ofproto: Add support for specifying a meter in controller actions.

[mirror_ovs.git] / utilities / ovs-ofctl.8.in

.\" -*- nroff -*-
.de IQ
.  br
.  ns
.  IP "\\$1"
..
.TH ovs\-ofctl 8 "@VERSION@" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-ofctl
.
.SH NAME
ovs\-ofctl \- administer OpenFlow switches
.
.SH SYNOPSIS
.B ovs\-ofctl
[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...]
.
.SH DESCRIPTION
The
.B ovs\-ofctl
program is a command line tool for monitoring and administering
OpenFlow switches.  It can also show the current state of an OpenFlow
switch, including features, configuration, and table entries.
It should work with any OpenFlow switch, not just Open vSwitch.
.
.SS "OpenFlow Switch Management Commands"
.PP
These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow
switch.  It is able to show the current state of a switch, including
features, configuration, and table entries.
.PP
Most of these commands take an argument that specifies the method for
connecting to an OpenFlow switch.  The following connection methods
are supported:
.
.RS
.so lib/vconn-active.man
.
.IP "\fIfile\fR"
This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not
contain a colon.
.
.IP \fIbridge\fR
This is short for \fBunix:@RUNDIR@/\fIbridge\fB.mgmt\fR, as long as
\fIbridge\fR does not contain a colon.
.
.IP [\fItype\fB@\fR]\fIdp\fR
Attempts to look up the bridge associated with \fIdp\fR and open as
above.  If \fItype\fR is given, it specifies the datapath provider of
\fIdp\fR, otherwise the default provider \fBsystem\fR is assumed.
.RE
.
.TP
\fBshow \fIswitch\fR
Prints to the console information on \fIswitch\fR, including
information on its flow tables and ports.
.
.TP
\fBdump\-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.
.TP
\fBdump\-table\-features \fIswitch\fR
Prints to the console features for each of the flow tables used by
\fIswitch\fR.
.TP
\fBdump\-table\-desc \fIswitch\fR
Prints to the console configuration for each of the flow tables used
by \fIswitch\fR for OpenFlow 1.4+.
.IP "\fBmod\-table \fIswitch\fR \fItable\fR \fIsetting\fR"
This command configures flow table settings in \fIswitch\fR for
OpenFlow table \fItable\fR, which may be expressed as a number or
(unless \fB\-\-no\-names\fR is specified) a name.
.IP
The available settings depend on
the OpenFlow version in use.  In OpenFlow 1.1 and 1.2 (which must be
enabled with the \fB\-O\fR option) only, \fBmod\-table\fR configures
behavior when no flow is found when a packet is looked up in a flow
table.  The following \fIsetting\fR values are available:
.RS
.IP \fBdrop\fR
Drop the packet.
.IP \fBcontinue\fR
Continue to the next table in the pipeline.  (This is how an OpenFlow
1.0 switch always handles packets that do not match any flow, in
tables other than the last one.)
.IP \fBcontroller\fR
Send to controller.  (This is how an OpenFlow 1.0 switch always
handles packets that do not match any flow in the last table.)
.RE
.IP
In OpenFlow 1.4 and later (which must be enabled with the \fB\-O\fR
option) only, \fBmod\-table\fR configures the behavior when a
controller attempts to add a flow to a flow table that is full.  The
following \fIsetting\fR values are available:
.RS
.IP \fBevict\fR
Delete some existing flow from the flow table, according to the
algorithm described for the \fBFlow_Table\fR table in
\fBovs-vswitchd.conf.db\fR(5).
.IP \fBnoevict\fR
Refuse to add the new flow.  (Eviction might still be enabled through
the \fBoverflow_policy\fR column in the \fBFlow_Table\fR table
documented in \fBovs-vswitchd.conf.db\fR(5).)
.IP \fBvacancy:\fIlow\fB,\fIhigh\fR
Enables sending vacancy events to controllers using \fBTABLE_STATUS\fR
messages, based on percentage thresholds \fIlow\fR and \fIhigh\fR.
.IP \fBnovacancy\fR
Disables vacancy events.
.RE
.
.TP
\fBdump\-ports \fIswitch\fR [\fInetdev\fR]
Prints to the console statistics for network devices associated with 
\fIswitch\fR.  If \fInetdev\fR is specified, only the statistics
associated with that device will be printed.  \fInetdev\fR can be an
OpenFlow assigned port number or device name, e.g. \fBeth0\fR.
.
.IP "\fBdump\-ports\-desc \fIswitch\fR [\fIport\fR]"
Prints to the console detailed information about network devices
associated with \fIswitch\fR.  To dump only a specific port, specify
its number as \fIport\fR.  Otherwise, if \fIport\fR is omitted, or if
it is specified as \fBANY\fR, then all ports are printed.  This is a
subset of the information provided by the \fBshow\fR command.
.IP
If the connection to \fIswitch\fR negotiates OpenFlow 1.0, 1.2, or
1.2, this command uses an OpenFlow extension only implemented in Open
vSwitch (version 1.7 and later).
.IP
Only OpenFlow 1.5 and later support dumping a specific port.  Earlier
versions of OpenFlow always dump all ports.
.
.IP "\fBmod\-port \fIswitch\fR \fIport\fR \fIaction\fR"
Modify characteristics of port \fBport\fR in \fIswitch\fR.  \fIport\fR
may be an OpenFlow port number or name (unless \fB\-\-no\-names\fR is
specified) or the keyword \fBLOCAL\fR (the
preferred way to refer to the OpenFlow local port).  The \fIaction\fR
may be any one of the following:
.
.RS
.IQ \fBup\fR
.IQ \fBdown\fR
Enable or disable the interface.  This is equivalent to \fBip
link set up\fR or \fBip link set down\fR on a Unix system.
.
.IP \fBstp\fR
.IQ \fBno\-stp\fR
Enable or disable 802.1D spanning tree protocol (STP) on the
interface.  OpenFlow implementations that don't support STP will
refuse to enable it.
.
.IP \fBreceive\fR
.IQ \fBno\-receive\fR
.IQ \fBreceive\-stp\fR
.IQ \fBno\-receive\-stp\fR
Enable or disable OpenFlow processing of packets received on this
interface.  When packet processing is disabled, packets will be
dropped instead of being processed through the OpenFlow table.  The
\fBreceive\fR or \fBno\-receive\fR setting applies to all packets
except 802.1D spanning tree packets, which are separately controlled
by \fBreceive\-stp\fR or \fBno\-receive\-stp\fR.
.
.IP \fBforward\fR
.IQ \fBno\-forward\fR
Allow or disallow forwarding of traffic to this interface.  By
default, forwarding is enabled.
.
.IP \fBflood\fR
.IQ \fBno\-flood\fR
Controls whether an OpenFlow \fBflood\fR action will send traffic out
this interface.  By default, flooding is enabled.  Disabling flooding
is primarily useful to prevent loops when a spanning tree protocol is
not in use.
.
.IP \fBpacket\-in\fR
.IQ \fBno\-packet\-in\fR
Controls whether packets received on this interface that do not match
a flow table entry generate a ``packet in'' message to the OpenFlow
controller.  By default, ``packet in'' messages are enabled.
.RE
.IP
The \fBshow\fR command displays (among other information) the
configuration that \fBmod\-port\fR changes.
.
.IP "\fBget\-frags \fIswitch\fR"
Prints \fIswitch\fR's fragment handling mode.  See \fBset\-frags\fR,
below, for a description of each fragment handling mode.
.IP
The \fBshow\fR command also prints the fragment handling mode among
its other output.
.
.IP "\fBset\-frags \fIswitch frag_mode\fR"
Configures \fIswitch\fR's treatment of IPv4 and IPv6 fragments.  The
choices for \fIfrag_mode\fR are:
.RS
.IP "\fBnormal\fR"
Fragments pass through the flow table like non-fragmented packets.
The TCP ports, UDP ports, and ICMP type and code fields are always set
to 0, even for fragments where that information would otherwise be
available (fragments with offset 0).  This is the default fragment
handling mode for an OpenFlow switch.
.IP "\fBdrop\fR"
Fragments are dropped without passing through the flow table.
.IP "\fBreassemble\fR"
The switch reassembles fragments into full IP packets before passing
them through the flow table.  Open vSwitch does not implement this
fragment handling mode.
.IP "\fBnx\-match\fR"
Fragments pass through the flow table like non-fragmented packets.
The TCP ports, UDP ports, and ICMP type and code fields are available
for matching for fragments with offset 0, and set to 0 in fragments
with nonzero offset.  This mode is a Nicira extension.
.RE
.IP
See the description of \fBip_frag\fR, below, for a way to match on
whether a packet is a fragment and on its fragment offset.
.
.TP
\fBdump\-flows \fIswitch \fR[\fIflows\fR]
Prints to the console all flow entries in \fIswitch\fR's
tables that match \fIflows\fR.  If \fIflows\fR is omitted, all flows
in the switch are retrieved.  See \fBFlow Syntax\fR, below, for the
syntax of \fIflows\fR.  The output format is described in
\fBTable Entry Output\fR.
.
.IP
By default, \fBovs\-ofctl\fR prints flow entries in the same order
that the switch sends them, which is unlikely to be intuitive or
consistent.  Use \fB\-\-sort\fR and \fB\-\-rsort\fR to control display
order.  The \fB\-\-names\fR/\fB\-\-no\-names\fR and
\fB\-\-stats\fR/\fB\-\-no\-stats\fR options also affect output
formatting.  See the descriptions of these options, under
\fBOPTIONS\fR below, for more information
.
.TP
\fBdump\-aggregate \fIswitch \fR[\fIflows\fR]
Prints to the console aggregate statistics for flows in
\fIswitch\fR's tables that match \fIflows\fR.  If \fIflows\fR is omitted, 
the statistics are aggregated across all flows in the switch's flow
tables.  See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
The output format is described in \fBTable Entry Output\fR.
.
.IP "\fBqueue\-stats \fIswitch \fR[\fIport \fR[\fIqueue\fR]]"
Prints to the console statistics for the specified \fIqueue\fR on
\fIport\fR within \fIswitch\fR.  \fIport\fR can be an OpenFlow port
number or name, the keyword \fBLOCAL\fR (the preferred way to refer to
the OpenFlow local port), or the keyword \fBALL\fR.  Either of
\fIport\fR or \fIqueue\fR or both may be omitted (or equivalently the
keyword \fBALL\fR).  If both are omitted, statistics are printed for
all queues on all ports.  If only \fIqueue\fR is omitted, then
statistics are printed for all queues on \fIport\fR; if only
\fIport\fR is omitted, then statistics are printed for \fIqueue\fR on
every port where it exists.
.
.IP "\fBqueue\-get\-config \fIswitch [\fIport \fR[\fIqueue\fR]]"
Prints to the console the configuration of \fIqueue\fR on \fIport\fR
in \fIswitch\fR.  If \fIport\fR is omitted or \fBANY\fR, reports
queues for all port.  If \fIqueue\fR is omitted or \fBANY\fR, reports
all queues.  For OpenFlow 1.3 and earlier, the output always includes
all queues, ignoring \fIqueue\fR if specified.
.IP
This command has limited usefulness, because ports often have no
configured queues and because the OpenFlow protocol provides only very
limited information about the configuration of a queue.
.
.IP "\fBdump\-ipfix\-bridge \fIswitch\fR"
Prints to the console the statistics of bridge IPFIX for \fIswitch\fR.
If bridge IPFIX is configured on the \fIswitch\fR, IPFIX statistics
can be retrieved.  Otherwise, error message will be printed.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.IP "\fBdump\-ipfix\-flow \fIswitch\fR"
Prints to the console the statistics of flow-based IPFIX for
\fIswitch\fR.  If flow-based IPFIX is configured on the \fIswitch\fR,
statistics of all the collector set ids on the \fIswitch\fR will be
printed.  Otherwise, print error message.
.IP
Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on configuring
flow based IPFIX and collector set ids.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.IP "\fBct\-flush\-zone \fIswitch zone\fR
Flushes the connection tracking entries in \fIzone\fR on \fIswitch\fR.
.IP
This command uses an Open vSwitch extension that is only in Open
vSwitch 2.6 and later.
.
.SS "OpenFlow Switch Flow Table Commands"
.
These commands manage the flow table in an OpenFlow switch.  In each
case, \fIflow\fR specifies a flow entry in the format described in
\fBFlow Syntax\fR, below, \fIfile\fR is a text file that contains zero
or more flows in the same syntax, one per line, and the optional
\fB\-\-bundle\fR option operates the command as a single atomic
transation, see option \fB\-\-bundle\fR, below.
.
.IP "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch flow\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-flows \fIswitch file\fR"
Add each flow entry to \fIswitch\fR's tables.
.
Each flow specification (e.g., each line in \fIfile\fR) may start with
\fBadd\fR, \fBmodify\fR, \fBdelete\fR, \fBmodify_strict\fR, or
\fBdelete_strict\fR keyword to specify whether a flow is to be added,
modified, or deleted, and whether the modify or delete is strict or
not.  For backwards compatibility a flow specification without one of
these keywords is treated as a flow add.  All flow mods are executed
in the order specified.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
Modify the actions in entries from \fIswitch\fR's tables that match
the specified flows.  With \fB\-\-strict\fR, wildcards are not treated
as active for matching purposes.
.
.IP "[\fB\-\-bundle\fR] \fBdel\-flows \fIswitch\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's flow table.  With only a
\fIswitch\fR argument, deletes all flows.  Otherwise, deletes flow
entries that match the specified flows.  With \fB\-\-strict\fR,
wildcards are not treated as active for matching purposes.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR"
Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
\fB\-\fR) and queries the flow table from \fIswitch\fR.  Then it fixes
up any differences, adding flows from \fIflow\fR that are missing on
\fIswitch\fR, deleting flows from \fIswitch\fR that are not in
\fIfile\fR, and updating flows in \fIswitch\fR whose actions, cookie,
or timeouts differ in \fIfile\fR.
.
.IP
With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from
\fIfile\fR, even those that exist with the same actions, cookie, and
timeout in \fIswitch\fR.  In OpenFlow 1.0 and 1.1, re-adding a flow
always resets the flow's packet and byte counters to 0, and in
OpenFlow 1.2 and later, it does so only if the \fBreset_counts\fR flag
is set.
.
.IP "\fBdiff\-flows \fIsource1 source2\fR"
Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
differences.  A flow that is in \fIsource1\fR but not in \fIsource2\fR
is printed preceded by a \fB\-\fR, and a flow that is in \fIsource2\fR
but not in \fIsource1\fR is printed preceded by a \fB+\fR.  If a flow
exists in both \fIsource1\fR and \fIsource2\fR with different actions,
cookie, or timeouts, then both versions are printed preceded by
\fB\-\fR and \fB+\fR, respectively.
.IP
\fIsource1\fR and \fIsource2\fR may each name a file or a switch.  If
a name begins with \fB/\fR or \fB.\fR, then it is considered to be a
file name.  A name that contains \fB:\fR is considered to be a switch.
Otherwise, it is a file if a file by that name exists, a switch if
not.
.IP
For this command, an exit status of 0 means that no differences were
found, 1 means that an error occurred, and 2 means that some
differences were found.
.
.IP "\fBpacket\-out \fIswitch\fR \fIpacket-out\fR"
Connects to \fIswitch\fR and instructs it to execute the
\fIpacket-out\fR OpenFlow message, specified as defined in
\fBPacket\-Out Syntax\fR section.
.
.SS "Group Table Commands"
.
These commands manage the group table in an OpenFlow switch.  In each
case, \fIgroup\fR specifies a group entry in the format described in
\fBGroup Syntax\fR, below, and \fIfile\fR is a text file that contains
zero or more groups in the same syntax, one per line, and the optional
\fB\-\-bundle\fR option operates the command as a single atomic
transation, see option \fB\-\-bundle\fR, below.
.PP
The group commands work only with switches that support OpenFlow 1.1
or later or the Open vSwitch group extensions to OpenFlow 1.0 (added
in Open vSwitch 2.9.90).  For OpenFlow 1.1 or later, it is necessary
to explicitly enable these protocol versions in \fBovs\-ofctl\fR
(using \fB\-O\fR).  For more information, see ``Q: What versions of
OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
.
.IP "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch \fB\- < \fIfile\fR"
.IQ "[\fB\-\-bundle\fR] \fBadd\-groups \fIswitch file\fR"
Add each group entry to \fIswitch\fR's tables.
.
Each group specification (e.g., each line in \fIfile\fR) may start
with \fBadd\fR, \fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR,
\fBinsert_bucket\fR, or \fBremove_bucket\fR keyword to specify whether
a flow is to be added, modified, or deleted, or whether a group bucket
is to be added or removed.  For backwards compatibility a group
specification without one of these keywords is treated as a group add.
All group mods are executed in the order specified.
.
.IP "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch \fB\- < \fIfile\fR"
Modify the action buckets in entries from \fIswitch\fR's tables for
each group entry.  If a specified group does not already exist, then
without \fB\-\-may\-create\fR, this command has no effect; with
\fB\-\-may\-create\fR, it creates a new group.  The
\fB\-\-may\-create\fR option uses an Open vSwitch extension to
OpenFlow only implemented in Open vSwitch 2.6 and later.
.
.IP "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch\fR"
.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fR[\fIgroup\fR]"
.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's group table.  With only a
\fIswitch\fR argument, deletes all groups.  Otherwise, deletes the group
for each group entry.
.
.IP "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch \fB\- < \fIfile\fR"
Add buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
.IP "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch group\fR"
.IQ "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch \fB\- < \fIfile\fR"
Remove buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
.IP "\fBdump\-groups \fIswitch\fR [\fIgroup\fR]"
Prints group entries in \fIswitch\fR's tables to console.  To dump
only a specific group, specify its number as \fIgroup\fR.  Otherwise,
if \fIgroup\fR is omitted, or if it is specified as \fBALL\fR, then
all groups are printed.
.IP
Only OpenFlow 1.5 and later support dumping a specific group.  Earlier
versions of OpenFlow always dump all groups.
.
.IP "\fBdump\-group\-features \fIswitch"
Prints to the console the group features of the \fIswitch\fR.
.
.IP "\fBdump\-group\-stats \fIswitch \fR[\fIgroup\fR]"
Prints to the console statistics for the specified \fIgroup\fR in
\fIswitch\fR's tables.  If \fIgroup\fR is omitted then statistics for all
groups are printed.
.
.SS "OpenFlow 1.3+ Switch Meter Table Commands"
.
These commands manage the meter table in an OpenFlow switch.  In each
case, \fImeter\fR specifies a meter entry in the format described in
\fBMeter Syntax\fR, below.
.
.PP
OpenFlow 1.3 introduced support for meters, so these commands only work
with switches that support OpenFlow 1.3 or later.  It is necessary to
explicitly enable these protocol versions in \fBovs\-ofctl\fR (using
\fB\-O\fR) and in the switch itself (with the \fBprotocols\fR column in
the \fBBridge\fR table).  For more information, see ``Q: What versions
of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
.
.IP "\fBadd\-meter \fIswitch meter\fR"
Add a meter entry to \fIswitch\fR's tables. The \fImeter\fR syntax is
described in section \fBMeter Syntax\fR, below.
.
.IP "\fBmod\-meter \fIswitch meter\fR"
Modify an existing meter.
.
.IP "\fBdel\-meters \fIswitch\fR [\fImeter\fR]"
Delete entries from \fIswitch\fR's meter table.  To delete only a
specific meter, specify its number as \fImeter\fR.  Otherwise, if
\fImeter\fR is omitted, or if it is specified as \fBall\fR, then all
meters are deleted.
.
.IP "\fBdump\-meters \fIswitch\fR [\fImeter\fR]"
Print entries from \fIswitch\fR's meter table.  To print only a
specific meter, specify its number as \fImeter\fR.  Otherwise, if
\fImeter\fR is omitted, or if it is specified as \fBall\fR, then all
meters are printed.
.
.IP "\fBmeter\-stats \fIswitch\fR [\fImeter\fR]"
Print meter statistics.  \fImeter\fR can specify a single meter with
syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
.
.IP "\fBmeter\-features \fIswitch\fR"
Print meter features.
.
.SS OpenFlow Switch Bundle Command
.
Transactional updates to both flow and group tables can be made with
the \fBbundle\fR command.  \fIfile\fR is a text file that contains
zero or more flow mods, group mods, or packet-outs in \fBFlow
Syntax\fR, \fBGroup Syntax\fR, or \fBPacket\-Out Syntax\fR, each line
preceded by \fBflow\fR, \fBgroup\fR, or \fBpacket\-out\fR keyword,
correspondingly.  The \fBflow\fR keyword may be optionally followed by
one of the keywords \fBadd\fR, \fBmodify\fR, \fBmodify_strict\fR,
\fBdelete\fR, or \fBdelete_strict\fR, of which the \fBadd\fR is
assumed if a bare \fBflow\fR is given.  Similarly, the \fBgroup\fR
keyword may be optionally followed by one of the keywords \fBadd\fR,
\fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR, \fBinsert_bucket\fR, or
\fBremove_bucket\fR, of which the \fBadd\fR is assumed if a bare
\fBgroup\fR is given.
.
.IP "\fBbundle \fIswitch file\fR"
Execute all flow and group mods in \fIfile\fR as a single atomic
transaction against \fIswitch\fR's tables.  All bundled mods are
executed in the order specified.
.
.SS "OpenFlow Switch Tunnel TLV Table Commands"
.
Open vSwitch maintains a mapping table between tunnel option TLVs (defined
by <class, type, length>) and NXM fields \fBtun_metadata\fIn\fR,
where \fIn\fR ranges from 0 to 63, that can be operated on for the
purposes of matches, actions, etc. This TLV table can be used for
Geneve option TLVs or other protocols with options in same TLV format
as Geneve options. This mapping must be explicitly specified by the user
through the following commands.

