\fBpacket\-out \fIswitch\fR \fIpacket-out\fR"
Connects to \fIswitch\fR and instructs it to execute the
\fIpacket-out\fR OpenFlow message, specified as defined in
\fBPacket\-Out Syntax\fR section.
.
.SS "Group Table Commands"
.
These commands manage the group table in an OpenFlow switch.  In each
case, \fIgroup\fR specifies a group entry in the format described in
\fBGroup Syntax\fR, below, and \fIfile\fR is a text file that contains
zero or more groups in the same syntax, one per line, and the optional
\fB\-\-bundle\fR option operates the command as a single atomic
transation, see option \fB\-\-bundle\fR, below.
.PP
The group commands work only with switches that support OpenFlow 1.1
or later or the Open vSwitch group extensions to OpenFlow 1.0 (added
in Open vSwitch 2.9.90).  For OpenFlow 1.1 or later, it is necessary
to explicitly enable these protocol versions in \fBovs\-ofctl\fR
(using \fB\-O\fR).  For more information, see ``Q: What versions of
OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
.
.IP "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch \fB\- < \fIfile\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-groups \fIswitch file\fR"
Add each group entry to \fIswitch\fR's tables.
.
Each group specification (e.g., each line in \fIfile\fR) may start
with \fBadd\fR, \fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR,
\fBinsert_bucket\fR, or \fBremove_bucket\fR keyword to specify whether
a flow is to be added, modified, or deleted, or whether a group bucket
is to be added or removed.  For backwards compatibility a group
specification without one of these keywords is treated as a group add.
All group mods are executed in the order specified.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch \fB\- < \fIfile\fR"
Modify the action buckets in entries from \fIswitch\fR's tables for
each group entry.  If a specified group does not already exist, then
without \fB\-\-may\-create\fR, this command has no effect; with
\fB\-\-may\-create\fR, it creates a new group.  The
\fB\-\-may\-create\fR option uses an Open vSwitch extension to
OpenFlow only implemented in Open vSwitch 2.6 and later.
.
.IP "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch\fR"
.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fR[\fIgroup\fR]"
.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's group table.  With only a
\fIswitch\fR argument, deletes all groups.  Otherwise, deletes the group
for each group entry.
.
.IP "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch \fB\- < \fIfile\fR"
Add buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
.IP "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch \fB\- < \fIfile\fR"
Remove buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
.IP "\fBdump\-groups \fIswitch\fR [\fIgroup\fR]"
Prints group entries in \fIswitch\fR's tables to console.  To dump
only a specific group, specify its number as \fIgroup\fR.  Otherwise,
if \fIgroup\fR is omitted, or if it is specified as \fBALL\fR, then
all groups are printed.
.IP
Only OpenFlow 1.5 and later support dumping a specific group.  Earlier
versions of OpenFlow always dump all groups.
.
.IP "\fBdump\-group\-features \fIswitch"
Prints to the console the group features of the \fIswitch\fR.
.
.IP "\fBdump\-group\-stats \fIswitch \fR[\fIgroup\fR]"
Prints to the console statistics for the specified \fIgroup\fR in
\fIswitch\fR's tables.  If \fIgroup\fR is omitted then statistics for all
groups are printed.
.
.SS "OpenFlow 1.3+ Switch Meter Table Commands"
.
These commands manage the meter table in an OpenFlow switch.  In each
case, \fImeter\fR specifies a meter entry in the format described in
\fBMeter Syntax\fR, below.
.
.PP
OpenFlow 1.3 introduced support for meters, so these commands only work
with switches that support OpenFlow 1.3 or later.  It is necessary to
explicitly enable these protocol versions in \fBovs\-ofctl\fR (using
\fB\-O\fR) and in the switch itself (with the \fBprotocols\fR column in
the \fBBridge\fR table).  For more information, see ``Q: What versions
of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
.
.IP "\fBadd\-meter \fIswitch meter\fR"
Add a meter entry to \fIswitch\fR's tables. The \fImeter\fR syntax is
described in section \fBMeter Syntax\fR, below.
.
.IP "\fBmod\-meter \fIswitch meter\fR"
Modify an existing meter.
.
.IP "\fBdel\-meters \fIswitch\fR [\fImeter\fR]"
Delete entries from \fIswitch\fR's meter table.  To delete only a
specific meter, specify its number as \fImeter\fR.  Otherwise, if
\fImeter\fR is omitted, or if it is specified as \fBall\fR, then all
meters are deleted.
.
.IP "\fBdump\-meters \fIswitch\fR [\fImeter\fR]"
Print entries from \fIswitch\fR's meter table.  To print only a
specific meter, specify its number as \fImeter\fR.  Otherwise, if
\fImeter\fR is omitted, or if it is specified as \fBall\fR, then all
meters are printed.
.
.IP "\fBmeter\-stats \fIswitch\fR [\fImeter\fR]"
Print meter statistics.  \fImeter\fR can specify a single meter with
syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
.
.IP "\fBmeter\-features \fIswitch\fR"
Print meter features.
.
.SS OpenFlow Switch Bundle Command
.
Transactional updates to both flow and group tables can be made with
the \fBbundle\fR command.  \fIfile\fR is a text file that contains
zero or more flow mods, group mods, or packet-outs in \fBFlow
Syntax\fR, \fBGroup Syntax\fR, or \fBPacket\-Out Syntax\fR, each line
preceded by \fBflow\fR, \fBgroup\fR, or \fBpacket\-out\fR keyword,
correspondingly.  The \fBflow\fR keyword may be optionally followed by
one of the keywords \fBadd\fR, \fBmodify\fR, \fBmodify_strict\fR,
\fBdelete\fR, or \fBdelete_strict\fR, of which the \fBadd\fR is
assumed if a bare \fBflow\fR is given.  Similarly, the \fBgroup\fR
keyword may be optionally followed by one of the keywords \fBadd\fR,
\fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR, \fBinsert_bucket\fR, or
\fBremove_bucket\fR, of which the \fBadd\fR is assumed if a bare
\fBgroup\fR is given.
.
.IP "\fBbundle \fIswitch file\fR"
Execute all flow and group mods in \fIfile\fR as a single atomic
transaction against \fIswitch\fR's tables.  All bundled mods are
executed in the order specified.
.
.SS "OpenFlow Switch Tunnel TLV Table Commands"
.
