Properly print drop_spoofed_arp actions when decoding OpenFlow and ODP.

[mirror_ovs.git] / utilities / ovs-ofctl.8.in

.\" -*- nroff -*-
.de IQ
.  br
.  ns
.  IP "\\$1"
..
.TH ovs\-ofctl 8 "January 2010" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-ofctl
.
.SH NAME
ovs\-ofctl \- administer OpenFlow switches
.
.SH SYNOPSIS
.B ovs\-ofctl
[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR\&...]
.
.SH DESCRIPTION
The
.B ovs\-ofctl
program is a command line tool for monitoring and administering
OpenFlow switches.  It can also show the current state of an OpenFlow
switch, including features, configuration, and table entries.
.
.SS "OpenFlow Switch Management Commands"
.PP
These commands allow \fBovs\-ofctl\fR to monitor and administer an OpenFlow
switch.  It is able to show the current state of a switch, including
features, configuration, and table entries.
.PP
Most of these commands take an argument that specifies the method for
connecting to an OpenFlow switch.  The following connection methods
are supported:
.
.RS
.so lib/vconn-active.man
.
.IP "\fIfile\fR"
This is short for \fBunix:\fIfile\fR, as long as \fIfile\fR does not
contain a colon.
.
.IP \fIbridge\fR
This is short for \fBunix:@RUNDIR@/\fIbridge\fB.mgmt\fR, as long as
\fIbridge\fR does not contain a colon.
.
.IP [\fItype\fB@\fR]\fIdp\fR
Attempts to look up the bridge associated with \fIdp\fR and open as
above.  If \fItype\fR is given, it specifies the datapath provider of
\fIdp\fR, otherwise the default provider \fBsystem\fR is assumed.
.RE
.
.TP
\fBshow \fIswitch\fR
Prints to the console information on \fIswitch\fR, including
information on its flow tables and ports.
.
.TP
\fBstatus \fIswitch\fR [\fIkey\fR]
Prints to the console a series of key-value pairs that report the
status of \fIswitch\fR.  If \fIkey\fR is specified, only the key-value
pairs whose key names begin with \fIkey\fR are printed.  If \fIkey\fR is
omitted, all key-value pairs are printed.
.
.TP
\fBdump\-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.
.
.TP
\fBdump\-ports \fIswitch\fR [\fInetdev\fR]
Prints to the console statistics for network devices associated with 
\fIswitch\fR.  If \fInetdev\fR is specified, only the statistics
associated with that device will be printed.  \fInetdev\fR can be an
OpenFlow assigned port number or device name, e.g. \fBeth0\fR.
.
.TP
\fBmod\-port \fIswitch\fR \fInetdev\fR \fIaction\fR
Modify characteristics of an interface monitored by \fIswitch\fR.  
\fInetdev\fR can be referred to by its OpenFlow assigned port number or 
the device name, e.g. \fBeth0\fR.  The \fIaction\fR may be any one of the
following:
.
.RS
.IP \fBup\fR
Enables the interface.  This is equivalent to ``ifconfig up'' on a Unix
system.
.
.IP \fBdown\fR
Disables the interface.  This is equivalent to ``ifconfig down'' on a Unix
system.
.
.IP \fBflood\fR
When a \fIflood\fR action is specified, traffic will be sent out this
interface.  This is the default posture for monitored ports.
.
.IP \fBnoflood\fR
When a \fIflood\fR action is specified, traffic will not be sent out 
this interface.  This is primarily useful to prevent loops when a
spanning tree protocol is not in use.
.
.RE
.
.TP
\fBdump\-flows \fIswitch \fR[\fIflows\fR]
Prints to the console all flow entries in \fIswitch\fR's
tables that match \fIflows\fR.  If \fIflows\fR is omitted, all flows
in the switch are retrieved.  See \fBFlow Syntax\fR, below, for the
syntax of \fIflows\fR.  The output format is described in 
\fBTable Entry Output\fR.
.
.TP
\fBdump\-aggregate \fIswitch \fR[\fIflows\fR]
Prints to the console aggregate statistics for flows in 
\fIswitch\fR's tables that match \fIflows\fR.  If \fIflows\fR is omitted, 
the statistics are aggregated across all flows in the switch's flow
tables.  See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
The output format is descrbed in \fBTable Entry Output\fR.