A TLV mapping is specified with the syntax
\fB{class=\fIclass\fB,type=\fItype\fB,len=\fIlength\fB}->tun_metadata\fIn\fR.
When an option mapping exists for a given \fBtun_metadata\fIn\fR,
matching on the defined field becomes possible, e.g.:

.RS
ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
.PP
ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
.RE

A mapping should not be changed while it is in active
use by a flow. The result of doing so is undefined.

These commands are Nicira extensions to OpenFlow and require Open vSwitch
2.5 or later.

.IP "\fBadd\-tlv\-map \fIswitch option\fR[\fB,\fIoption\fR]..."
Add each \fIoption\fR to \fIswitch\fR's tables. Duplicate fields are
rejected.
.
.IP "\fBdel\-tlv\-map \fIswitch \fR[\fIoption\fR[\fB,\fIoption\fR]]..."
Delete each \fIoption\fR from \fIswitch\fR's table, or all option TLV
mapping if no \fIoption\fR is specified.
Fields that aren't mapped are ignored.
.
.IP "\fBdump\-tlv\-map \fIswitch\fR"
Show the currently mapped fields in the switch's option table as well
as switch capabilities.
.
.SS "OpenFlow Switch Monitoring Commands"
.
.IP "\fBsnoop \fIswitch\fR"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Unlike other \fBovs\-ofctl\fR commands, if
\fIswitch\fR is the name of a bridge, then the \fBsnoop\fR command
connects to a Unix domain socket named
\fB@RUNDIR@/\fIswitch\fB.snoop\fR.  \fBovs\-vswitchd\fR listens on
such a socket for each bridge and sends to it all of the OpenFlow
messages sent to or received from its configured OpenFlow controller.
Thus, this command can be used to view OpenFlow protocol activity
between a switch and its controller.
.IP
When a switch has more than one controller configured, only the
traffic to and from a single controller is output.  If none of the
controllers is configured as a master or a slave (using a Nicira
extension to OpenFlow 1.0 or 1.1, or a standard request in OpenFlow
1.2 or later), then a controller is chosen arbitrarily among
them.  If there is a master controller, it is chosen; otherwise, if
there are any controllers that are not masters or slaves, one is
chosen arbitrarily; otherwise, a slave controller is chosen
arbitrarily.  This choice is made once at connection time and does not
change as controllers reconfigure their roles.
.IP
If a switch has no controller configured, or if
the configured controller is disconnected, no traffic is sent, so
monitoring will not show any traffic.
.
.IP "\fBmonitor \fIswitch\fR [\fImiss-len\fR] [\fBinvalid_ttl\fR] [\fBwatch:\fR[\fIspec\fR...]]"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Usually, \fIswitch\fR should specify the name of a
bridge in the \fBovs\-vswitchd\fR database.
.IP
If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fImiss-len\fR bytes of each packet that misses the flow table.  Open vSwitch
does not send these and other asynchronous messages to an
\fBovs\-ofctl monitor\fR client connection unless a nonzero value is
specified on this argument.  (Thus, if \fImiss\-len\fR is not
specified, very little traffic will ordinarily be printed.)
.IP
If \fBinvalid_ttl\fR is passed, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fBINVALID_TTL_TO_CONTROLLER\fR, so that \fBovs\-ofctl monitor\fR can
receive ``packet-in'' messages when TTL reaches zero on \fBdec_ttl\fR action.
Only OpenFlow 1.1 and 1.2 support \fBinvalid_ttl\fR; Open vSwitch also
implements it for OpenFlow 1.0 as an extension.
.IP
\fBwatch:\fR[\fB\fIspec\fR...] causes \fBovs\-ofctl\fR to send a
``monitor request'' Nicira extension message to the switch at
connection setup time.  This message causes the switch to send
information about flow table changes as they occur.  The following
comma-separated \fIspec\fR syntax is available:
.RS
.IP "\fB!initial\fR"
Do not report the switch's initial flow table contents.
.IP "\fB!add\fR"
Do not report newly added flows.
.IP "\fB!delete\fR"
Do not report deleted flows.
.IP "\fB!modify\fR"
Do not report modifications to existing flows.
.IP "\fB!own\fR"
Abbreviate changes made to the flow table by \fBovs\-ofctl\fR's own
connection to the switch.  (These could only occur using the
\fBofctl/send\fR command described below under \fBRUNTIME MANAGEMENT
COMMANDS\fR.)
.IP "\fB!actions\fR"
Do not report actions as part of flow updates.
.IP "\fBtable=\fItable\fR"
Limits the monitoring to the table with the given \fItable\fR, which
may be expressed as a number between 0 and 254 or (unless
\fB\-\-no\-names\fR is specified) a name.  By default, all tables are
monitored.
.IP "\fBout_port=\fIport\fR"
If set, only flows that output to \fIport\fR are monitored.  The
\fIport\fR may be an OpenFlow port number or keyword
(e.g. \fBLOCAL\fR).
.IP "\fIfield\fB=\fIvalue\fR"
Monitors only flows that have \fIfield\fR specified as the given
\fIvalue\fR.  Any syntax valid for matching on \fBdump\-flows\fR may
be used.
.RE
.IP
This command may be useful for debugging switch or controller
implementations.  With \fBwatch:\fR, it is particularly useful for
observing how a controller updates flow tables.
.
.SS "OpenFlow Switch and Controller Commands"
.
The following commands, like those in the previous section, may be
applied to OpenFlow switches, using any of the connection methods
described in that section.  Unlike those commands, these may also be
applied to OpenFlow controllers.
.
.TP
\fBprobe \fItarget\fR
Sends a single OpenFlow echo-request message to \fItarget\fR and waits
for the response.  With the \fB\-t\fR or \fB\-\-timeout\fR option, this
command can test whether an OpenFlow switch or controller is up and
running.
.
.TP
\fBping \fItarget \fR[\fIn\fR]
Sends a series of 10 echo request packets to \fItarget\fR and times
each reply.  The echo request packets consist of an OpenFlow header
plus \fIn\fR bytes (default: 64) of randomly generated payload.  This
measures the latency of individual requests.
.
.TP
\fBbenchmark \fItarget n count\fR
Sends \fIcount\fR echo request packets that each consist of an
OpenFlow header plus \fIn\fR bytes of payload and waits for each
response.  Reports the total time required.  This is a measure of the
maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte
messages.
.
.SS "Other Commands"
.
.IP "\fBofp\-parse\fR \fIfile\fR"
Reads \fIfile\fR (or \fBstdin\fR if \fIfile\fR is \fB\-\fR) as a
series of OpenFlow messages in the binary format used on an OpenFlow
connection, and prints them to the console.  This can be useful for
printing OpenFlow messages captured from a TCP stream.
.
.IP "\fBofp\-parse\-pcap\fR \fIfile\fR [\fIport\fR...]"
Reads \fIfile\fR, which must be in the PCAP format used by network
capture tools such as \fBtcpdump\fR or \fBwireshark\fR, extracts all
the TCP streams for OpenFlow connections, and prints the OpenFlow
messages in those connections in human-readable format on
\fBstdout\fR.
.IP
OpenFlow connections are distinguished by TCP port number.
Non-OpenFlow packets are ignored.  By default, data on TCP ports 6633
and 6653 are considered to be OpenFlow.  Specify one or more
\fIport\fR arguments to override the default.
.IP
This command cannot usefully print SSL encrypted traffic.  It does not
understand IPv6.
.
.SS "Flow Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
flows.  Such flow descriptions comprise a series of
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a flow description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.)
.PP
Flow descriptions should be in \fBnormal form\fR.  This means that a
flow may only specify a value for an L3 field if it also specifies a
particular L2 protocol, and that a flow may only specify an L4 field
if it also specifies particular L2 and L3 protocol types.  For
example, if the L2 protocol type \fBdl_type\fR is wildcarded, then L3
fields \fBnw_src\fR, \fBnw_dst\fR, and \fBnw_proto\fR must also be
wildcarded.  Similarly, if \fBdl_type\fR or \fBnw_proto\fR (the L3
protocol type) is wildcarded, so must be the L4 fields \fBtcp_dst\fR and
\fBtcp_src\fR.  \fBovs\-ofctl\fR will warn about
flows not in normal form.
.PP
\fBovs\-fields\fR(7) describes the supported fields and how to match
them.  In addition to match fields, commands that operate on flows
accept a few additional key-value pairs:
.
.IP \fBtable=\fItable\fR
For flow dump commands, limits the flows dumped to those in
\fItable\fR, which may be expressed as a number between 0 and 255 or
(unless \fB\-\-no\-names\fR is specified) a name.  If not specified
(or if 255 is specified as \fItable\fR), then flows in all tables are
dumped.
.
.IP
For flow table modification commands, behavior varies based on the
OpenFlow version used to connect to the switch:
.
.RS
.IP "OpenFlow 1.0"
OpenFlow 1.0 does not support \fBtable\fR for modifying flows.
\fBovs\-ofctl\fR will exit with an error if \fBtable\fR (other than
\fBtable=255\fR) is specified for a switch that only supports OpenFlow
1.0.
.IP
In OpenFlow 1.0, the switch chooses the table into which to insert a
new flow.  The Open vSwitch software switch always chooses table 0.
Other Open vSwitch datapaths and other OpenFlow implementations may
choose different tables.
.IP
The OpenFlow 1.0 behavior in Open vSwitch for modifying or removing
flows depends on whether \fB\-\-strict\fR is used.  Without
\fB\-\-strict\fR, the command applies to matching flows in all tables.
With \fB\-\-strict\fR, the command will operate on any single matching
flow in any table; it will do nothing if there are matches in more
than one table.  (The distinction between these behaviors only matters
if non-OpenFlow 1.0 commands were also used, because OpenFlow 1.0
alone cannot add flows with the same matching criteria to multiple
tables.)
.
.IP "OpenFlow 1.0 with table_id extension"
Open vSwitch implements an OpenFlow extension that allows the
controller to specify the table on which to operate.  \fBovs\-ofctl\fR
automatically enables the extension when \fBtable\fR is specified and
OpenFlow 1.0 is used.  \fBovs\-ofctl\fR automatically detects whether
the switch supports the extension.  As of this writing, this extension
is only known to be implemented by Open vSwitch.
.
.IP
With this extension, \fBovs\-ofctl\fR operates on the requested table
when \fBtable\fR is specified, and acts as described for OpenFlow 1.0
above when no \fBtable\fR is specified (or for \fBtable=255\fR).
.
.IP "OpenFlow 1.1"
OpenFlow 1.1 requires flow table modification commands to specify a
table.  When \fBtable\fR is not specified (or \fBtable=255\fR is
specified), \fBovs\-ofctl\fR defaults to table 0.
.
.IP "OpenFlow 1.2 and later"
OpenFlow 1.2 and later allow flow deletion commands, but not other
flow table modification commands, to operate on all flow tables, with
the behavior described above for OpenFlow 1.0.
.RE
.IP "\fBduration=\fR..."
.IQ "\fBn_packet=\fR..."
.IQ "\fBn_bytes=\fR..."
\fBovs\-ofctl\fR ignores assignments to these ``fields'' to allow
output from the \fBdump\-flows\fR command to be used as input for
other commands that parse flows.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
require an additional field, which must be the final field specified:
.
.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
Specifies a comma-separated list of actions to take on a packet when the 
flow entry matches.  If no \fIaction\fR is specified, then packets
matching the flow are dropped.  The following forms of \fIaction\fR
are supported:
.
.RS
.IP \fIport\fR
.IQ \fBoutput:\fIport\fR
Outputs the packet to OpenFlow port number \fIport\fR.  If \fIport\fR
is the packet's input port, the packet is not output.
.
.IP \fBoutput:\fIsrc\fB[\fIstart\fB..\fIend\fB]
Outputs the packet to the OpenFlow port number read from \fIsrc\fR,
which may be an NXM field name, as described above, or a match field name.
\fBoutput:reg0[16..31]\fR outputs to the OpenFlow port number
written in the upper half of register 0.  If the port number is the
packet's input port, the packet is not output.
.IP
This form of \fBoutput\fR was added in Open vSwitch 1.3.0.  This form
of \fBoutput\fR uses an OpenFlow extension that is not supported by
standard OpenFlow switches.
.
.IP \fBoutput(port=\fIport\fR\fB,max_len=\fInbytes\fR)
Outputs the packet to the OpenFlow port number read from \fIport\fR,
with maximum packet size set to \fInbytes\fR.  \fIport\fR may be OpenFlow
port number, \fBlocal\fR, or \fBin_port\fR.  Patch port is not supported.
Packets larger than \fInbytes\fR will be trimmed to \fInbytes\fR while
packets smaller than \fInbytes\fR remains the original size.
.
.IP \fBgroup:\fIgroup_id\fR
Outputs the packet to the OpenFlow group \fIgroup_id\fR.  OpenFlow 1.1
introduced support for groups; Open vSwitch 2.6 and later also
supports output to groups as an extension to OpenFlow 1.0.  See
\fBGroup Syntax\fR for more details.
.
.IP \fBnormal\fR
Subjects the packet to the device's normal L2/L3 processing.  (This
action is not implemented by all OpenFlow switches.)
.
.IP \fBflood\fR
Outputs the packet on all switch physical ports other than the port on
which it was received and any ports on which flooding is disabled