Open vSwitch maintains a mapping table between tunnel option TLVs (defined
by <class, type, length>) and NXM fields \fBtun_metadata\fIn\fR,
where \fIn\fR ranges from 0 to 63, that can be operated on for the
purposes of matches, actions, etc. This TLV table can be used for
Geneve option TLVs or other protocols with options in same TLV format
as Geneve options. This mapping must be explicitly specified by the user
through the following commands.

A TLV mapping is specified with the syntax
\fB{class=\fIclass\fB,type=\fItype\fB,len=\fIlength\fB}->tun_metadata\fIn\fR.
When an option mapping exists for a given \fBtun_metadata\fIn\fR,
matching on the defined field becomes possible, e.g.:

.RS
ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
.PP
ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
.RE

A mapping should not be changed while it is in active
use by a flow. The result of doing so is undefined.

These commands are Nicira extensions to OpenFlow and require Open vSwitch
2.5 or later.

.IP "\fBadd\-tlv\-map \fIswitch option\fR[\fB,\fIoption\fR]..."
Add each \fIoption\fR to \fIswitch\fR's tables. Duplicate fields are
rejected.
.
.IP "\fBdel\-tlv\-map \fIswitch \fR[\fIoption\fR[\fB,\fIoption\fR]]..."
Delete each \fIoption\fR from \fIswitch\fR's table, or all option TLV
mapping if no \fIoption\fR is specified.
Fields that aren't mapped are ignored.
.
.IP "\fBdump\-tlv\-map \fIswitch\fR"
Show the currently mapped fields in the switch's option table as well
as switch capabilities.
.
.SS "OpenFlow Switch Monitoring Commands"
.
.IP "\fBsnoop \fIswitch\fR"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Unlike other \fBovs\-ofctl\fR commands, if
\fIswitch\fR is the name of a bridge, then the \fBsnoop\fR command
connects to a Unix domain socket named
\fB@RUNDIR@/\fIswitch\fB.snoop\fR.  \fBovs\-vswitchd\fR listens on
such a socket for each bridge and sends to it all of the OpenFlow
messages sent to or received from its configured OpenFlow controller.
Thus, this command can be used to view OpenFlow protocol activity
between a switch and its controller.
.IP
When a switch has more than one controller configured, only the
traffic to and from a single controller is output.  If none of the
controllers is configured as a master or a slave (using a Nicira
extension to OpenFlow 1.0 or 1.1, or a standard request in OpenFlow
1.2 or later), then a controller is chosen arbitrarily among
them.  If there is a master controller, it is chosen; otherwise, if
there are any controllers that are not masters or slaves, one is
chosen arbitrarily; otherwise, a slave controller is chosen
arbitrarily.  This choice is made once at connection time and does not
change as controllers reconfigure their roles.
.IP
If a switch has no controller configured, or if
the configured controller is disconnected, no traffic is sent, so
monitoring will not show any traffic.
.
.IP "\fBmonitor \fIswitch\fR [\fImiss-len\fR] [\fBinvalid_ttl\fR] [\fBwatch:\fR[\fIspec\fR...]]"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Usually, \fIswitch\fR should specify the name of a
bridge in the \fBovs\-vswitchd\fR database.
.IP
If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fImiss-len\fR bytes of each packet that misses the flow table.  Open vSwitch
does not send these and other asynchronous messages to an
\fBovs\-ofctl monitor\fR client connection unless a nonzero value is
specified on this argument.  (Thus, if \fImiss\-len\fR is not
specified, very little traffic will ordinarily be printed.)
.IP
If \fBinvalid_ttl\fR is passed, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fBINVALID_TTL_TO_CONTROLLER\fR, so that \fBovs\-ofctl monitor\fR can
receive ``packet-in'' messages when TTL reaches zero on \fBdec_ttl\fR action.
Only OpenFlow 1.1 and 1.2 support \fBinvalid_ttl\fR; Open vSwitch also
implements it for OpenFlow 1.0 as an extension.
.IP
\fBwatch:\fR[\fB\fIspec\fR...] causes \fBovs\-ofctl\fR to send a
``monitor request'' Nicira extension message to the switch at
connection setup time.  This message causes the switch to send
information about flow table changes as they occur.  The following
comma-separated \fIspec\fR syntax is available:
.RS
.IP "\fB!initial\fR"
Do not report the switch's initial flow table contents.
.IP "\fB!add\fR"
Do not report newly added flows.
.IP "\fB!delete\fR"
Do not report deleted flows.
.IP "\fB!modify\fR"
Do not report modifications to existing flows.
.IP "\fB!own\fR"
Abbreviate changes made to the flow table by \fBovs\-ofctl\fR's own
connection to the switch.  (These could only occur using the
\fBofctl/send\fR command described below under \fBRUNTIME MANAGEMENT
COMMANDS\fR.)
.IP "\fB!actions\fR"
Do not report actions as part of flow updates.
.IP "\fBtable=\fItable\fR"
Limits the monitoring to the table with the given \fItable\fR, which
may be expressed as a number between 0 and 254 or (unless
\fB\-\-no\-names\fR is specified) a name.  By default, all tables are
monitored.
.IP "\fBout_port=\fIport\fR"
If set, only flows that output to \fIport\fR are monitored.  The
\fIport\fR may be an OpenFlow port number or keyword
(e.g. \fBLOCAL\fR).
.IP "\fIfield\fB=\fIvalue\fR"
Monitors only flows that have \fIfield\fR specified as the given
\fIvalue\fR.  Any syntax valid for matching on \fBdump\-flows\fR may
be used.
.RE
.IP
This command may be useful for debugging switch or controller
implementations.  With \fBwatch:\fR, it is particularly useful for
observing how a controller updates flow tables.
.
.SS "OpenFlow Switch and Controller Commands"
.
The following commands, like those in the previous section, may be
applied to OpenFlow switches, using any of the connection methods
described in that section.  Unlike those commands, these may also be
applied to OpenFlow controllers.
.
.TP
\fBprobe \fItarget\fR
Sends a single OpenFlow echo-request message to \fItarget\fR and waits
for the response.  With the \fB\-t\fR or \fB\-\-timeout\fR option, this
command can test whether an OpenFlow switch or controller is up and
running.
.
.TP
\fBping \fItarget \fR[\fIn\fR]
Sends a series of 10 echo request packets to \fItarget\fR and times
each reply.  The echo request packets consist of an OpenFlow header
plus \fIn\fR bytes (default: 64) of randomly generated payload.  This
measures the latency of individual requests.