.
.TP
\fBadd\-flow \fIswitch flow\fR
Add the flow entry as described by \fIflow\fR to the \fIswitch\fR's 
tables.  The flow entry is in the format described in \fBFlow Syntax\fR, 
below.
.
.TP
\fBadd\-flows \fIswitch file\fR
Add flow entries as described in \fIfile\fR to \fIswitch\fR's 
tables.  Each line in \fIfile\fR is a flow entry in the format
described in \fBFlow Syntax\fR, below.
.
.TP
\fBmod\-flows \fIswitch flow\fR
Modify the actions in entries from the \fIswitch\fR's tables 
that match \fIflow\fR.  When invoked with the \fB\-\-strict\fR option,
wildcards are not treated as active for matching purposes.  See 
\fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
.
.TP
\fBdel\-flows \fIswitch \fR[\fIflow\fR]
Deletes entries from the \fIswitch\fR's tables that match
\fIflow\fR.  When invoked with the \fB\-\-strict\fR option, wildcards are 
not treated as active for matching purposes.  If \fIflow\fR is 
omitted and the \fB\-\-strict\fR option is not used, all flows in the 
switch's tables are removed.  See \fBFlow Syntax\fR, below, for the 
syntax of \fIflows\fR.
.
.IP "\fBsnoop \fIswitch\fR"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Unlike other \fBovs\-ofctl\fR commands, if
\fIswitch\fR is the name of a bridge, then the \fBsnoop\fR command
connects to a Unix domain socket named
\fB@RUNDIR@/\fIbridge\fB.snoop\fR.  \fBovs\-vswitchd\fR listens on
such a socket for each bridge and sends to it all of the OpenFlow
messages sent to or received from its configured OpenFlow controller.
Thus, this command can be used to view OpenFlow protocol activity
between a switch and its controller.
.IP
When a switch has more than one controller configured, only the
traffic to and from a single controller is output.  If none of the
controllers is configured as a master or a slave (using a Nicira
extension to OpenFlow), then a controller is chosen arbitrarily among
them.  If there is a master controller, it is chosen; otherwise, if
there are any controllers that are not masters or slaves, one is
chosen arbitrarily; otherwise, a slave controller is chosen
arbitrarily.  This choice is made once at connection time and does not
change as controllers reconfigure their roles.
.IP
If a switch has no controller configured, or if
the configured controller is disconnected, no traffic is sent, so
monitoring will not show any traffic.
.
.IQ "\fBmonitor \fIswitch\fR [\fImiss-len\fR]"
Connects to \fIswitch\fR and prints to the console all OpenFlow
messages received.  Usually, \fIswitch\fR should specify a connection
named on \fBovs\-openflowd\fR(8)'s \fB\-l\fR or \fB\-\-listen\fR command line
option.
.IP
If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
\fImiss-len\fR bytes of each packet that misses the flow table.  Open vSwitch
does not send these and other asynchronous messages to an
\fBovs\-ofctl monitor\fR client connection unless a nonzero value is
specified on this argument.  (Thus, if \fImiss\-len\fR is not
specified, very little traffic will ordinarily be printed.)
.IP
This command may be useful for debugging switch or controller
implementations.
.
.SS "OpenFlow Switch and Controller Commands"
.
The following commands, like those in the previous section, may be
applied to OpenFlow switches, using any of the connection methods
described in that section.  Unlike those commands, these may also be
applied to OpenFlow controllers.
.
.TP
\fBprobe \fItarget\fR
Sends a single OpenFlow echo-request message to \fItarget\fR and waits
for the response.  With the \fB\-t\fR or \fB\-\-timeout\fR option, this
command can test whether an OpenFlow switch or controller is up and
running.
.
.TP
\fBping \fItarget \fR[\fIn\fR]
Sends a series of 10 echo request packets to \fItarget\fR and times
each reply.  The echo request packets consist of an OpenFlow header
plus \fIn\fR bytes (default: 64) of randomly generated payload.  This
measures the latency of individual requests.
.
.TP
\fBbenchmark \fItarget n count\fR
Sends \fIcount\fR echo request packets that each consist of an
OpenFlow header plus \fIn\fR bytes of payload and waits for each
response.  Reports the total time required.  This is a measure of the
maximum bandwidth to \fItarget\fR for round-trips of \fIn\fR-byte
messages.