(typically, these would be ports disabled by the IEEE 802.1D spanning
tree protocol).
.
.IP \fBall\fR
Outputs the packet on all switch physical ports other than the port on
which it was received.
.
.IP \fBlocal\fR
Outputs the packet on the ``local port,'' which corresponds to the
network device that has the same name as the bridge.
.
.IP \fBin_port\fR
Outputs the packet on the port from which it was received.
.
.IP \fBcontroller(\fIkey\fB=\fIvalue\fR...\fB)
Sends the packet and its metadata to the OpenFlow controller as a ``packet in''
message.  The supported key-value pairs are:
.RS
.IP "\fBmax_len=\fInbytes\fR"
Limit to \fInbytes\fR the number of bytes of the packet to send to
the controller.  By default the entire packet is sent.
.IP "\fBreason=\fIreason\fR"
Specify \fIreason\fR as the reason for sending the message in the
``packet in'' message.  The supported reasons are \fBaction\fR (the
default), \fBno_match\fR, and \fBinvalid_ttl\fR.
.IP "\fBid=\fIcontroller-id\fR"
Specify \fIcontroller-id\fR, a 16-bit integer, as the connection ID of
the OpenFlow controller or controllers to which the ``packet in''
message should be sent.  The default is zero.  Zero is also the
default connection ID for each controller connection, and a given
controller connection will only have a nonzero connection ID if its
controller uses the \fBNXT_SET_CONTROLLER_ID\fR Nicira extension to
OpenFlow.
.IP "\fBuserdata=\fIhh\fR...\fR"
Supplies the bytes represented as hex digits \fIhh\fR as additional
data to the controller in the packet-in message.  Pairs of hex digits
may be separated by periods for readability.
.IP "\fBpause\fR"
Causes the switch to freeze the packet's trip through Open vSwitch
flow tables and serializes that state into the packet-in message as a
``continuation,'' an additional property in the \fBNXT_PACKET_IN2\fR
message.  The controller can later send the continuation back to the
switch in an \fBNXT_RESUME\fR message, which will restart the packet's
traversal from the point where it was interrupted.  This permits an
OpenFlow controller to interpose on a packet midway through processing
in Open vSwitch.
.IP "\fBmeter_id=\fIid\fR"
Use meter \fIid\fR to rate-limit the OpenFlow packet-in messages that
this action sends to the controller.  By default, packets sent to the
controller are associated with the "controller" virtual meter, if one
was configured.
.
.RE
.IP
If any \fIreason\fR other than \fBaction\fR or any nonzero
\fIcontroller-id\fR is supplied, Open vSwitch extension
\fBNXAST_CONTROLLER\fR, supported by Open vSwitch 1.6 and later, is
used.  If \fBuserdata\fR is supplied, then \fBNXAST_CONTROLLER2\fR,
supported by Open vSwitch 2.6 and later, is used.
.
.IP \fBcontroller\fR
.IQ \fBcontroller\fR[\fB:\fInbytes\fR]
Shorthand for \fBcontroller()\fR or
\fBcontroller(max_len=\fInbytes\fB)\fR, respectively.
.
.IP \fBenqueue(\fIport\fB,\fIqueue\fB)\fR
Enqueues the packet on the specified \fIqueue\fR within port
\fIport\fR, which must be an OpenFlow port number or keyword
(e.g. \fBLOCAL\fR).  The number of supported queues depends on the
switch; some OpenFlow implementations do not support queuing at all.
.
.IP \fBdrop\fR
Discards the packet, so no further processing or forwarding takes place.
If a drop action is used, no other actions may be specified.
.
.IP \fBmod_vlan_vid\fR:\fIvlan_vid\fR
Modifies the VLAN id on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  If the VLAN tag is added,
a priority of zero is used (see the \fBmod_vlan_pcp\fR action to set
this).
.
.IP \fBmod_vlan_pcp\fR:\fIvlan_pcp\fR
Modifies the VLAN priority on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  Valid values are between 0
(lowest) and 7 (highest).  If the VLAN tag is added, a vid of zero is used 
(see the \fBmod_vlan_vid\fR action to set this).
.
.IP \fBstrip_vlan\fR
Strips the VLAN tag from a packet if it is present.
.
.IP \fBpush_vlan\fR:\fIethertype\fR
Push a new VLAN tag onto the packet.  Ethertype is used as the Ethertype
for the tag. Only ethertype 0x8100 should be used. (0x88a8 which the spec
allows isn't supported at the moment.)
A priority of zero and the tag of zero are used for the new tag.
.
.IP \fBpush_mpls\fR:\fIethertype\fR
Changes the packet's Ethertype to \fIethertype\fR, which must be either
\fB0x8847\fR or \fB0x8848\fR, and pushes an MPLS LSE.
.IP
If the packet does not already contain any MPLS labels then an initial
label stack entry is pushed.  The label stack entry's label is 2 if the
packet contains IPv6 and 0 otherwise, its default traffic control value is
the low 3 bits of the packet's DSCP value (0 if the packet is not IP), and
its TTL is copied from the IP TTL (64 if the packet is not IP).
.IP
If the packet does already contain an MPLS label, pushes a new
outermost label as a copy of the existing outermost label.
.IP
A limitation of the implementation is that processing of actions will stop
if \fBpush_mpls\fR follows another \fBpush_mpls\fR unless there is a
\fBpop_mpls\fR in between.
.
.IP \fBpop_mpls\fR:\fIethertype\fR
Strips the outermost MPLS label stack entry.
Currently the implementation restricts \fIethertype\fR to a non-MPLS Ethertype
and thus \fBpop_mpls\fR should only be applied to packets with
an MPLS label stack depth of one. A further limitation is that processing of
actions will stop if \fBpop_mpls\fR follows another \fBpop_mpls\fR unless
there is a \fBpush_mpls\fR in between.
.
.IP \fBmod_dl_src\fB:\fImac\fR
Sets the source Ethernet address to \fImac\fR.
.
.IP \fBmod_dl_dst\fB:\fImac\fR
Sets the destination Ethernet address to \fImac\fR.
.
.IP \fBmod_nw_src\fB:\fIip\fR
Sets the IPv4 source address to \fIip\fR.
.
.IP \fBmod_nw_dst\fB:\fIip\fR
Sets the IPv4 destination address to \fIip\fR.
.
.IP \fBmod_tp_src\fB:\fIport\fR
Sets the TCP or UDP or SCTP source port to \fIport\fR.
.
.IP \fBmod_tp_dst\fB:\fIport\fR
Sets the TCP or UDP or SCTP destination port to \fIport\fR.
.
.IP \fBmod_nw_tos\fB:\fItos\fR
Sets the DSCP bits in the IPv4 ToS/DSCP or IPv6 traffic class field to
\fItos\fR, which must be a multiple of 4 between 0 and 255.  This action
does not modify the two least significant bits of the ToS field (the ECN bits).
.
.IP \fBmod_nw_ecn\fB:\fIecn\fR
Sets the ECN bits in the IPv4 ToS or IPv6 traffic class field to \fIecn\fR,
which must be a value between 0 and 3, inclusive.  This action does not modify
the six most significant bits of the field (the DSCP bits).
.IP
Requires OpenFlow 1.1 or later.
.
.IP \fBmod_nw_ttl\fB:\fIttl\fR
Sets the IPv4 TTL or IPv6 hop limit field to \fIttl\fR, which is specified as
a decimal number between 0 and 255, inclusive.  Switch behavior when setting
\fIttl\fR to zero is not well specified, though.
.IP
Requires OpenFlow 1.1 or later.
.RE
.IP
The following actions are Nicira vendor extensions that, as of this writing, are
only known to be implemented by Open vSwitch:
.
.RS
.
.IP \fBresubmit\fB:\fIport\fR
.IQ \fBresubmit\fB(\fR[\fIport\fR]\fB,\fR[\fItable\fR]\fB)
.IQ \fBresubmit\fB(\fR[\fIport\fR]\fB,\fR[\fItable\fR]\fB,ct)
Re-searches this OpenFlow flow table (or table \fItable\fR, if
specified) with the \fBin_port\fR field replaced by
\fIport\fR (if \fIport\fR is specified) and the packet 5-tuple fields
swapped with the corresponding conntrack original direction tuple
fields (if \fBct\fR is specified, see \fBct_nw_src\fR above), and
executes the actions found, if any, in addition to any other actions
in this flow entry.  The \fBin_port\fR and swapped 5-tuple fields are
restored immediately after the search, before any actions are
executed.
.IP
The \fItable\fR may be expressed as a number between 0 and 254 or
(unless \fB\-\-no\-names\fR is specified) a name.
.IP
The \fBct\fR option requires a valid connection tracking state as a
match prerequisite in the flow where this action is placed.  Examples
of valid connection tracking state matches include
\fBct_state=+new\fR, \fBct_state=+est\fR, \fBct_state=+rel\fR, and
\fBct_state=+trk-inv\fR.
.IP
Recursive \fBresubmit\fR actions are obeyed up to
implementation-defined limits:
.RS
.IP \(bu
Open vSwitch 1.0.1 and earlier did not support recursion.
.IP \(bu
Open vSwitch 1.0.2 and 1.0.3 limited recursion to 8 levels.
.IP \(bu
Open vSwitch 1.1 and 1.2 limited recursion to 16 levels.
.IP \(bu
Open vSwitch 1.2 through 1.8 limited recursion to 32 levels.
.IP \(bu
Open vSwitch 1.9 through 2.0 limited recursion to 64 levels.
.IP \(bu
Open vSwitch 2.1 through 2.5 limited recursion to 64 levels and impose
a total limit of 4,096 resubmits per flow translation (earlier versions
did not impose any total limit).
.IP \(bu
Open vSwitch 2.6 and later imposes the same limits as 2.5, with one
exception: \fBresubmit\fR from table \fIx\fR to any table \fIy\fR >
\fIx\fR does not count against the recursion limit.
.RE
.IP
Open vSwitch before 1.2.90 did not support \fItable\fR.  Open vSwitch
before 2.7 did not support \fBct\fR.
.
.IP \fBset_tunnel\fB:\fIid\fR
.IQ \fBset_tunnel64\fB:\fIid\fR
If outputting to a port that encapsulates the packet in a tunnel and
supports an identifier (such as GRE), sets the identifier to \fIid\fR.
If the \fBset_tunnel\fR form is used and \fIid\fR fits in 32 bits,
then this uses an action extension that is supported by Open vSwitch
1.0 and later.  Otherwise, if \fIid\fR is a 64-bit value, it requires
Open vSwitch 1.1 or later.
.
.IP \fBset_queue\fB:\fIqueue\fR
Sets the queue that should be used to \fIqueue\fR when packets are
output.  The number of supported queues depends on the switch; some
OpenFlow implementations do not support queuing at all.
.
.IP \fBpop_queue\fR
Restores the queue to the value it was before any \fBset_queue\fR
actions were applied.
.
.IP \fBct\fR
.IQ \fBct(\fR[\fIargument\fR][\fB,\fIargument\fR...]\fB)
Send the packet through the connection tracker.  Refer to the \fBct_state\fR
documentation above for possible packet and connection states. A \fBct\fR
action always sets the packet to an untracked state and clears out the
\fBct_state\fR fields for the current processing path.  Those fields are
only available for the processing path pointed to by the \fBtable\fR
argument.  The following arguments are supported:
.RS
.IP \fBcommit\fR
.RS
Commit the connection to the connection tracking module. Information about the
connection will be stored beyond the lifetime of the packet in the pipeline.
Some \fBct_state\fR flags are only available for committed connections.
.RE
.IP \fBforce\fR
.RS
A committed connection always has the directionality of the packet
that caused the connection to be committed in the first place.  This
is the ``original direction'' of the connection, and the opposite
direction is the ``reply direction''.  If a connection is already
committed, but it is in the wrong direction, \fBforce\fR flag may be
used in addition to \fBcommit\fR flag to effectively terminate the
existing connection and start a new one in the current direction.
This flag has no effect if the original direction of the connection is
already the same as that of the current packet.
.RE
.IP \fBtable=\fItable\fR
Fork pipeline processing in two. The original instance of the packet will
continue processing the current actions list as an untracked packet. An
additional instance of the packet will be sent to the connection tracker, which
will be re-injected into the OpenFlow pipeline to resume processing in table
\fInumber\fR (which may be specified as a number between 0 and 254 or,
unless \fB\-\-no\-names\fR is specified, a name), with the
\fBct_state\fR and other ct match fields set. If
\fBtable\fR is not specified, then the packet which is submitted to the
connection tracker is not re-injected into the OpenFlow pipeline. It is
strongly recommended to specify a table later than the current table to prevent
loops.
.IP \fBzone=\fIvalue\fR
.IQ \fBzone=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
A 16-bit context id that can be used to isolate connections into separate
domains, allowing overlapping network addresses in different zones. If a zone
is not provided, then the default is to use zone zero. The \fBzone\fR may be
specified either as an immediate 16-bit \fIvalue\fR, or may be provided from an
NXM field \fIsrc\fR. The \fIstart\fR and \fIend\fR pair are inclusive, and must
specify a 16-bit range within the field. This value is copied to the
\fBct_zone\fR match field for packets which are re-injected into the pipeline
using the \fBtable\fR option.
.IP \fBexec\fB(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR
Perform actions within the context of connection tracking. This is a restricted
set of actions which are in the same format as their specifications as part
of a flow. Only actions which modify the \fBct_mark\fR or \fBct_label\fR
fields are accepted within the \fBexec\fR action, and these fields may only be
modified with this option. For example:
.
.RS
.IP \fBset_field:\fIvalue\fR[\fB/\fImask\fR]->ct_mark\fR
Store a 32-bit metadata value with the connection.  Subsequent lookups
for packets in this connection will populate the \fBct_mark\fR flow