.
.TP
\fBbenchmark \fItarget n count\fR
Sends \fIcount\fR echo request packets that each consist of an
OpenFlow header plus \fIn\fR bytes of payload and waits for each
response.  Reports the total time required.  This is a measure of the
maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte
messages.
.
.SS "Other Commands"
.
.IP "\fBofp\-parse\fR \fIfile\fR"
Reads \fIfile\fR (or \fBstdin\fR if \fIfile\fR is \fB\-\fR) as a
series of OpenFlow messages in the binary format used on an OpenFlow
connection, and prints them to the console.  This can be useful for
printing OpenFlow messages captured from a TCP stream.
.
.IP "\fBofp\-parse\-pcap\fR \fIfile\fR [\fIport\fR...]"
Reads \fIfile\fR, which must be in the PCAP format used by network
capture tools such as \fBtcpdump\fR or \fBwireshark\fR, extracts all
the TCP streams for OpenFlow connections, and prints the OpenFlow
messages in those connections in human-readable format on
\fBstdout\fR.
.IP
OpenFlow connections are distinguished by TCP port number.
Non-OpenFlow packets are ignored.  By default, data on TCP ports 6633
and 6653 are considered to be OpenFlow.  Specify one or more
\fIport\fR arguments to override the default.
.IP
This command cannot usefully print SSL encrypted traffic.  It does not
understand IPv6.
.
.SS "Flow Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
flows.  Such flow descriptions comprise a series of
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a flow description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.)
.PP
Flow descriptions should be in \fBnormal form\fR.  This means that a
flow may only specify a value for an L3 field if it also specifies a
particular L2 protocol, and that a flow may only specify an L4 field
if it also specifies particular L2 and L3 protocol types.  For
example, if the L2 protocol type \fBdl_type\fR is wildcarded, then L3
fields \fBnw_src\fR, \fBnw_dst\fR, and \fBnw_proto\fR must also be
wildcarded.  Similarly, if \fBdl_type\fR or \fBnw_proto\fR (the L3
protocol type) is wildcarded, so must be the L4 fields \fBtcp_dst\fR and
\fBtcp_src\fR.  \fBovs\-ofctl\fR will warn about
flows not in normal form.
.PP
\fBovs\-fields\fR(7) describes the supported fields and how to match
them.  In addition to match fields, commands that operate on flows
accept a few additional key-value pairs:
.
.IP \fBtable=\fItable\fR
For flow dump commands, limits the flows dumped to those in
\fItable\fR, which may be expressed as a number between 0 and 255 or
(unless \fB\-\-no\-names\fR is specified) a name.  If not specified
(or if 255 is specified as \fItable\fR), then flows in all tables are
dumped.
.
.IP
For flow table modification commands, behavior varies based on the
OpenFlow version used to connect to the switch:
.
.RS
.IP "OpenFlow 1.0"
OpenFlow 1.0 does not support \fBtable\fR for modifying flows.
\fBovs\-ofctl\fR will exit with an error if \fBtable\fR (other than
\fBtable=255\fR) is specified for a switch that only supports OpenFlow
1.0.
.IP
In OpenFlow 1.0, the switch chooses the table into which to insert a
new flow.  The Open vSwitch software switch always chooses table 0.
Other Open vSwitch datapaths and other OpenFlow implementations may
choose different tables.
.IP
The OpenFlow 1.0 behavior in Open vSwitch for modifying or removing
flows depends on whether \fB\-\-strict\fR is used.  Without
\fB\-\-strict\fR, the command applies to matching flows in all tables.
With \fB\-\-strict\fR, the command will operate on any single matching
flow in any table; it will do nothing if there are matches in more
than one table.  (The distinction between these behaviors only matters
if non-OpenFlow 1.0 commands were also used, because OpenFlow 1.0
alone cannot add flows with the same matching criteria to multiple
tables.)
.
.IP "OpenFlow 1.0 with table_id extension"
Open vSwitch implements an OpenFlow extension that allows the
controller to specify the table on which to operate.  \fBovs\-ofctl\fR
automatically enables the extension when \fBtable\fR is specified and
OpenFlow 1.0 is used.  \fBovs\-ofctl\fR automatically detects whether
the switch supports the extension.  As of this writing, this extension
is only known to be implemented by Open vSwitch.
.
.IP
With this extension, \fBovs\-ofctl\fR operates on the requested table
when \fBtable\fR is specified, and acts as described for OpenFlow 1.0
above when no \fBtable\fR is specified (or for \fBtable=255\fR).
.
.IP "OpenFlow 1.1"
OpenFlow 1.1 requires flow table modification commands to specify a
table.  When \fBtable\fR is not specified (or \fBtable=255\fR is
specified), \fBovs\-ofctl\fR defaults to table 0.
.
.IP "OpenFlow 1.2 and later"
OpenFlow 1.2 and later allow flow deletion commands, but not other
flow table modification commands, to operate on all flow tables, with
the behavior described above for OpenFlow 1.0.
.RE
.IP "\fBduration=\fR..."
.IQ "\fBn_packet=\fR..."
.IQ "\fBn_bytes=\fR..."
\fBovs\-ofctl\fR ignores assignments to these ``fields'' to allow
output from the \fBdump\-flows\fR command to be used as input for
other commands that parse flows.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
require an additional field, which must be the final field specified:
.
.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
Specifies a comma-separated list of actions to take on a packet when
the flow entry matches.  If no \fIaction\fR is specified, then packets
matching the flow are dropped.  See \fBovs\-actions\fR(7) for details
on the syntax and semantics of actions.
K
.PP
An opaque identifier called a cookie can be used as a handle to identify
a set of flows:
.
.IP \fBcookie=\fIvalue\fR
.
A cookie can be associated with a flow using the \fBadd\-flow\fR,
\fBadd\-flows\fR, and \fBmod\-flows\fR commands.  \fIvalue\fR can be any
64-bit number and need not be unique among flows.  If this field is
omitted, a default cookie value of 0 is used.
.
.IP \fBcookie=\fIvalue\fR\fB/\fImask\fR
.
When using NXM, the cookie can be used as a handle for querying,
modifying, and deleting flows.  \fIvalue\fR and \fImask\fR may be
supplied for the \fBdel\-flows\fR, \fBmod\-flows\fR, \fBdump\-flows\fR, and
\fBdump\-aggregate\fR commands to limit matching cookies.  A 1-bit in
\fImask\fR indicates that the corresponding bit in \fIcookie\fR must
match exactly, and a 0-bit wildcards that bit.  A mask of \-1 may be used
to exactly match a cookie.