field when the packet is sent to the connection tracker with the
\fBtable\fR specified.
.IP \fBset_field:\fIvalue\fR[\fB/\fImask\fR]->ct_label\fR
Store a 128-bit metadata value with the connection.  Subsequent
lookups for packets in this connection will populate the
\fBct_label\fR flow field when the packet is sent to the connection
tracker with the \fBtable\fR specified.
.RE
.IP
The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
.
.IP \fBalg=\fIalg\fR
Specify application layer gateway \fIalg\fR to track specific connection
types. If subsequent related connections are sent through the \fBct\fR
action, then the \fBrel\fR flag in the \fBct_state\fR field will be set.
Supported types include:
.RS
.IP \fBftp\fR
Look for negotiation of FTP data connections. Specify this option for FTP
control connections to detect related data connections and populate the
\fBrel\fR flag for the data connections.
.
.IP \fBtftp\fR
Look for negotiation of TFTP data connections. Specify this option for TFTP
control connections to detect related data connections and populate the
\fBrel\fR flag for the data connections.
.RE
.
.IP
The \fBcommit\fR parameter must be specified to use \fBalg=\fIalg\fR.
.
.IP
When committing related connections, the \fBct_mark\fR for that connection is
inherited from the current \fBct_mark\fR stored with the original connection
(ie, the connection created by \fBct(alg=...)\fR).
.
.IP
Note that with the Linux datapath, global sysctl options affect the usage of
the \fBct\fR action. In particular, if \fBnet.netfilter.nf_conntrack_helper\fR
is enabled then application layer gateway helpers may be executed even if the
\fBalg\fR option is not specified. This is the default setting until Linux 4.7.
For security reasons, the netfilter team recommends users to disable this
option. See this blog post for further details:
.
http://www.netfilter.org/news.html#2012-04-03
.
.IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
.
Specify address and port translation for the connection being tracked.
For new connections either \fBsrc\fR or \fBdst\fR argument must be
provided to set up either source address/port translation (SNAT) or
destination address/port translation (DNAT), respectively.  Setting up
address translation for a new connection takes effect only if the
\fBcommit\fR flag is also provided for the enclosing \fBct\fR action.
A bare \fBnat\fR action will only translate the packet being processed
in the way the connection has been set up with an earlier \fBct\fR
action.  Also a \fBnat\fR action with \fBsrc\fR or \fBdst\fR, when
applied to a packet belonging to an established (rather than new)
connection, will behave the same as a bare \fBnat\fR.
.IP
\fBsrc\fR and \fBdst\fR options take the following arguments:
.RS
.IP \fIaddr1\fR[\fB-\fIaddr2\fR]
The address range from which the translated address should be
selected.  If only one address is given, then that address will always
be selected, otherwise the address selection can be informed by the
optional \fBpersistent\fR flag as described below.  Either IPv4 or
IPv6 addresses can be provided, but both addresses must be of the same
type, and the datapath behavior is undefined in case of providing IPv4
address range for an IPv6 packet, or IPv6 address range for an IPv4
packet.  IPv6 addresses must be bracketed with '[' and ']' if a port
range is also given.
.RE
.
.RS
.IP \fIport1\fR[\fB-\fIport2\fR]
The port range from which the translated port should be selected.  If
only one port number is provided, then that should be selected.  In
case of a mapping conflict the datapath may choose any other
non-conflicting port number instead, even when no port range is
specified.  The port number selection can be informed by the optional
\fBrandom\fR and \fBhash\fR flags as described below.
.RE
.IP
The optional flags are:
.RS
.IP \fBrandom\fR
The selection of the port from the given range should be done using a
fresh random number.  This flag is mutually exclusive with \fBhash\fR.
.RE
.
.RS
.IP \fBhash\fR
The selection of the port from the given range should be done using a
datapath specific hash of the packet's IP addresses and the other,
non-mapped port number.  This flag is mutually exclusive with
\fBrandom\fR.
.RE
.
.RS
.IP \fBpersistent\fR
The selection of the IP address from the given range should be done so
that the same mapping can be provided after the system restarts.
.RE
.IP
If an \fBalg\fR is specified for the committing \fBct\fR action that
also includes \fBnat\fR with a \fBsrc\fR or \fBdst\fR attribute,
then the datapath tries to set up the helper to be NAT aware.  This
functionality is datapath specific and may not be supported by all
datapaths.
.IP
\fBnat\fR was introduced in Open vSwitch 2.6.  The first datapath that
implements \fBct nat\fR support is the one that ships with Linux 4.6.
.RE
.IP
The \fBct\fR action may be used as a primitive to construct stateful firewalls
by selectively committing some traffic, then matching the \fBct_state\fR to
allow established connections while denying new connections. The following
flows provide an example of how to implement a simple firewall that allows new
connections from port 1 to port 2, and only allows established connections to
send traffic from port 2 to port 1:
    \fBtable=0,priority=1,action=drop
    table=0,priority=10,arp,action=normal
    table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
    table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
    table=1,in_port=1,ip,ct_state=+trk+est,action=2
    table=1,in_port=2,ip,ct_state=+trk+new,action=drop
    table=1,in_port=2,ip,ct_state=+trk+est,action=1\fR
.IP
If \fBct\fR is executed on IP (or IPv6) fragments, then the message is
implicitly reassembled before sending to the connection tracker and
refragmented upon \fBoutput\fR, to the original maximum received fragment size.
Reassembly occurs within the context of the \fBzone\fR, meaning that IP
fragments in different zones are not assembled together. Pipeline processing
for the initial fragments is halted; When the final fragment is received, the
message is assembled and pipeline processing will continue for that flow.
Because packet ordering is not guaranteed by IP protocols, it is not possible
to determine which IP fragment will cause message reassembly (and therefore
continue pipeline processing). As such, it is strongly recommended that
multiple flows should not execute \fBct\fR to reassemble fragments from the
same IP message.
.IP
The \fBct\fR action was introduced in Open vSwitch 2.5.
.
.IP \fBct_clear\fR
Clears connection tracking state from the flow, zeroing
\fBct_state\fR, \fBct_zone\fR, \fBct_mark\fR, and \fBct_label\fR.
.IP
This action was introduced in Open vSwitch 2.6.90.
.
.IP \fBdec_ttl\fR
.IQ \fBdec_ttl(\fIid1\fR[\fB,\fIid2\fR]...\fB)\fR
Decrement TTL of IPv4 packet or hop limit of IPv6 packet.  If the
TTL or hop limit is initially zero or decrementing would make it so, no
decrement occurs, as packets reaching TTL zero must be rejected.  Instead,
a ``packet-in'' message with reason code \fBOFPR_INVALID_TTL\fR is
sent to each connected controller that has enabled receiving them,
if any.  Processing the current set of actions then stops.  However,
if the current set of actions was reached through ``resubmit'' then
remaining actions in outer levels resume processing.
.IP
This action also optionally supports the ability to specify a list of
valid controller ids.  Each of the controllers in the list will receive
the ``packet_in'' message only if they have registered to receive the
invalid ttl packets.  If controller ids are not specified, the
``packet_in'' message will be sent only to the controllers having
controller id zero which have registered for the invalid ttl packets.
.
.IP \fBset_mpls_label\fR:\fIlabel\fR
Set the label of the outer MPLS label stack entry of a packet.
\fIlabel\fR should be a 20-bit value that is decimal by default;
use a \fB0x\fR prefix to specify them in hexadecimal.
.
.IP \fBset_mpls_tc\fR:\fItc\fR
Set the traffic-class of the outer MPLS label stack entry of a packet.
\fItc\fR should be a in the range 0 to 7 inclusive.
.
.IP \fBset_mpls_ttl\fR:\fIttl\fR
Set the TTL of the outer MPLS label stack entry of a packet.
\fIttl\fR should be in the range 0 to 255 inclusive.
.
.IP \fBdec_mpls_ttl\fR
Decrement TTL of the outer MPLS label stack entry of a packet.  If the TTL
is initially zero or decrementing would make it so, no decrement occurs.
Instead, a ``packet-in'' message with reason code \fBOFPR_INVALID_TTL\fR
is sent to the main controller (id zero), if it has enabled receiving them.
Processing the current set of actions then stops.  However, if the current
set of actions was reached through ``resubmit'' then remaining actions in
outer levels resume processing.
.
.IP \fBdec_nsh_ttl\fR
Decrement TTL of the outer NSH header of a packet.  If the TTL
is initially zero or decrementing would make it so, no decrement occurs.
Instead, a ``packet-in'' message with reason code \fBOFPR_INVALID_TTL\fR
is sent to the main controller (id zero), if it has enabled receiving them.
Processing the current set of actions then stops.  However, if the current
set of actions was reached through ``resubmit'' then remaining actions in
outer levels resume processing.
.
.IP \fBnote:\fR[\fIhh\fR]...
Does nothing at all.  Any number of bytes represented as hex digits
\fIhh\fR may be included.  Pairs of hex digits may be separated by
periods for readability.
The \fBnote\fR action's format doesn't include an exact length for its
payload, so the provided bytes will be padded on the right by enough
bytes with value 0 to make the total number 6 more than a multiple of
8.
.
.IP "\fBmove:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]\fR"
Copies the named bits from field \fIsrc\fR to field \fIdst\fR.
\fIsrc\fR and \fIdst\fR may be NXM field names as defined in
\fBnicira\-ext.h\fR, e.g. \fBNXM_OF_UDP_SRC\fR or \fBNXM_NX_REG0\fR,
or a match field name, e.g. \fBreg0\fR.  Each
\fIstart\fR and \fIend\fR pair, which are inclusive, must specify the
same number of bits and must fit within its respective field.
Shorthands for \fB[\fIstart\fB..\fIend\fB]\fR exist: use
\fB[\fIbit\fB]\fR to specify a single bit or \fB[]\fR to specify an
entire field (in the latter case the brackets can also be left off).
.IP
Examples: \fBmove:NXM_NX_REG0[0..5]\->NXM_NX_REG1[26..31]\fR copies the
six bits numbered 0 through 5, inclusive, in register 0 into bits 26
through 31, inclusive;
\fBmove:reg0[0..15]\->vlan_tci\fR copies the least
significant 16 bits of register 0 into the VLAN TCI field.
.IP
In OpenFlow 1.0 through 1.4, \fBmove\fR ordinarily uses an Open
vSwitch extension to OpenFlow.  In OpenFlow 1.5, \fBmove\fR uses the
OpenFlow 1.5 standard \fBcopy_field\fR action.  The ONF has
also made \fBcopy_field\fR available as an extension to OpenFlow 1.3.
Open vSwitch 2.4 and later understands this extension and uses it if a
controller uses it, but for backward compatibility with older versions
of Open vSwitch, \fBovs\-ofctl\fR does not use it.
.
.IP "\fBset_field:\fIvalue\fR[/\fImask\fR]\fB\->\fIdst"
.IQ "\fBload:\fIvalue\fB\->\fIdst\fB[\fIstart\fB..\fIend\fB]"
Loads a literal value into a field or part of a field.  With
\fBset_field\fR, \fBvalue\fR and the optional \fBmask\fR are given in
the customary syntax for field \fIdst\fR, which is expressed as a
field name.  For example, \fBset_field:00:11:22:33:44:55->eth_src\fR
sets the Ethernet source address to 00:11:22:33:44:55.  With
\fBload\fR, \fIvalue\fR must be an integer value (in decimal or
prefixed by \fB0x\fR for hexadecimal) and \fIdst\fR can also be the
NXM or OXM name for the field.  For example,
\fBload:0x001122334455->OXM_OF_ETH_SRC[]\fR has the same effect as the
prior \fBset_field\fR example.
.IP
The two forms exist for historical reasons.  Open vSwitch 1.1
introduced \fBNXAST_REG_LOAD\fR as a Nicira extension to OpenFlow 1.0
and used \fBload\fR to express it.  Later, OpenFlow 1.2 introduced a
standard \fBOFPAT_SET_FIELD\fR action that was restricted to loading
entire fields, so Open vSwitch added the form \fBset_field\fR with
this restriction.  OpenFlow 1.5 extended \fBOFPAT_SET_FIELD\fR to the
point that it became a superset of \fBNXAST_REG_LOAD\fR.  Open vSwitch
translates either syntax as necessary for the OpenFlow version in use:
in OpenFlow 1.0 and 1.1, \fBNXAST_REG_LOAD\fR; in OpenFlow 1.2, 1.3,
and 1.4, \fBNXAST_REG_LOAD\fR for \fBload\fR or for loading a
subfield, \fBOFPAT_SET_FIELD\fR otherwise; and OpenFlow 1.5 and later,
\fBOFPAT_SET_FIELD\fR.
.
.IP "\fBpush:\fIsrc\fB[\fIstart\fB..\fIend\fB]"
.IQ "\fBpop:\fIdst\fB[\fIstart\fB..\fIend\fB]"
These Open vSwitch extension actions act on bits \fIstart\fR to
\fIend\fR, inclusive, in the named field, pushing or popping the bits
on a general-purpose stack of fields or subfields.  Controllers can
use this stack for saving and restoring data or metadata around
\fBresubmit\fR actions, for swapping or rearranging data and metadata,
or for other purposes.  Any data or metadata field, or part of one,
may be pushed, and any modifiable field or subfield may be popped.
.IP
The number of bits pushed in a stack entry do not have to match the
number of bits later popped from that entry.  If more bits are popped
from an entry than were pushed, then the entry is conceptually
left-padded with 0-bits as needed.  If fewer bits are popped than
pushed, then bits are conceptually trimmed from the left side of the
entry.
.IP
The stack's size is intended to have a large enough limit that
``normal'' use will not pose problems.  Stack overflow or underflow is
an error that causes action execution to stop.
.IP
Example: \fBpush:NXM_NX_REG2[0..5]\fR or \fBpush:reg2[0..5]\fR push
the value stored in register 2 bits 0 through 5, inclusive, on the
internal stack, and \fBpop:NXM_NX_REG2[0..5]\fR or
\fBpop:reg2[0..5]\fR pops the value from top of the stack and sets
register 2 bits 0 through 5, inclusive, based on bits 0 through 5 from
the value just popped.
.
.IP "\fBmultipath(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIn_links\fB, \fIarg\fB, \fIdst\fB[\fIstart\fB..\fIend\fB])\fR"
Hashes \fIfields\fR using \fIbasis\fR as a universal hash parameter,
then the applies multipath link selection \fIalgorithm\fR (with
parameter \fIarg\fR) to choose one of \fIn_links\fR output links
numbered 0 through \fIn_links\fR minus 1, and stores the link into
\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as
described above.
.IP
\fIfields\fR must be one of the following:
.RS
.IP \fBeth_src\fR
Hashes Ethernet source address only.
.IP \fBsymmetric_l4\fR
Hashes Ethernet source, destination, and type, VLAN ID, IPv4/IPv6
source, destination, and protocol, and TCP or SCTP (but not UDP)
ports.  The hash is computed so that pairs of corresponding flows in
each direction hash to the same value, in environments where L2 paths
are the same in each direction.  UDP ports are not included in the
hash to support protocols such as VXLAN that use asymmetric ports in
each direction.
.IP \fBsymmetric_l3l4\fR
Hashes IPv4/IPv6 source, destination, and protocol, and TCP or SCTP
(but not UDP) ports.  Like \fBsymmetric_l4\fR, this is a symmetric
hash, but by excluding L2 headers it is more effective in environments
with asymmetric L2 paths (e.g. paths involving VRRP IP addresses on a
router).  Not an effective hash function for protocols other than IPv4
and IPv6, which hash to a constant zero.
.IP \fBsymmetric_l3l4+udp\fR
Like \fBsymmetric_l3l4+udp\fR, but UDP ports are included in the hash.
This is a more effective hash when asymmetric UDP protocols such as
VXLAN are not a consideration.
.IP \fBnw_src\fR
Hashes Network source address only.
.IP \fBnw_dst\fR
Hashes Network destination address only.
.RE
.IP
\fIalgorithm\fR must be one of \fBmodulo_n\fR,
\fBhash_threshold\fR, \fBhrw\fR, and \fBiter_hash\fR.  Only
the \fBiter_hash\fR algorithm uses \fIarg\fR.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
.
.IP "\fBbundle(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIslave_type\fB, slaves:[\fIs1\fB, \fIs2\fB, ...])\fR"
Hashes \fIfields\fR using \fIbasis\fR as a universal hash parameter, then
applies the bundle link selection \fIalgorithm\fR to choose one of the listed
slaves represented as \fIslave_type\fR.  Currently the only supported
\fIslave_type\fR is \fBofport\fR.  Thus, each \fIs1\fR through \fIsN\fR should
be an OpenFlow port number. Outputs to the selected slave.
.IP
Currently, \fIfields\fR must be either \fBeth_src\fR, \fBsymmetric_l4\fR, \fBsymmetric_l3l4\fR, \fBsymmetric_l3l4+udp\fR, 
\fBnw_src\fR, or \fBnw_dst\fR, and \fIalgorithm\fR must be one of \fBhrw\fR and \fBactive_backup\fR.
.IP
Example: \fBbundle(eth_src,0,hrw,ofport,slaves:4,8)\fR uses an Ethernet source
hash with basis 0, to select between OpenFlow ports 4 and 8 using the Highest
Random Weight algorithm.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
.
.IP "\fBbundle_load(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIslave_type\fB, \fIdst\fB[\fIstart\fB..\fIend\fB], slaves:[\fIs1\fB, \fIs2\fB, ...])\fR"
Has the same behavior as the \fBbundle\fR action, with one exception.  Instead
of outputting to the selected slave, it writes its selection to
\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as described
above.
.IP
Example: \fBbundle_load(eth_src, 0, hrw, ofport, NXM_NX_REG0[],
slaves:4, 8)\fR uses an Ethernet source hash with basis 0, to select
between OpenFlow ports 4 and 8 using the Highest Random Weight
algorithm, and writes the selection to \fBNXM_NX_REG0[]\fR.  Also the
match field name can be used, for example, instead of 'NXM_NX_REG0'
the name 'reg0' can be used.  When the while field is indicated the
empty brackets can also be left off.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
.
.IP "\fBlearn(\fIargument\fR[\fB,\fIargument\fR]...\fB)\fR"
This action adds or modifies a flow in an OpenFlow table, similar to
\fBovs\-ofctl \-\-strict mod\-flows\fR.  The arguments specify the
flow's match fields, actions, and other properties, as follows.  At
least one match criterion and one action argument should ordinarily be
specified.
.RS
.IP \fBidle_timeout=\fIseconds\fR
.IQ \fBhard_timeout=\fIseconds\fR
.IQ \fBpriority=\fIvalue\fR
.IQ \fBcookie=\fIvalue\fR
.IQ \fBsend_flow_rem\fR
These arguments have the same meaning as in the usual \fBovs\-ofctl\fR
flow syntax.
.
.IP \fBfin_idle_timeout=\fIseconds\fR
.IQ \fBfin_hard_timeout=\fIseconds\fR
Adds a \fBfin_timeout\fR action with the specified arguments to the
new flow.  This feature was added in Open vSwitch 1.5.90.
.
.IP \fBtable=\fItable\fR
The table in which the new flow should be inserted.  Specify a decimal
number between 0 and 254 or (unless \fB\-\-no\-names\fR is specified)
a name.  The default, if \fBtable\fR is unspecified, is table 1.
.
.IP \fBdelete_learned\fR
This flag enables deletion of the learned flows when the flow with the
\fBlearn\fR action is removed.  Specifically, when the last
\fBlearn\fR action with this flag and particular \fBtable\fR and
\fBcookie\fR values is removed, the switch deletes all of the flows in
the specified table with the specified cookie.
.
.IP
This flag was added in Open vSwitch 2.4.
.
.IP \fBlimit=\fInumber\fR
If the number of flows in table \fBtable\fR with cookie id \fBcookie\fR exceeds
\fInumber\fR, a new flow will not be learned by this action.  By default
there's no limit. limit=0 is a long-hand for no limit.
.
.IP
This flag was added in Open vSwitch 2.8.
.
.IP \fBresult_dst=\fIfield\fB[\fIbit\fB]\fR
If learning failed (because the number of flows exceeds \fBlimit\fR),
the action sets \fIfield\fB[\fIbit\fB]\fR to 0, otherwise it will be set to 1.
\fIfield\fB[\fIbit\fB]\fR must be a single bit.
.
.IP
This flag was added in Open vSwitch 2.8.
.
.IP \fIfield\fB=\fIvalue\fR
.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
Adds a match criterion to the new flow.
.IP
The first form specifies that \fIfield\fR must match the literal
\fIvalue\fR, e.g. \fBdl_type=0x0800\fR.  All of the fields and values
for \fBovs\-ofctl\fR flow syntax are available with their usual
meanings.  Shorthand notation matchers (e.g. \fBip\fR in place of
\fBdl_type=0x0800\fR) are not currently implemented.
.IP
The second form specifies that \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
in the new flow must match \fIsrc\fB[\fIstart\fB..\fIend\fB]\fR taken
from the flow currently being processed.
For example, \fINXM_OF_UDP_DST\fB[]\fR=\fINXM_OF_UDP_SRC\fB[]\fR on a
TCP packet for which the UDP src port is \fB53\fR, creates a flow which
matches \fINXM_OF_UDP_DST\fB[]\fR=\fB53\fR.
.IP
The third form is a shorthand for the second form.  It specifies that
\fIfield\fB[\fIstart\fB..\fIend\fB]\fR in the new flow must match the same
\fIfield\fB[\fIstart\fB..\fIend\fB]\fR taken from the flow currently
being processed.
For example, \fINXM_OF_TCP_DST\fB[]\fR on a TCP packet
for which the TCP dst port is \fB80\fR, creates a flow which
matches \fINXM_OF_TCP_DST\fB[]\fR=\fB80\fR.
.
.IP \fBload:\fIvalue\fB\->\fIdst\fB[\fIstart\fB..\fIend\fB]
.IQ \fBload:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]
.
Adds a \fBload\fR action to the new flow.
.IP
The first form loads the literal \fIvalue\fR into bits \fIstart\fR
through \fIend\fR, inclusive, in field \fIdst\fR.  Its syntax is the
same as the \fBload\fR action described earlier in this section.
.IP
The second form loads \fIsrc\fB[\fIstart\fB..\fIend\fB]\fR, a value
from the flow currently being processed, into bits \fIstart\fR
through \fIend\fR, inclusive, in field \fIdst\fR.
.
.IP \fBoutput:\fIfield\fB[\fIstart\fB..\fIend\fB]\fR
Add an \fBoutput\fR action to the new flow's actions, that outputs to
the OpenFlow port taken from \fIfield\fB[\fIstart\fB..\fIend\fB]\fR,
which must be an NXM field as described above.
.RE
.RE
.
.RS
.
.IP \fBclear_actions\fR
Clears all the actions in the action set immediately.
.
.IP \fBwrite_actions(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)
Add the specific actions to the action set.  The syntax of
\fIactions\fR is the same as in the \fBactions=\fR field.  The action
set is carried between flow tables and then executed at the end of the
pipeline.
.
.IP
The actions in the action set are applied in the following order, as
required by the OpenFlow specification, regardless of the order in
which they were added to the action set.  Except as specified
otherwise below, the action set only holds at most a single action of
each type.  When more than one action of a single type is written to
the action set, the one written later replaces the earlier action:
.
.RS
.IP 1.
\fBstrip_vlan\fR
.IQ
\fBpop_mpls\fR
.
.IP 2.
\fBdecap\fR
.
.IP 3.
\fBencap\fR
.
.IP 4.
\fBpush_mpls\fR
.
.IP 5.
\fBpush_vlan\fR
.
.IP 6.
\fBdec_ttl\fR
.IQ
\fBdec_mpls_ttl\fR
.IQ
\fBdec_nsh_ttl\fR
.
.IP 7.
\fBload\fR
.IQ
\fBmove\fR
.IQ
\fBmod_dl_dst\fR
.IQ
\fBmod_dl_src\fR
.IQ
\fBmod_nw_dst\fR
.IQ
\fBmod_nw_src\fR
.IQ
\fBmod_nw_tos\fR
.IQ
\fBmod_nw_ecn\fR
.IQ
\fBmod_nw_ttl\fR
.IQ
\fBmod_tp_dst\fR
.IQ
\fBmod_tp_src\fR
.IQ
\fBmod_vlan_pcp\fR
.IQ
\fBmod_vlan_vid\fR
.IQ
\fBset_field\fR
.IQ
\fBset_tunnel\fR
.IQ
\fBset_tunnel64\fR
.IQ
The action set can contain any number of these actions, with
cumulative effect. They will be applied in the order as added.
That is, when multiple actions modify the same part of a field,
the later modification takes effect, and when they modify
different parts of a field (or different fields), then both
modifications are applied.
.
.IP 8.
\fBset_queue\fR
.
.IP 9.
\fBgroup\fR
.IQ
\fBoutput\fR
.IQ
\fBresubmit\fR
.IQ
If more than one of these actions is present, then the one listed
earliest above is executed and the others are ignored, regardless of
the order in which they were added to the action set.  (If none of these
actions is present, the action set has no real effect, because the
modified packet is not sent anywhere and thus the modifications are
not visible.)
.RE
.IP
Only the actions listed above may be written to the action set.
\fBencap\fR, \fBdecap\fR and \fBdec_nsh_ttl\fR actions are nonstandard.
.
.IP \fBwrite_metadata\fB:\fIvalue\fR[/\fImask\fR]
Updates the metadata field for the flow. If \fImask\fR is omitted, the
metadata field is set exactly to \fIvalue\fR; if \fImask\fR is specified, then
a 1-bit in \fImask\fR indicates that the corresponding bit in the metadata
field will be replaced with the corresponding bit from \fIvalue\fR. Both
\fIvalue\fR and \fImask\fR are 64-bit values that are decimal by default; use
a \fB0x\fR prefix to specify them in hexadecimal.
.
.IP \fBmeter\fR:\fImeter_id\fR
Apply the \fImeter_id\fR before any other actions. If a meter band rate is
exceeded, the packet may be dropped, or modified, depending on the meter
band type. See the description of the \fBMeter Table Commands\fR, above,
for more details.
.
.IP \fBgoto_table\fR:\fItable\fR
Jumps to \fItable\Fr as the next table in the process pipeline.  The
\fItable\fR may be a number between 0 and 254 or (unless
\fB\-\-no\-names\fR is specified) a name.
.
.IP "\fBfin_timeout(\fIargument\fR[\fB,\fIargument\fR]\fB)"
This action changes the idle timeout or hard timeout, or both, of this
OpenFlow rule when the rule matches a TCP packet with the FIN or RST
flag.  When such a packet is observed, the action reduces the rule's
timeouts to those specified on the action.  If the rule's existing
timeout is already shorter than the one that the action specifies,
then that timeout is unaffected.
.IP
\fIargument\fR takes the following forms:
.RS
.IP "\fBidle_timeout=\fIseconds\fR"
Causes the flow to expire after the given number of seconds of
inactivity.
.
.IP "\fBhard_timeout=\fIseconds\fR"
Causes the flow to expire after the given number of seconds,
regardless of activity.  (\fIseconds\fR specifies time since the
flow's creation, not since the receipt of the FIN or RST.)
.RE
.IP
This action was added in Open vSwitch 1.5.90.
.
.IP "\fBsample(\fIargument\fR[\fB,\fIargument\fR]...\fB)\fR"
Samples packets and sends one sample for every sampled packet.
.IP
\fIargument\fR takes the following forms:
.RS