.IP
The \fBmod\-flows\fR command can update the cookies of flows that
match a cookie by specifying the \fIcookie\fR field twice (once with a
mask for matching and once without to indicate the new value):
.RS
.IP "\fBovs\-ofctl mod\-flows br0 cookie=1,actions=normal\fR"
Change all flows' cookies to 1 and change their actions to \fBnormal\fR.
.IP "\fBovs\-ofctl mod\-flows br0 cookie=1/\-1,cookie=2,actions=normal\fR"
Update cookies with a value of 1 to 2 and change their actions to
\fBnormal\fR.
.RE
.IP
The ability to match on cookies was added in Open vSwitch 1.5.0.
.
.PP
The following additional field sets the priority for flows added by
the \fBadd\-flow\fR and \fBadd\-flows\fR commands.  For
\fBmod\-flows\fR and \fBdel\-flows\fR when \fB\-\-strict\fR is
specified, priority must match along with the rest of the flow
specification.  For \fBmod-flows\fR without \fB\-\-strict\fR,
priority is only significant if the command creates a new flow, that
is, non-strict \fBmod\-flows\fR does not match on priority and will
not change the priority of existing flows.  Other commands do not
allow priority to be specified.
.
.IP \fBpriority=\fIvalue\fR
The priority at which a wildcarded entry will match in comparison to
others.  \fIvalue\fR is a number between 0 and 65535, inclusive.  A higher 
\fIvalue\fR will match before a lower one.  An exact-match entry will always 
have priority over an entry containing wildcards, so it has an implicit 
priority value of 65535.  When adding a flow, if the field is not specified, 
the flow's priority will default to 32768.
.IP
OpenFlow leaves behavior undefined when two or more flows with the
same priority can match a single packet.  Some users expect
``sensible'' behavior, such as more specific flows taking precedence
over less specific flows, but OpenFlow does not specify this and Open
vSwitch does not implement it.  Users should therefore take care to
use priorities to ensure the behavior that they expect.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
support the following additional options.  These options affect only
new flows.  Thus, for \fBadd\-flow\fR and \fBadd\-flows\fR, these
options are always significant, but for \fBmod\-flows\fR they are
significant only if the command creates a new flow, that is, their
values do not update or affect existing flows.
.
.IP "\fBidle_timeout=\fIseconds\fR"
Causes the flow to expire after the given number of seconds of
inactivity.  A value of 0 (the default) prevents a flow from expiring
due to inactivity.
.
.IP \fBhard_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds,
regardless of activity.  A value of 0 (the default) gives the flow no
hard expiration deadline.
.
.IP "\fBimportance=\fIvalue\fR"
Sets the importance of a flow.  The flow entry eviction mechanism can
use importance as a factor in deciding which flow to evict.  A value
of 0 (the default) makes the flow non-evictable on the basis of
importance.  Specify a value between 0 and 65535.
.IP
Only OpenFlow 1.4 and later support \fBimportance\fR.
.
.IP "\fBsend_flow_rem\fR"
Marks the flow with a flag that causes the switch to generate a ``flow
removed'' message and send it to interested controllers when the flow
later expires or is removed.
.
.IP "\fBcheck_overlap\fR"
Forces the switch to check that the flow match does not overlap that
of any different flow with the same priority in the same table.  (This
check is expensive so it is best to avoid it.)
.
.IP "\fBreset_counts\fR"
When this flag is specified on a flow being added to a switch, and the
switch already has a flow with an identical match, an OpenFlow 1.2 (or
later) switch resets the flow's packet and byte counters to 0.
Without the flag, the packet and byte counters are preserved.
.IP
OpenFlow 1.0 and 1.1 switches always reset counters in this situation,
as if \fBreset_counts\fR were always specified.
.IP
Open vSwitch 1.10 added support for \fBreset_counts\fR.
.
.IP "\fBno_packet_counts\fR"
.IQ "\fBno_byte_counts\fR"
Adding these flags to a flow advises an OpenFlow 1.3 (or later) switch
that the controller does not need packet or byte counters,
respectively, for the flow.  Some switch implementations might achieve
higher performance or reduce resource consumption when these flags are
used.  These flags provide no benefit to the Open vSwitch software
switch implementation.
.IP
OpenFlow 1.2 and earlier do not support these flags.
.IP
Open vSwitch 1.10 added support for \fBno_packet_counts\fR and
\fBno_byte_counts\fR.
.
.PP
The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR 
and \fBdel\-flows\fR commands support these additional optional fields:
.
.TP
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR,
which must be an OpenFlow port number or name (e.g. \fBlocal\fR).
.
.TP
\fBout_group=\fIgroup\fR
If set, a matching flow must include an \fBgroup\fR action naming
\fIgroup\fR, which must be an OpenFlow group number.  This field
is supported in Open vSwitch 2.5 and later and requires OpenFlow 1.1
or later.
.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information 
about the entries in a datapath's tables.  Each line of output is a 
flow entry as described in \fBFlow Syntax\fR, above, plus some
additional fields:
.
.IP \fBduration=\fIsecs\fR
The time, in seconds, that the entry has been in the table.
\fIsecs\fR includes as much precision as the switch provides, possibly
to nanosecond resolution.
.
.IP \fBn_packets\fR
The number of packets that have matched the entry.
.
.IP \fBn_bytes\fR
The total number of bytes from packets that have matched the entry.
.
.PP
The following additional fields are included only if the switch is
Open vSwitch 1.6 or later and the NXM flow format is used to dump the
flow (see the description of the \fB\-\-flow-format\fR option below).
The values of these additional fields are approximations only and in
particular \fBidle_age\fR will sometimes become nonzero even for busy
flows.
.
.IP \fBhard_age=\fIsecs\fR
The integer number of seconds since the flow was added or modified.
\fBhard_age\fR is displayed only if it differs from the integer part
of \fBduration\fR.  (This is separate from \fBduration\fR because
\fBmod\-flows\fR restarts the \fBhard_timeout\fR timer without zeroing
\fBduration\fR.)
.
.IP \fBidle_age=\fIsecs\fR
The integer number of seconds that have passed without any packets
passing through the flow.
.
.SS "Packet\-Out Syntax"
.PP
\fBovs\-ofctl bundle\fR command accepts packet-outs to be specified in
the bundle file.  Each packet-out comprises of a series of
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a packet-out description normally
requires quoting to prevent the shell from breaking the description
into multiple arguments.).  Unless noted otherwise only the last
instance of each field is honoured.  This same syntax is also
supported by the \fBovs\-ofctl packet-out\fR command.
.PP
.IP \fBin_port=\fIport\fR
The port number to be considered the in_port when processing actions.
This can be any valid OpenFlow port number, or any of the \fBLOCAL\fR,
\fBCONTROLLER\fR, or \fBNONE\fR.
.
This field is required.

.IP \fIpipeline_field\fR=\fIvalue\fR
Optionally, user can specify a list of pipeline fields for a packet-out
message. The supported pipeline fields includes \fBtunnel fields\fR and
\fBregister fields\fR as defined in \fBovs\-fields\fR(7).

.IP \fBpacket=\fIhex-string\fR
The actual packet to send, expressed as a string of hexadecimal bytes.
.
This field is required.

.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
The syntax of actions are identical to the \fBactions=\fR field
described in \fBFlow Syntax\fR above.  Specifying \fBactions=\fR is
optional, but omitting actions is interpreted as a drop, so the packet
will not be sent anywhere from the switch.
.
\fBactions\fR must be specified at the end of each line, like for flow mods.
.RE
.
.SS "Group Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a group or
groups.  Such flow descriptions comprise a series
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a group description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.). Unless noted otherwise only the last instance
of each field is honoured.
.PP
.IP \fBgroup_id=\fIid\fR
The integer group id of group.
When this field is specified in \fBdel\-groups\fR or \fBdump\-groups\fR,
the keyword "all" may be used to designate all groups.
.
This field is required.


.IP \fBtype=\fItype\fR
The type of the group.  The \fBadd-group\fR, \fBadd-groups\fR and
\fBmod-groups\fR commands require this field.  It is prohibited for
other commands. The following keywords designated the allowed types:
.RS
.IP \fBall\fR
Execute all buckets in the group.
.IP \fBselect\fR
Execute one bucket in the group, balancing across the buckets
according to their weights.  To select a bucket, for each live bucket,
Open vSwitch hashes flow data with the bucket ID and multiplies by the
bucket weight to obtain a ``score,'' and then selects the bucket with
the highest score.  Use \fBselection_method\fR to control the flow
data used for selection.
.IP \fBindirect\fR
Executes the one bucket in the group.
.IP \fBff\fR
.IQ \fBfast_failover\fR
Executes the first live bucket in the group which is associated with
a live port or group.
.RE

.IP \fBcommand_bucket_id=\fIid\fR
The bucket to operate on.  The \fBinsert-buckets\fR and \fBremove-buckets\fR
commands require this field.  It is prohibited for other commands.
\fIid\fR may be an integer or one of the following keywords:
.RS
.IP \fBall\fR
Operate on all buckets in the group.
Only valid when used with the \fBremove-buckets\fR command in which
case the effect is to remove all buckets from the group.
.IP \fBfirst\fR
Operate on the first bucket present in the group.
In the case of the \fBinsert-buckets\fR command the effect is to
insert new bucets just before the first bucket already present in the group;
or to replace the buckets of the group if there are no buckets already present
in the group.
In the case of the \fBremove-buckets\fR command the effect is to
remove the first bucket of the group; or do nothing if there are no
buckets present in the group.
.IP \fBlast\fR
Operate on the last bucket present in the group.
In the case of the \fBinsert-buckets\fR command the effect is to
insert new bucets just after the last bucket already present in the group;
or to replace the buckets of the group if there are no buckets already present
in the group.
In the case of the \fBremove-buckets\fR command the effect is to
remove the last bucket of the group; or do nothing if there are no
buckets present in the group.
.RE
.IP
If \fIid\fR is an integer then it should correspond to the \fBbucket_id\fR
of a bucket present in the group.
In case of the \fBinsert-buckets\fR command the effect is to
insert buckets just before the bucket in the group whose \fBbucket_id\fR is
\fIid\fR.
In case of the \fBiremove-buckets\fR command the effect is to
remove the in the group whose \fBbucket_id\fR is \fIid\fR.
It is an error if there is no bucket persent group in whose \fBbucket_id\fR is
\fIid\fR.

.IP \fBselection_method\fR=\fImethod\fR
The selection method used to select a bucket for a select group.
This is a string of 1 to 15 bytes in length known to lower layers.
This field is optional for \fBadd\-group\fR, \fBadd\-groups\fR and
\fBmod\-group\fR commands on groups of type \fBselect\fR. Prohibited
otherwise.  If no selection method is specified, Open vSwitch up to
release 2.9 applies the \fBhash\fR method with default fields. From
2.10 onwards Open vSwitch defaults to the \fBdp_hash\fR method with symmetric
L3/L4 hash algorithm, unless the weighted group buckets cannot be mapped to
a maximum of 64 dp_hash values with sufficient accuracy.
In those rare cases Open vSwitch 2.10 and later fall back to the \fBhash\fR
method with the default set of hash fields.
.RS
.IP \fBdp_hash\fR
Use a datapath computed hash value.  The hash algorithm varies accross
different datapath implementations.  \fBdp_hash\fR uses the upper 32
bits of the \fBselection_method_param\fR as the datapath hash
algorithm selector.  The supported values are \fB0\fR (corresponding to
hash computation over the IP 5-tuple) and \fB1\fR (corresponding to a
\fIsymmetric\fR hash computation over the IP 5-tuple).  Selecting specific
fields with the \fBfields\fR option is not supported with \fBdp_hash\fR).
The lower 32 bits are used as the hash basis.
.IP
Using \fBdp_hash\fR has the advantage that it does not require the
generated datapath flows to exact match any additional packet header
fields.  For example, even if multiple TCP connections thus hashed to
different select group buckets have different source port numbers,
generally all of them would be handled with a small set of already
established datapath flows, resulting in less latency for TCP SYN
packets.  The downside is that the shared datapath flows must match
each packet twice, as the datapath hash value calculation happens only
when needed, and a second match is required to match some bits of its
value.  This double-matching incurs a small additional latency cost
for each packet, but this latency is orders of magnitude less than the
latency of creating new datapath flows for new TCP connections.
.IP \fBhash\fR
Use a hash computed over the fields specified with the \fBfields\fR
option, see below.  If no hash fields are specified, \fBhash\fR defaults
to a symmetric hash over the combination of MAC addresses, VLAN tags,
Ether type, IP addresses and L4 port numbers.  \fBhash\fR uses the
\fBselection_method_param\fR as the hash basis.