.IP "\fBprobability=\fIpackets\fR"
The number of sampled packets out of 65535.  Must be greater or equal to 1.
.IP "\fBcollector_set_id=\fIid\fR"
The unsigned 32-bit integer identifier of the set of sample collectors
to send sampled packets to.  Defaults to 0.
.IP "\fBobs_domain_id=\fIid\fR"
When sending samples to IPFIX collectors, the unsigned 32-bit integer
Observation Domain ID sent in every IPFIX flow record.  Defaults to 0.
.IP "\fBobs_point_id=\fIid\fR"
When sending samples to IPFIX collectors, the unsigned 32-bit integer
Observation Point ID sent in every IPFIX flow record.  Defaults to 0.
.IP "\fBsampling_port=\fIport\fR"
Sample packets on \fIport\fR, which should be the ingress or egress
port.  This option, which was added in Open vSwitch 2.5.90, allows the
IPFIX implementation to export egress tunnel information.
.IP "\fBingress\fR"
.IQ "\fBegress\fR"
Specifies explicitly that the packet is being sampled on ingress to or
egress from the switch.  IPFIX reports sent by Open vSwitch before
version 2.5.90 did not include a direction.  From 2.5.90 until 2.6.90,
IPFIX reports inferred a direction from \fBsampling_port\fR: if it was
the packet's output port, then the direction was reported as egress,
otherwise as ingress.  Open vSwitch 2.6.90 introduced these options,
which allow the inferred direction to be overridden.  This is
particularly useful when the ingress (or egress) port is not a tunnel.
.RE
.IP
Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on
configuring sample collector sets.
.IP
This action was added in Open vSwitch 1.10.90.
.
.IP "\fBexit\fR"
This action causes Open vSwitch to immediately halt execution of
further actions.  Those actions which have already been executed are
unaffected.  Any further actions, including those which may be in
other tables, or different levels of the \fBresubmit\fR call stack,
are ignored.  Actions in the action set is still executed (specify
\fBclear_actions\fR before \fBexit\fR to discard them).
.
.IP "\fBconjunction(\fIid\fB, \fIk\fB/\fIn\fR\fB)\fR"
This action allows for sophisticated ``conjunctive match'' flows.
Refer to \fBCONJUNCTIVE MATCH FIELDS\fR in \fBovs\-fields\fR(7) for details.
.IP
The \fBconjunction\fR action and \fBconj_id\fR field were introduced
in Open vSwitch 2.4.
.
.IP "\fBclone(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR"
Executes each nested \fIaction\fR, saving much of the packet and
pipeline state beforehand and then restoring it afterward.  The state
that is saved and restored includes all flow data and metadata
(including, for example, \fBct_state\fR), the stack accessed by
\fBpush\fR and \fBpop\fR actions, and the OpenFlow action set.
.IP
This action was added in Open vSwitch 2.6.90.
.
.IP "\fBencap(\fR\fIheader\fR[\fB(\fR\fIprop\fR\fB=\fR\fIvalue\fR,\fItlv\fR\fB(\fR\fIclass\fR,\fItype\fR,\fIvalue\fB)\fR,...\fB)\fR]\fB)\fR"
Encapsulates the packet with a new packet header, e.g., ethernet
or nsh.
.
.RS
.IP "\fIheader\fR"
Used to specify encapsulation header type.
.
.IP "\fIprop\fR\fB=\fR\fIvalue\fR"
Used to specify the initial value for the property in the encapsulation header.
.
.IP "\fItlv\fR\fB(\fR\fIclass\fR,\fItype\fR,\fIvalue\fB)\fR"
Used to specify the initial value for the TLV (Type Length Value)
in the encapsulation header.
.RE
.IP
For example, \fBencap(ethernet)\fR will encapsulate the L3 packet with
Ethernet header.
.IP
\fBencap(nsh(md_type=1))\fR will encapsulate the packet with nsh header
and nsh metadata type 1.
.IP
\fBencap(nsh(md_type=2,tlv(0x1000,10,0x12345678)))\fR will encapsulate
the packet with nsh header and nsh metadata type 2, and the nsh TLV with
class 0x1000 and type 10 is set to 0x12345678.
.IP
\fIprop\fR\fB=\fR\fIvalue\fR is just used to set some
necessary fields for encapsulation header initialization. Other fields
in the encapsulation header must be set by \fBset_field\fR action. New
encapsulation header implementation must add new match fields and
corresponding \fBset\fR action in order that \fBset_field\fR action can
change the fields in the encapsulation header on demand.
.IP
\fBencap(nsh(md_type=1)),\fR
\fBset_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1\fR
is an example to encapsulate nsh header and set nsh spi and c1.
.IP
This action was added in Open vSwitch 2.8.
.
.IP "\fBdecap(\fR[\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR]\fB)\fR"
Decapsulates the outer packet header.
.
.RS
.IP "\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR"
It is optional and used to specify the outer header type of the
decapsulated packet. \fInamespace\fR is 0 for Ethernet packet,
1 for L3 packet, \fItype\fR\ is L3 protocol type, e.g.,
0x894f for nsh, 0x0 for Ethernet.
.RE
.IP
By default, \fBdecap()\fR will decapsulate the outer packet header
according to the packet header type, if
\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR
is given, it will decapsulate the given packet header, it will fail
if the actual outer packet header type is not of
\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR.
.IP
This action was added in Open vSwitch 2.8.
.RE
.
.PP
An opaque identifier called a cookie can be used as a handle to identify
a set of flows:
.
.IP \fBcookie=\fIvalue\fR
.
A cookie can be associated with a flow using the \fBadd\-flow\fR,
\fBadd\-flows\fR, and \fBmod\-flows\fR commands.  \fIvalue\fR can be any
64-bit number and need not be unique among flows.  If this field is
omitted, a default cookie value of 0 is used.
.
.IP \fBcookie=\fIvalue\fR\fB/\fImask\fR
.
When using NXM, the cookie can be used as a handle for querying,
modifying, and deleting flows.  \fIvalue\fR and \fImask\fR may be
supplied for the \fBdel\-flows\fR, \fBmod\-flows\fR, \fBdump\-flows\fR, and
\fBdump\-aggregate\fR commands to limit matching cookies.  A 1-bit in
\fImask\fR indicates that the corresponding bit in \fIcookie\fR must
match exactly, and a 0-bit wildcards that bit.  A mask of \-1 may be used
to exactly match a cookie.
.IP
The \fBmod\-flows\fR command can update the cookies of flows that
match a cookie by specifying the \fIcookie\fR field twice (once with a
mask for matching and once without to indicate the new value):
.RS
.IP "\fBovs\-ofctl mod\-flows br0 cookie=1,actions=normal\fR"
Change all flows' cookies to 1 and change their actions to \fBnormal\fR.
.IP "\fBovs\-ofctl mod\-flows br0 cookie=1/\-1,cookie=2,actions=normal\fR"
Update cookies with a value of 1 to 2 and change their actions to
\fBnormal\fR.
.RE
.IP
The ability to match on cookies was added in Open vSwitch 1.5.0.
.
.PP
The following additional field sets the priority for flows added by
the \fBadd\-flow\fR and \fBadd\-flows\fR commands.  For
\fBmod\-flows\fR and \fBdel\-flows\fR when \fB\-\-strict\fR is
specified, priority must match along with the rest of the flow
specification.  For \fBmod-flows\fR without \fB\-\-strict\fR,
priority is only significant if the command creates a new flow, that
is, non-strict \fBmod\-flows\fR does not match on priority and will
not change the priority of existing flows.  Other commands do not
allow priority to be specified.
.
.IP \fBpriority=\fIvalue\fR
The priority at which a wildcarded entry will match in comparison to
others.  \fIvalue\fR is a number between 0 and 65535, inclusive.  A higher 
\fIvalue\fR will match before a lower one.  An exact-match entry will always 
have priority over an entry containing wildcards, so it has an implicit 
priority value of 65535.  When adding a flow, if the field is not specified, 
the flow's priority will default to 32768.
.IP
OpenFlow leaves behavior undefined when two or more flows with the
same priority can match a single packet.  Some users expect
``sensible'' behavior, such as more specific flows taking precedence
over less specific flows, but OpenFlow does not specify this and Open
vSwitch does not implement it.  Users should therefore take care to
use priorities to ensure the behavior that they expect.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
support the following additional options.  These options affect only
new flows.  Thus, for \fBadd\-flow\fR and \fBadd\-flows\fR, these
options are always significant, but for \fBmod\-flows\fR they are
significant only if the command creates a new flow, that is, their
values do not update or affect existing flows.
.
.IP "\fBidle_timeout=\fIseconds\fR"
Causes the flow to expire after the given number of seconds of
inactivity.  A value of 0 (the default) prevents a flow from expiring
due to inactivity.
.
.IP \fBhard_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds,
regardless of activity.  A value of 0 (the default) gives the flow no
hard expiration deadline.
.
.IP "\fBimportance=\fIvalue\fR"
Sets the importance of a flow.  The flow entry eviction mechanism can
use importance as a factor in deciding which flow to evict.  A value
of 0 (the default) makes the flow non-evictable on the basis of
importance.  Specify a value between 0 and 65535.
.IP
Only OpenFlow 1.4 and later support \fBimportance\fR.
.
.IP "\fBsend_flow_rem\fR"
Marks the flow with a flag that causes the switch to generate a ``flow
removed'' message and send it to interested controllers when the flow
later expires or is removed.
.
.IP "\fBcheck_overlap\fR"
Forces the switch to check that the flow match does not overlap that
of any different flow with the same priority in the same table.  (This
check is expensive so it is best to avoid it.)
.
.IP "\fBreset_counts\fR"
When this flag is specified on a flow being added to a switch, and the
switch already has a flow with an identical match, an OpenFlow 1.2 (or
later) switch resets the flow's packet and byte counters to 0.
Without the flag, the packet and byte counters are preserved.
.IP
OpenFlow 1.0 and 1.1 switches always reset counters in this situation,
as if \fBreset_counts\fR were always specified.
.IP
Open vSwitch 1.10 added support for \fBreset_counts\fR.
.
.IP "\fBno_packet_counts\fR"
.IQ "\fBno_byte_counts\fR"
Adding these flags to a flow advises an OpenFlow 1.3 (or later) switch
that the controller does not need packet or byte counters,
respectively, for the flow.  Some switch implementations might achieve
higher performance or reduce resource consumption when these flags are
used.  These flags provide no benefit to the Open vSwitch software
switch implementation.
.IP
OpenFlow 1.2 and earlier do not support these flags.
.IP
Open vSwitch 1.10 added support for \fBno_packet_counts\fR and
\fBno_byte_counts\fR.
.
.PP
The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR 
and \fBdel\-flows\fR commands support these additional optional fields:
.
.TP
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR,
which must be an OpenFlow port number or name (e.g. \fBlocal\fR).
.
.TP
\fBout_group=\fIport\fR
If set, a matching flow must include an \fBgroup\fR action naming
\fIgroup\fR, which must be an OpenFlow group number.  This field
is supported in Open vSwitch 2.5 and later and requires OpenFlow 1.1
or later.
.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information 
about the entries in a datapath's tables.  Each line of output is a 
flow entry as described in \fBFlow Syntax\fR, above, plus some
additional fields:
.
.IP \fBduration=\fIsecs\fR
The time, in seconds, that the entry has been in the table.
\fIsecs\fR includes as much precision as the switch provides, possibly
to nanosecond resolution.
.
.IP \fBn_packets\fR
The number of packets that have matched the entry.
.
.IP \fBn_bytes\fR
The total number of bytes from packets that have matched the entry.
.
.PP
The following additional fields are included only if the switch is
Open vSwitch 1.6 or later and the NXM flow format is used to dump the
flow (see the description of the \fB\-\-flow-format\fR option below).
The values of these additional fields are approximations only and in
particular \fBidle_age\fR will sometimes become nonzero even for busy
flows.
.
.IP \fBhard_age=\fIsecs\fR
The integer number of seconds since the flow was added or modified.
\fBhard_age\fR is displayed only if it differs from the integer part
of \fBduration\fR.  (This is separate from \fBduration\fR because
\fBmod\-flows\fR restarts the \fBhard_timeout\fR timer without zeroing
\fBduration\fR.)
.
.IP \fBidle_age=\fIsecs\fR
The integer number of seconds that have passed without any packets
passing through the flow.
.
.SS "Packet\-Out Syntax"
.PP
\fBovs\-ofctl bundle\fR command accepts packet-outs to be specified in
the bundle file.  Each packet-out comprises of a series of
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a packet-out description normally
requires quoting to prevent the shell from breaking the description
into multiple arguments.).  Unless noted otherwise only the last
instance of each field is honoured.  This same syntax is also
supported by the \fBovs\-ofctl packet-out\fR command.
.PP
.IP \fBin_port=\fIport\fR
The port number to be considered the in_port when processing actions.
This can be any valid OpenFlow port number, or any of the \fBLOCAL\fR,
\fBCONTROLLER\fR, or \fBNONE\fR.
.
This field is required.