.IP
Note that the hashed fields become exact matched by the datapath
flows.  For example, if the TCP source port is hashed, the created
datapath flows will match the specific TCP source port value present
in the packet received.  Since each TCP connection generally has a
different source port value, a separate datapath flow will be need to
be inserted for each TCP connection thus hashed to a select group
bucket.
.RE
.IP
This option uses a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBselection_method_param\fR=\fIparam\fR
64-bit integer parameter to the selection method selected by the
\fBselection_method\fR field.  The parameter's use is defined by the
lower-layer that implements the \fBselection_method\fR.  It is optional if
the \fBselection_method\fR field is specified as a non-empty string.
Prohibited otherwise. The default value is zero.
.IP
This option uses a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBfields\fR=\fIfield\fR
.IQ \fBfields(\fIfield\fR[\fB=\fImask\fR]\fR...\fB)\fR
The field parameters to selection method selected by the
\fBselection_method\fR field.  The syntax is described in \fBFlow
Syntax\fR with the additional restrictions that if a value is provided
it is treated as a wildcard mask and wildcard masks following a slash
are prohibited. The pre-requisites of fields must be provided by any
flows that output to the group.  The use of the fields is defined by
the lower-layer that implements the \fBselection_method\fR.  They are
optional if the \fBselection_method\fR field is specified as ``hash',
prohibited otherwise.  The default is no fields.
.IP
This option will use a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBbucket\fR=\fIbucket_parameters\fR
The \fBadd-group\fR, \fBadd-groups\fR and \fBmod-group\fR commands
require at least one bucket field. Bucket fields must appear after
all other fields.
.
Multiple bucket fields to specify multiple buckets.
The order in which buckets are specified corresponds to their order in
the group. If the type of the group is "indirect" then only one group may
be specified.
.
\fIbucket_parameters\fR consists of a list of \fIfield\fB=\fIvalue\fR
assignments, separated by commas or white space followed by a
comma-separated list of actions.
The fields for \fIbucket_parameters\fR are:
.
.RS
.IP \fBbucket_id=\fIid\fR
The 32-bit integer group id of the bucket.  Values greater than
0xffffff00 are reserved.
.
This field was added in Open vSwitch 2.4 to conform with the OpenFlow
1.5 specification. It is not supported when earlier versions
of OpenFlow are used.  Open vSwitch will automatically allocate bucket
ids when they are not specified.
.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
The syntax of actions are identical to the \fBactions=\fR field described in
\fBFlow Syntax\fR above. Specifying \fBactions=\fR is optional, any unknown
bucket parameter will be interpreted as an action.
.IP \fBweight=\fIvalue\fR
The relative weight of the bucket as an integer. This may be used by the switch
during bucket select for groups whose \fBtype\fR is \fBselect\fR.
.IP \fBwatch_port=\fIport\fR
Port used to determine liveness of group.
This or the \fBwatch_group\fR field is required
for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR.
This or the \fBwatch_group\fR field can also be used
for groups whose \fBtype\fR is \fBselect\fR.
.IP \fBwatch_group=\fIgroup_id\fR
Group identifier of group used to determine liveness of group.
This or the \fBwatch_port\fR field is required
for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR.
This or the \fBwatch_port\fR field can also be used
for groups whose \fBtype\fR is \fBselect\fR.
.RE
.
.SS "Meter Syntax"
.PP
The meter table commands accept an argument that describes a meter.
Such meter descriptions comprise a series \fIfield\fB=\fIvalue\fR
assignments, separated by commas or white space.
(Embedding spaces into a group description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.). Unless noted otherwise only the last instance
of each field is honoured.
.PP
.IP \fBmeter=\fIid\fR
The identifier for the meter.  An integer is used to specify a
user-defined meter.  In addition, the keywords "all", "controller", and
"slowpath", are also supported as virtual meters.  The "controller" and
"slowpath" virtual meters apply to packets sent to the controller and to
the OVS userspace, respectively.
.IP
When this field is specified in \fBdel-meter\fR, \fBdump-meter\fR, or
\fBmeter-stats\fR, the keyword "all" may be used to designate all
meters.  This field is required, except for \fBmeter-stats\fR, which
dumps all stats when this field is not specified.
.IP \fBkbps\fR
.IQ \fBpktps\fR
The unit for the \fBrate\fR and \fBburst_size\fR band parameters.
\fBkbps\fR specifies kilobits per second, and \fBpktps\fR specifies
packets per second.  A unit is required for the \fBadd-meter\fR and
\fBmod-meter\fR commands.

.IP \fBburst\fR
If set, enables burst support for meter bands through the \fBburst_size\fR
parameter.

.IP \fBstats\fR
If set, enables the collection of meter and band statistics.

.IP \fBbands\fR=\fIband_parameters\fR
The \fBadd-meter\fR and \fBmod-meter\fR commands require at least one
band specification. Bands must appear after all other fields.
.RS
.IP \fBtype=\fItype\fR
The type of the meter band.  This keyword starts a new band specification.
Each band specifies a rate above which the band is to take some action. The
action depends on the band type.  If multiple bands' rate is exceeded, then
the band with the highest rate among the exceeded bands is selected.
The following keywords designate the allowed
meter band types:
.RS
.IP \fBdrop\fR
Drop packets exceeding the band's rate limit.
.RE
.
.IP "The other \fIband_parameters\fR are:"
.IP \fBrate=\fIvalue\fR
The relative rate limit for this band, in kilobits per second or packets per
second, depending on whether \fBkbps\fR or \fBpktps\fR was specified.
.IP \fBburst_size=\fIsize\fR
If \fBburst\fR is specified for the meter entry, configures the maximum
burst allowed for the band in kilobits or packets, depending on whether
\fBkbps\fR or \fBpktps\fR was specified.  If unspecified, the switch is
free to select some reasonable value depending on its configuration.
.RE
.
.SH OPTIONS
.TP
\fB\-\-strict\fR
Uses strict matching when running flow modification commands.
.
.IP "\fB\-\-names\fR"
.IQ "\fB\-\-no\-names\fR"
Every OpenFlow port has a name and a number, and every OpenFlow flow
table has a number and sometimes a name.  By default, \fBovs\-ofctl\fR
commands accept both port and table names and numbers, and they
display port and table names if \fBovs\-ofctl\fR is running on an
interactive console, numbers otherwise.  With \fB\-\-names\fR,
\fBovs\-ofctl\fR commands both accept and display port and table
names; with \fB\-\-no\-names\fR, commands neither accept nor display
port and table names.
.IP
If a port or table name contains special characters or might be
confused with a keyword within a flow, it may be enclosed in double
quotes (escaped from the shell).  If necessary, JSON-style escape
sequences may be used inside quotes, as specified in RFC 7159.  When
it displays port and table names, \fBovs\-ofctl\fR quotes any name
that does not start with a letter followed by letters or digits.
.IP
Open vSwitch added support for port names and these options.  Open
vSwitch 2.10 added support for table names.  Earlier versions always
behaved as if \fB\-\-no\-names\fR were specified.
.IP
Open vSwitch does not place its own limit on the length of port names,
but OpenFlow limits port names to 15 bytes.
Because \fRovs\-ofctl\fR uses OpenFlow to
retrieve the mapping between port names and numbers, names longer than
this limit will be truncated for both display and acceptance.
Truncation can also cause long names that are different to appear to
be the same; when a switch has two ports with the same (truncated)
name, \fBovs\-ofctl\fR refuses to display or accept the name, using
the number instead.
.IP
OpenFlow and Open vSwitch limit table names to 32 bytes.
.
.IP "\fB\-\-stats\fR"
.IQ "\fB\-\-no\-stats\fR"
The \fBdump\-flows\fR command by default, or with \fB\-\-stats\fR,
includes flow duration, packet and byte counts, and idle and hard age
in its output.  With \fB\-\-no\-stats\fR, it omits all of these, as
well as cookie values and table IDs if they are zero.
.
.IP "\fB\-\-read-only\fR"
Do not execute read/write commands.
.
.IP "\fB\-\-bundle\fR"
Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
.RS
.IP \(bu
Within a bundle, all flow mods are processed in the order they appear
and as a single atomic transaction, meaning that if one of them fails,
the whole transaction fails and none of the changes are made to the
\fIswitch\fR's flow table, and that each given datapath packet
traversing the OpenFlow tables sees the flow tables either as before
the transaction, or after all the flow mods in the bundle have been
successfully applied.
.IP \(bu
The beginning and the end of the flow table modification commands in a
bundle are delimited with OpenFlow 1.4 bundle control messages, which
makes it possible to stream the included commands without explicit
OpenFlow barriers, which are otherwise used after each flow table
modification command.  This may make large modifications execute
faster as a bundle.
.IP \(bu
Bundles require OpenFlow 1.4 or higher.  An explicit \fB-O
OpenFlow14\fR option is not needed, but you may need to enable
OpenFlow 1.4 support for OVS by setting the OVSDB \fIprotocols\fR
column in the \fIbridge\fR table.
.RE
.
.so lib/ofp-version.man
.
.IP "\fB\-F \fIformat\fR[\fB,\fIformat\fR...]"
.IQ "\fB\-\-flow\-format=\fIformat\fR[\fB,\fIformat\fR...]"
\fBovs\-ofctl\fR supports the following individual flow formats, any
number of which may be listed as \fIformat\fR:
.RS
.IP "\fBOpenFlow10\-table_id\fR"
This is the standard OpenFlow 1.0 flow format.  All OpenFlow switches
and all versions of Open vSwitch support this flow format.
.
.IP "\fBOpenFlow10+table_id\fR"
This is the standard OpenFlow 1.0 flow format plus a Nicira extension
that allows \fBovs\-ofctl\fR to specify the flow table in which a
particular flow should be placed.  Open vSwitch 1.2 and later supports
this flow format.
.
.IP "\fBNXM\-table_id\fR (Nicira Extended Match)"
This Nicira extension to OpenFlow is flexible and extensible.  It
supports all of the Nicira flow extensions, such as \fBtun_id\fR and
registers.  Open vSwitch 1.1 and later supports this flow format.
.
.IP "\fBNXM+table_id\fR (Nicira Extended Match)"
This combines Nicira Extended match with the ability to place a flow
in a specific table.  Open vSwitch 1.2 and later supports this flow
format.
.
.IP "\fBOXM-OpenFlow12\fR"
.IQ "\fBOXM-OpenFlow13\fR"
.IQ "\fBOXM-OpenFlow14\fR"
.IQ "\fBOXM-OpenFlow15\fR"
These are the standard OXM (OpenFlow Extensible Match) flow format in
OpenFlow 1.2 and later.
.RE
.
.IP
\fBovs\-ofctl\fR also supports the following abbreviations for
collections of flow formats:
.RS
.IP "\fBany\fR"
Any supported flow format.
.IP "\fBOpenFlow10\fR"
\fBOpenFlow10\-table_id\fR or \fBOpenFlow10+table_id\fR.
.IP "\fBNXM\fR"
\fBNXM\-table_id\fR or \fBNXM+table_id\fR.
.IP "\fBOXM\fR"
\fBOXM-OpenFlow12\fR, \fBOXM-OpenFlow13\fR, or \fBOXM-OpenFlow14\fR.
.RE
.
.IP
For commands that modify the flow table, \fBovs\-ofctl\fR by default
negotiates the most widely supported flow format that supports the
flows being added.  For commands that query the flow table,
\fBovs\-ofctl\fR by default uses the most advanced format supported by
the switch.
.IP
This option, where \fIformat\fR is a comma-separated list of one or
more of the formats listed above, limits \fBovs\-ofctl\fR's choice of
flow format.  If a command cannot work as requested using one of the
specified flow formats, \fBovs\-ofctl\fR will report a fatal error.
.
.IP "\fB\-P \fIformat\fR"
.IQ "\fB\-\-packet\-in\-format=\fIformat\fR"
\fBovs\-ofctl\fR supports the following ``packet-in'' formats, in order of
increasing capability:
.RS
.IP "\fBstandard\fR"
This uses the \fBOFPT_PACKET_IN\fR message, the standard ``packet-in''
message for any given OpenFlow version.  Every OpenFlow switch that
supports a given OpenFlow version supports this format.
.
.IP "\fBnxt_packet_in\fR"
This uses the \fBNXT_PACKET_IN\fR message, which adds many of the
capabilities of the OpenFlow 1.1 and later ``packet-in'' messages
before those OpenFlow versions were available in Open vSwitch.  Open
vSwitch 1.1 and later support this format.  Only Open vSwitch 2.6 and
later, however, support it for OpenFlow 1.1 and later (but there is
little reason to use it with those versions of OpenFlow).