.IP \fIpipeline_field\fR=\fIvalue\fR
Optionally, user can specify a list of pipeline fields for a packet-out
message. The supported pipeline fields includes \fBtunnel fields\fR and
\fBregister fields\fR as defined in \fBovs\-fields\fR(7).

.IP \fBpacket=\fIhex-string\fR
The actual packet to send, expressed as a string of hexadecimal bytes.
.
This field is required.

.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
The syntax of actions are identical to the \fBactions=\fR field
described in \fBFlow Syntax\fR above.  Specifying \fBactions=\fR is
optional, but omitting actions is interpreted as a drop, so the packet
will not be sent anywhere from the switch.
.
\fBactions\fR must be specified at the end of each line, like for flow mods.
.RE
.
.SS "Group Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a group or
groups.  Such flow descriptions comprise a series
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a group description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.). Unless noted otherwise only the last instance
of each field is honoured.
.PP
.IP \fBgroup_id=\fIid\fR
The integer group id of group.
When this field is specified in \fBdel\-groups\fR or \fBdump\-groups\fR,
the keyword "all" may be used to designate all groups.
.
This field is required.


.IP \fBtype=\fItype\fR
The type of the group.  The \fBadd-group\fR, \fBadd-groups\fR and
\fBmod-groups\fR commands require this field.  It is prohibited for
other commands. The following keywords designated the allowed types:
.RS
.IP \fBall\fR
Execute all buckets in the group.
.IP \fBselect\fR
Execute one bucket in the group, balancing across the buckets
according to their weights.  To select a bucket, for each live bucket,
Open vSwitch hashes flow data with the bucket ID and multiplies by the
bucket weight to obtain a ``score,'' and then selects the bucket with
the highest score.  Use \fBselection_method\fR to control the flow
data used for selection.
.IP \fBindirect\fR
Executes the one bucket in the group.
.IP \fBff\fR
.IQ \fBfast_failover\fR
Executes the first live bucket in the group which is associated with
a live port or group.
.RE

.IP \fBcommand_bucket_id=\fIid\fR
The bucket to operate on.  The \fBinsert-buckets\fR and \fBremove-buckets\fR
commands require this field.  It is prohibited for other commands.
\fIid\fR may be an integer or one of the following keywords:
.RS
.IP \fBall\fR
Operate on all buckets in the group.
Only valid when used with the \fBremove-buckets\fR command in which
case the effect is to remove all buckets from the group.
.IP \fBfirst\fR
Operate on the first bucket present in the group.
In the case of the \fBinsert-buckets\fR command the effect is to
insert new bucets just before the first bucket already present in the group;
or to replace the buckets of the group if there are no buckets already present
in the group.
In the case of the \fBremove-buckets\fR command the effect is to
remove the first bucket of the group; or do nothing if there are no
buckets present in the group.
.IP \fBlast\fR
Operate on the last bucket present in the group.
In the case of the \fBinsert-buckets\fR command the effect is to
insert new bucets just after the last bucket already present in the group;
or to replace the buckets of the group if there are no buckets already present
in the group.
In the case of the \fBremove-buckets\fR command the effect is to
remove the last bucket of the group; or do nothing if there are no
buckets present in the group.
.RE
.IP
If \fIid\fR is an integer then it should correspond to the \fBbucket_id\fR
of a bucket present in the group.
In case of the \fBinsert-buckets\fR command the effect is to
insert buckets just before the bucket in the group whose \fBbucket_id\fR is
\fIid\fR.
In case of the \fBiremove-buckets\fR command the effect is to
remove the in the group whose \fBbucket_id\fR is \fIid\fR.
It is an error if there is no bucket persent group in whose \fBbucket_id\fR is
\fIid\fR.

.IP \fBselection_method\fR=\fImethod\fR
The selection method used to select a bucket for a select group.
This is a string of 1 to 15 bytes in length known to lower layers.
This field is optional for \fBadd\-group\fR, \fBadd\-groups\fR and
\fBmod\-group\fR commands on groups of type \fBselect\fR. Prohibited
otherwise.  If no selection method is specified, Open vSwitch up to
release 2.9 applies the \fBhash\fR method with default fields. From
2.10 onwards Open vSwitch defaults to the \fBdp_hash\fR method with symmetric
L3/L4 hash algorithm, unless the weighted group buckets cannot be mapped to
a maximum of 64 dp_hash values with sufficient accuracy.
In those rare cases Open vSwitch 2.10 and later fall back to the \fBhash\fR
method with the default set of hash fields.
.RS
.IP \fBdp_hash\fR
Use a datapath computed hash value.  The hash algorithm varies accross
different datapath implementations.  \fBdp_hash\fR uses the upper 32
bits of the \fBselection_method_param\fR as the datapath hash
algorithm selector.  The supported values are \fB0\fR (corresponding to
hash computation over the IP 5-tuple) and \fB1\fR (corresponding to a
\fIsymmetric\fR hash computation over the IP 5-tuple).  Selecting specific
fields with the \fBfields\fR option is not supported with \fBdp_hash\fR).
The lower 32 bits are used as the hash basis.
.IP
Using \fBdp_hash\fR has the advantage that it does not require the
generated datapath flows to exact match any additional packet header
fields.  For example, even if multiple TCP connections thus hashed to
different select group buckets have different source port numbers,
generally all of them would be handled with a small set of already
established datapath flows, resulting in less latency for TCP SYN
packets.  The downside is that the shared datapath flows must match
each packet twice, as the datapath hash value calculation happens only
when needed, and a second match is required to match some bits of its
value.  This double-matching incurs a small additional latency cost
for each packet, but this latency is orders of magnitude less than the
latency of creating new datapath flows for new TCP connections.
.IP \fBhash\fR
Use a hash computed over the fields specified with the \fBfields\fR
option, see below.  If no hash fields are specified, \fBhash\fR defaults
to a symmetric hash over the combination of MAC addresses, VLAN tags,
Ether type, IP addresses and L4 port numbers.  \fBhash\fR uses the
\fBselection_method_param\fR as the hash basis.
.IP
Note that the hashed fields become exact matched by the datapath
flows.  For example, if the TCP source port is hashed, the created
datapath flows will match the specific TCP source port value present
in the packet received.  Since each TCP connection generally has a
different source port value, a separate datapath flow will be need to
be inserted for each TCP connection thus hashed to a select group
bucket.
.RE
.IP
This option uses a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBselection_method_param\fR=\fIparam\fR
64-bit integer parameter to the selection method selected by the
\fBselection_method\fR field.  The parameter's use is defined by the
lower-layer that implements the \fBselection_method\fR.  It is optional if
the \fBselection_method\fR field is specified as a non-empty string.
Prohibited otherwise. The default value is zero.
.IP
This option uses a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBfields\fR=\fIfield\fR
.IQ \fBfields(\fIfield\fR[\fB=\fImask\fR]\fR...\fB)\fR
The field parameters to selection method selected by the
\fBselection_method\fR field.  The syntax is described in \fBFlow
Syntax\fR with the additional restrictions that if a value is provided
it is treated as a wildcard mask and wildcard masks following a slash
are prohibited. The pre-requisites of fields must be provided by any
flows that output to the group.  The use of the fields is defined by
the lower-layer that implements the \fBselection_method\fR.  They are
optional if the \fBselection_method\fR field is specified as ``hash',
prohibited otherwise.  The default is no fields.
.IP
This option will use a Netronome OpenFlow extension which is only supported
when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.

.IP \fBbucket\fR=\fIbucket_parameters\fR
The \fBadd-group\fR, \fBadd-groups\fR and \fBmod-group\fR commands
require at least one bucket field. Bucket fields must appear after
all other fields.
.
Multiple bucket fields to specify multiple buckets.
The order in which buckets are specified corresponds to their order in
the group. If the type of the group is "indirect" then only one group may
be specified.
.
\fIbucket_parameters\fR consists of a list of \fIfield\fB=\fIvalue\fR
assignments, separated by commas or white space followed by a
comma-separated list of actions.
The fields for \fIbucket_parameters\fR are:
.
.RS
.IP \fBbucket_id=\fIid\fR
The 32-bit integer group id of the bucket.  Values greater than
0xffffff00 are reserved.
.
This field was added in Open vSwitch 2.4 to conform with the OpenFlow
1.5 specification. It is not supported when earlier versions
of OpenFlow are used.  Open vSwitch will automatically allocate bucket
ids when they are not specified.
.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
The syntax of actions are identical to the \fBactions=\fR field described in
\fBFlow Syntax\fR above. Specifying \fBactions=\fR is optional, any unknown
bucket parameter will be interpreted as an action.
.IP \fBweight=\fIvalue\fR
The relative weight of the bucket as an integer. This may be used by the switch
during bucket select for groups whose \fBtype\fR is \fBselect\fR.
.IP \fBwatch_port=\fIport\fR
Port used to determine liveness of group.
This or the \fBwatch_group\fR field is required
for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR.
.IP \fBwatch_group=\fIgroup_id\fR
Group identifier of group used to determine liveness of group.
This or the \fBwatch_port\fR field is required
for groups whose \fBtype\fR is \fBff\fR or \fBfast_failover\fR.
.RE
.
.SS "Meter Syntax"
.PP
The meter table commands accept an argument that describes a meter.
Such meter descriptions comprise a series \fIfield\fB=\fIvalue\fR
assignments, separated by commas or white space.
(Embedding spaces into a group description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.). Unless noted otherwise only the last instance
of each field is honoured.
.PP
.IP \fBmeter=\fIid\fR
The identifier for the meter.  An integer is used to specify a
user-defined meter.  In addition, the keywords "all", "controller", and
"slowpath", are also supported as virtual meters.  The "controller" and
"slowpath" virtual meters apply to packets sent to the controller and to
the OVS userspace, respectively.
.IP
When this field is specified in \fBdel-meter\fR, \fBdump-meter\fR, or
\fBmeter-stats\fR, the keyword "all" may be used to designate all
meters.  This field is required, except for \fBmeter-stats\fR, which
dumps all stats when this field is not specified.
.IP \fBkbps\fR
.IQ \fBpktps\fR
The unit for the \fBrate\fR and \fBburst_size\fR band parameters.
\fBkbps\fR specifies kilobits per second, and \fBpktps\fR specifies
packets per second.  A unit is required for the \fBadd-meter\fR and
\fBmod-meter\fR commands.

.IP \fBburst\fR
If set, enables burst support for meter bands through the \fBburst_size\fR
parameter.

.IP \fBstats\fR
If set, enables the collection of meter and band statistics.