.
.IP "\fBnxt_packet_in2\fR"
This uses the \fBNXT_PACKET_IN2\fR message, which is extensible and
should avoid the need to define new formats later.  In particular,
this format supports passing arbitrary user-provided data to a
controller using the \fBuserdata\fB option on the \fBcontroller\fR
action.  Open vSwitch 2.6 and later support this format.
.
.RE
.IP
Without this option, \fBovs\-ofctl\fR prefers \fBnxt_packet_in2\fR if
the switch supports it.  Otherwise, if OpenFlow 1.0 is in use,
\fBovs\-ofctl\fR prefers \fBnxt_packet_in\fR if the switch supports
it.  Otherwise, \fBovs\-ofctl\fR falls back to the \fBstandard\fR
packet-in format.  When this option is specified, \fBovs\-ofctl\fR
insists on the selected format.  If the switch does not support the
requested format, \fBovs\-ofctl\fR will report a fatal error.
.IP
Before version 2.6, Open vSwitch called \fBstandard\fR format
\fBopenflow10\fR and \fBnxt_packet_in\fR format \fBnxm\fR, and
\fBovs\-ofctl\fR still accepts these names as synonyms.  (The name
\fBopenflow10\fR was a misnomer because this format actually varies
from one OpenFlow version to another; it is not consistently OpenFlow
1.0 format.  Similarly, when \fBnxt_packet_in2\fR was introduced, the
name \fBnxm\fR became confusing because it also uses OXM/NXM.)
.
.IP
This option affects only the \fBmonitor\fR command.
.
.IP "\fB\-\-timestamp\fR"
Print a timestamp before each received packet.  This option only
affects the \fBmonitor\fR, \fBsnoop\fR, and \fBofp\-parse\-pcap\fR
commands.
.
.IP "\fB\-m\fR"
.IQ "\fB\-\-more\fR"
Increases the verbosity of OpenFlow messages printed and logged by
\fBovs\-ofctl\fR commands.  Specify this option more than once to
increase verbosity further.
.
.IP \fB\-\-sort\fR[\fB=\fIfield\fR]
.IQ \fB\-\-rsort\fR[\fB=\fIfield\fR]
Display output sorted by flow \fIfield\fR in ascending
(\fB\-\-sort\fR) or descending (\fB\-\-rsort\fR) order, where
\fIfield\fR is any of the fields that are allowed for matching or
\fBpriority\fR to sort by priority.  When \fIfield\fR is omitted, the
output is sorted by priority.  Specify these options multiple times to
sort by multiple fields.
.IP
Any given flow will not necessarily specify a value for a given
field.  This requires special treatement:
.RS
.IP \(bu
A flow that does not specify any part of a field that is used for sorting is
sorted after all the flows that do specify the field.  For example,
\fB\-\-sort=tcp_src\fR will sort all the flows that specify a TCP
source port in ascending order, followed by the flows that do not
specify a TCP source port at all.
.IP \(bu
A flow that only specifies some bits in a field is sorted as if the
wildcarded bits were zero.  For example, \fB\-\-sort=nw_src\fR would
sort a flow that specifies \fBnw_src=192.168.0.0/24\fR the same as
\fBnw_src=192.168.0.0\fR.
.RE
.IP
These options currently affect only \fBdump\-flows\fR output.
.
.SS "Daemon Options"
.ds DD \
\fBovs\-ofctl\fR detaches only when executing the \fBmonitor\fR or \
\fBsnoop\fR commands.
.so lib/daemon.man
.so lib/unixctl.man
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/vlog.man
.so lib/colors.man
.so lib/common.man
.
.SH "RUNTIME MANAGEMENT COMMANDS"
\fBovs\-appctl\fR(8) can send commands to a running \fBovs\-ofctl\fR
process.  The supported commands are listed below.
.
.IP "\fBexit\fR"
Causes \fBovs\-ofctl\fR to gracefully terminate.  This command applies
only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
.
.IP "\fBofctl/set\-output\-file \fIfile\fR"
Causes all subsequent output to go to \fIfile\fR instead of stderr.
This command applies only when executing the \fBmonitor\fR or
\fBsnoop\fR commands.
.
.IP "\fBofctl/send \fIofmsg\fR..."
Sends each \fIofmsg\fR, specified as a sequence of hex digits that
express an OpenFlow message, on the OpenFlow connection.  This command
is useful only when executing the \fBmonitor\fR command.
.
.IP "\fBofctl/packet\-out \fIpacket-out\fR"
Sends an OpenFlow PACKET_OUT message specified in \fBPacket\-Out
Syntax\fR, on the OpenFlow connection.  See \fBPacket\-Out Syntax\fR
section for more information.  This command is useful only when
executing the \fBmonitor\fR command.
.
.IP "\fBofctl/barrier\fR"
Sends an OpenFlow barrier request on the OpenFlow connection and waits
for a reply.  This command is useful only for the \fBmonitor\fR
command.
.
.SH EXAMPLES
.
The following examples assume that \fBovs\-vswitchd\fR has a bridge
named \fBbr0\fR configured.
.
.TP
\fBovs\-ofctl dump\-tables br0\fR
Prints out the switch's table stats.  (This is more interesting after
some traffic has passed through.)
.
.TP
\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
.TP
\fBovs\-ofctl add\-flow table=0 actions=learn(table=1,hard_timeout=10, NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]), resubmit(,1)\fR
\fBovs\-ofctl add\-flow  table=1 priority=0 actions=flood\fR
Implements a level 2 MAC learning switch using the learn.
.
.TP
\fBovs\-ofctl add\-flow br0 'table=0,priority=0 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_timeout=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],output:NXM_NX_REG0[0..15]),output:2\fR
In this use of a learn action, the first packet from each source MAC
will be sent to port 2. Subsequent packets will be output to port 3,
with an idle timeout of 10 seconds.  NXM field names and match field
names are both accepted, e.g. \fBNXM_NX_REG0\fR or \fBreg0\fR for the
first register, and empty brackets may be omitted.
.IP
Additional examples may be found documented as part of related sections.
.
.SH "SEE ALSO"
.
.BR ovs\-fields (7),
.BR ovs\-actions (7),
.BR ovs\-appctl (8),
.BR ovs\-vswitchd (8),
.BR ovs\-vswitchd.conf.db (8)