.IP \fBbands\fR=\fIband_parameters\fR
The \fBadd-meter\fR and \fBmod-meter\fR commands require at least one
band specification. Bands must appear after all other fields.
.RS
.IP \fBtype=\fItype\fR
The type of the meter band.  This keyword starts a new band specification.
Each band specifies a rate above which the band is to take some action. The
action depends on the band type.  If multiple bands' rate is exceeded, then
the band with the highest rate among the exceeded bands is selected.
The following keywords designate the allowed
meter band types:
.RS
.IP \fBdrop\fR
Drop packets exceeding the band's rate limit.
.RE
.
.IP "The other \fIband_parameters\fR are:"
.IP \fBrate=\fIvalue\fR
The relative rate limit for this band, in kilobits per second or packets per
second, depending on whether \fBkbps\fR or \fBpktps\fR was specified.
.IP \fBburst_size=\fIsize\fR
If \fBburst\fR is specified for the meter entry, configures the maximum
burst allowed for the band in kilobits or packets, depending on whether
\fBkbps\fR or \fBpktps\fR was specified.  If unspecified, the switch is
free to select some reasonable value depending on its configuration.
.RE
.
.SH OPTIONS
.TP
\fB\-\-strict\fR
Uses strict matching when running flow modification commands.
.
.IP "\fB\-\-names\fR"
.IQ "\fB\-\-no\-names\fR"
Every OpenFlow port has a name and a number, and every OpenFlow flow
table has a number and sometimes a name.  By default, \fBovs\-ofctl\fR
commands accept both port and table names and numbers, and they
display port and table names if \fBovs\-ofctl\fR is running on an
interactive console, numbers otherwise.  With \fB\-\-names\fR,
\fBovs\-ofctl\fR commands both accept and display port and table
names; with \fB\-\-no\-names\fR, commands neither accept nor display
port and table names.
.IP
If a port or table name contains special characters or might be
confused with a keyword within a flow, it may be enclosed in double
quotes (escaped from the shell).  If necessary, JSON-style escape
sequences may be used inside quotes, as specified in RFC 7159.  When
it displays port and table names, \fBovs\-ofctl\fR quotes any name
that does not start with a letter followed by letters or digits.
.IP
Open vSwitch added support for port names and these options.  Open
vSwitch 2.10 added support for table names.  Earlier versions always
behaved as if \fB\-\-no\-names\fR were specified.
.IP
Open vSwitch does not place its own limit on the length of port names,
but OpenFlow 1.0 to 1.5 limit port names to 15 bytes and OpenFlow 1.6
limits them to 63 bytes.  Because \fRovs\-ofctl\fR uses OpenFlow to
retrieve the mapping between port names and numbers, names longer than
this limit will be truncated for both display and acceptance.
Truncation can also cause long names that are different to appear to
be the same; when a switch has two ports with the same (truncated)
name, \fBovs\-ofctl\fR refuses to display or accept the name, using
the number instead.
.IP
OpenFlow and Open vSwitch limit table names to 32 bytes.
.
.IP "\fB\-\-stats\fR"
.IQ "\fB\-\-no\-stats\fR"
The \fBdump\-flows\fR command by default, or with \fB\-\-stats\fR,
includes flow duration, packet and byte counts, and idle and hard age
in its output.  With \fB\-\-no\-stats\fR, it omits all of these, as
well as cookie values and table IDs if they are zero.
.
.IP "\fB\-\-read-only\fR"
Do not execute read/write commands.
.
.IP "\fB\-\-bundle\fR"
Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
.RS
.IP \(bu
Within a bundle, all flow mods are processed in the order they appear
and as a single atomic transaction, meaning that if one of them fails,
the whole transaction fails and none of the changes are made to the
\fIswitch\fR's flow table, and that each given datapath packet
traversing the OpenFlow tables sees the flow tables either as before
the transaction, or after all the flow mods in the bundle have been
successfully applied.
.IP \(bu
The beginning and the end of the flow table modification commands in a
bundle are delimited with OpenFlow 1.4 bundle control messages, which
makes it possible to stream the included commands without explicit
OpenFlow barriers, which are otherwise used after each flow table
modification command.  This may make large modifications execute
faster as a bundle.
.IP \(bu
Bundles require OpenFlow 1.4 or higher.  An explicit \fB-O
OpenFlow14\fR option is not needed, but you may need to enable
OpenFlow 1.4 support for OVS by setting the OVSDB \fIprotocols\fR
column in the \fIbridge\fR table.
.RE
.
.so lib/ofp-version.man
.
.IP "\fB\-F \fIformat\fR[\fB,\fIformat\fR...]"
.IQ "\fB\-\-flow\-format=\fIformat\fR[\fB,\fIformat\fR...]"
\fBovs\-ofctl\fR supports the following individual flow formats, any
number of which may be listed as \fIformat\fR:
.RS
.IP "\fBOpenFlow10\-table_id\fR"
This is the standard OpenFlow 1.0 flow format.  All OpenFlow switches
and all versions of Open vSwitch support this flow format.
.
.IP "\fBOpenFlow10+table_id\fR"
This is the standard OpenFlow 1.0 flow format plus a Nicira extension
that allows \fBovs\-ofctl\fR to specify the flow table in which a
particular flow should be placed.  Open vSwitch 1.2 and later supports
this flow format.
.
.IP "\fBNXM\-table_id\fR (Nicira Extended Match)"
This Nicira extension to OpenFlow is flexible and extensible.  It
supports all of the Nicira flow extensions, such as \fBtun_id\fR and
registers.  Open vSwitch 1.1 and later supports this flow format.
.
.IP "\fBNXM+table_id\fR (Nicira Extended Match)"
This combines Nicira Extended match with the ability to place a flow
in a specific table.  Open vSwitch 1.2 and later supports this flow
format.
.
.IP "\fBOXM-OpenFlow12\fR"
.IQ "\fBOXM-OpenFlow13\fR"
.IQ "\fBOXM-OpenFlow14\fR"
.IQ "\fBOXM-OpenFlow15\fR"
.IQ "\fBOXM-OpenFlow16\fR"
These are the standard OXM (OpenFlow Extensible Match) flow format in
OpenFlow 1.2 and later.
.RE
.
.IP
\fBovs\-ofctl\fR also supports the following abbreviations for
collections of flow formats:
.RS
.IP "\fBany\fR"
Any supported flow format.
.IP "\fBOpenFlow10\fR"
\fBOpenFlow10\-table_id\fR or \fBOpenFlow10+table_id\fR.
.IP "\fBNXM\fR"
\fBNXM\-table_id\fR or \fBNXM+table_id\fR.
.IP "\fBOXM\fR"
\fBOXM-OpenFlow12\fR, \fBOXM-OpenFlow13\fR, or \fBOXM-OpenFlow14\fR.
.RE
.
.IP
For commands that modify the flow table, \fBovs\-ofctl\fR by default
negotiates the most widely supported flow format that supports the
flows being added.  For commands that query the flow table,
\fBovs\-ofctl\fR by default uses the most advanced format supported by
the switch.
.IP
This option, where \fIformat\fR is a comma-separated list of one or
more of the formats listed above, limits \fBovs\-ofctl\fR's choice of
flow format.  If a command cannot work as requested using one of the
specified flow formats, \fBovs\-ofctl\fR will report a fatal error.
.
.IP "\fB\-P \fIformat\fR"
.IQ "\fB\-\-packet\-in\-format=\fIformat\fR"
\fBovs\-ofctl\fR supports the following ``packet-in'' formats, in order of
increasing capability:
.RS
.IP "\fBstandard\fR"
This uses the \fBOFPT_PACKET_IN\fR message, the standard ``packet-in''
message for any given OpenFlow version.  Every OpenFlow switch that
supports a given OpenFlow version supports this format.
.
.IP "\fBnxt_packet_in\fR"
This uses the \fBNXT_PACKET_IN\fR message, which adds many of the
capabilities of the OpenFlow 1.1 and later ``packet-in'' messages
before those OpenFlow versions were available in Open vSwitch.  Open
vSwitch 1.1 and later support this format.  Only Open vSwitch 2.6 and
later, however, support it for OpenFlow 1.1 and later (but there is
little reason to use it with those versions of OpenFlow).
.
.IP "\fBnxt_packet_in2\fR"
This uses the \fBNXT_PACKET_IN2\fR message, which is extensible and
should avoid the need to define new formats later.  In particular,
this format supports passing arbitrary user-provided data to a
controller using the \fBuserdata\fB option on the \fBcontroller\fR
action.  Open vSwitch 2.6 and later support this format.
.
.RE
.IP
Without this option, \fBovs\-ofctl\fR prefers \fBnxt_packet_in2\fR if
the switch supports it.  Otherwise, if OpenFlow 1.0 is in use,
\fBovs\-ofctl\fR prefers \fBnxt_packet_in\fR if the switch supports
it.  Otherwise, \fBovs\-ofctl\fR falls back to the \fBstandard\fR
packet-in format.  When this option is specified, \fBovs\-ofctl\fR
insists on the selected format.  If the switch does not support the
requested format, \fBovs\-ofctl\fR will report a fatal error.
.IP
Before version 2.6, Open vSwitch called \fBstandard\fR format
\fBopenflow10\fR and \fBnxt_packet_in\fR format \fBnxm\fR, and
\fBovs\-ofctl\fR still accepts these names as synonyms.  (The name
\fBopenflow10\fR was a misnomer because this format actually varies
from one OpenFlow version to another; it is not consistently OpenFlow
1.0 format.  Similarly, when \fBnxt_packet_in2\fR was introduced, the
name \fBnxm\fR became confusing because it also uses OXM/NXM.)
.
.IP
This option affects only the \fBmonitor\fR command.
.
.IP "\fB\-\-timestamp\fR"
Print a timestamp before each received packet.  This option only
affects the \fBmonitor\fR, \fBsnoop\fR, and \fBofp\-parse\-pcap\fR
commands.
.
.IP "\fB\-m\fR"
.IQ "\fB\-\-more\fR"
Increases the verbosity of OpenFlow messages printed and logged by
\fBovs\-ofctl\fR commands.  Specify this option more than once to
increase verbosity further.
.
.IP \fB\-\-sort\fR[\fB=\fIfield\fR]
.IQ \fB\-\-rsort\fR[\fB=\fIfield\fR]
Display output sorted by flow \fIfield\fR in ascending
(\fB\-\-sort\fR) or descending (\fB\-\-rsort\fR) order, where
\fIfield\fR is any of the fields that are allowed for matching or
\fBpriority\fR to sort by priority.  When \fIfield\fR is omitted, the
output is sorted by priority.  Specify these options multiple times to
sort by multiple fields.
.IP
Any given flow will not necessarily specify a value for a given
field.  This requires special treatement:
.RS
.IP \(bu
A flow that does not specify any part of a field that is used for sorting is
sorted after all the flows that do specify the field.  For example,
\fB\-\-sort=tcp_src\fR will sort all the flows that specify a TCP
source port in ascending order, followed by the flows that do not
specify a TCP source port at all.
.IP \(bu
A flow that only specifies some bits in a field is sorted as if the
wildcarded bits were zero.  For example, \fB\-\-sort=nw_src\fR would
sort a flow that specifies \fBnw_src=192.168.0.0/24\fR the same as
\fBnw_src=192.168.0.0\fR.
.RE
.IP
These options currently affect only \fBdump\-flows\fR output.
.
.SS "Daemon Options"
.ds DD \
\fBovs\-ofctl\fR detaches only when executing the \fBmonitor\fR or \
\fBsnoop\fR commands.
.so lib/daemon.man
.so lib/unixctl.man
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/vlog.man
.so lib/colors.man
.so lib/common.man
.
.SH "RUNTIME MANAGEMENT COMMANDS"
\fBovs\-appctl\fR(8) can send commands to a running \fBovs\-ofctl\fR
process.  The supported commands are listed below.
.
.IP "\fBexit\fR"
Causes \fBovs\-ofctl\fR to gracefully terminate.  This command applies
only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
.
.IP "\fBofctl/set\-output\-file \fIfile\fR"
Causes all subsequent output to go to \fIfile\fR instead of stderr.
This command applies only when executing the \fBmonitor\fR or
\fBsnoop\fR commands.
.
.IP "\fBofctl/send \fIofmsg\fR..."
Sends each \fIofmsg\fR, specified as a sequence of hex digits that
express an OpenFlow message, on the OpenFlow connection.  This command
is useful only when executing the \fBmonitor\fR command.
.
.IP "\fBofctl/packet\-out \fIpacket-out\fR"
Sends an OpenFlow PACKET_OUT message specified in \fBPacket\-Out
Syntax\fR, on the OpenFlow connection.  See \fBPacket\-Out Syntax\fR
section for more information.  This command is useful only when
executing the \fBmonitor\fR command.
.
.IP "\fBofctl/barrier\fR"
Sends an OpenFlow barrier request on the OpenFlow connection and waits
for a reply.  This command is useful only for the \fBmonitor\fR
command.
.
.SH EXAMPLES
.
The following examples assume that \fBovs\-vswitchd\fR has a bridge
named \fBbr0\fR configured.
.
.TP
\fBovs\-ofctl dump\-tables br0\fR
Prints out the switch's table stats.  (This is more interesting after
some traffic has passed through.)
.
.TP
\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
.TP
\fBovs\-ofctl add\-flow table=0 actions=learn(table=1,hard_timeout=10, NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]), resubmit(,1)\fR
\fBovs\-ofctl add\-flow  table=1 priority=0 actions=flood\fR
Implements a level 2 MAC learning switch using the learn.
.
.TP
\fBovs\-ofctl add\-flow br0 'table=0,priority=0 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_timeout=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],output:NXM_NX_REG0[0..15]),output:2\fR
In this use of a learn action, the first packet from each source MAC
will be sent to port 2. Subsequent packets will be output to port 3,
with an idle timeout of 10 seconds.  NXM field names and match field
names are both accepted, e.g. \fBNXM_NX_REG0\fR or \fBreg0\fR for the
first register, and empty brackets may be omitted.
.IP
Additional examples may be found documented as part of related sections.
.
.SH "SEE ALSO"
.
.BR ovs\-fields (7),
.BR ovs\-appctl (8),
.BR ovs\-vswitchd (8),
.BR ovs\-vswitchd.conf.db (8)