.
.SS "Flow Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
flows.  Such flow descriptions comprise a series
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space.  (Embedding spaces into a flow description normally requires
quoting to prevent the shell from breaking the description into
multiple arguments.)
.PP
Flow descriptions should be in \fBnormal form\fR.  This means that a
flow may only specify a value for an L3 field if it also specifies a
particular L2 protocol, and that a flow may only specify an L4 field
if it also specifies particular L2 and L3 protocol types.  For
example, if the L2 protocol type \fBdl_type\fR is wildcarded, then L3
fields \fBnw_src\fR, \fBnw_dst\fR, and \fBnw_proto\fR must also be
wildcarded.  Similarly, if \fBdl_type\fR or \fBnw_proto\fR (the L3
protocol type) is wildcarded, so must be \fBtp_dst\fR and
\fBtp_src\fR, which are L4 fields.  \fBovs\-ofctl\fR will warn about
flows not in normal form.
.PP
The following field assignments describe how a flow matches a packet.
If any of these assignments is omitted from the flow syntax, the field
is treated as a wildcard; thus, if all of them are omitted, the
resulting flow matches all packets.  The string \fB*\fR or \fBANY\fR
may be specified to explicitly mark any of these fields as a wildcard.  
(\fB*\fR should be quoted to protect it from shell expansion.)
.
.IP \fBin_port=\fIport_no\fR
Matches physical port \fIport_no\fR.  Switch ports are numbered as
displayed by \fBovs\-ofctl show\fR.
.
.IP \fBdl_vlan=\fIvlan\fR
Matches IEEE 802.1q Virtual LAN tag \fIvlan\fR.  Specify \fB0xffff\fR
as \fIvlan\fR to match packets that are not tagged with a Virtual LAN;
otherwise, specify a number between 0 and 4095, inclusive, as the
12-bit VLAN ID to match.
.
.IP \fBdl_vlan_pcp=\fIpriority\fR
Matches IEEE 802.1q Priority Code Point (PCP) \fIpriority\fR, which is
specified as a value between 0 and 7, inclusive.  A higher value
indicates a higher frame priority level.
.
.IP \fBdl_src=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
.IQ \fBdl_dst=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
Matches an Ethernet source (or destination) address specified as 6
pairs of hexadecimal digits delimited by colons
(e.g. \fB00:0A:E4:25:6B:B0\fR).
.
.IP \fBdl_type=\fIethertype\fR
Matches Ethernet protocol type \fIethertype\fR, which is specified as an
integer between 0 and 65535, inclusive, either in decimal or as a 
hexadecimal number prefixed by \fB0x\fR (e.g. \fB0x0806\fR to match ARP 
packets).
.
.IP \fBnw_src=\fIip\fR[\fB/\fInetmask\fR]
.IQ \fBnw_dst=\fIip\fR[\fB/\fInetmask\fR]
When \fBdl_type\fR is 0x0800 (possibly via shorthand, e.g. \fBip\fR
or \fBtcp\fR), matches IPv4 source (or destination) address \fIip\fR,
which may be specified as an IP address or host name
(e.g. \fB192.168.1.1\fR or \fBwww.example.com\fR).  The optional
\fInetmask\fR allows restricting a match to an IPv4 address prefix.
The netmask may be specified as a dotted quad
(e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block
(e.g. \fB192.168.1.0/24\fR).
.IP
When \fBdl_type=0x0806\fR or \fBarp\fR is specified, matches the
\fBar_spa\fR or \fBar_tpa\fR field, respectively, in ARP packets for
IPv4 and Ethernet.
.IP
When \fBdl_type\fR is wildcarded or set to a value other than 0x0800
or 0x0806, the values of \fBnw_src\fR and \fBnw_dst\fR are ignored
(see \fBFlow Syntax\fR above).
.
.IP \fBnw_proto=\fIproto\fR
When \fBip\fR or \fBdl_type=0x0800\fR is specified, matches IP
protocol type \fIproto\fR, which is specified as a decimal number
between 0 and 255, inclusive (e.g. 6 to match TCP packets).
.IP
When \fBarp\fR or \fBdl_type=0x0806\fR is specified, matches the lower
8 bits of the ARP opcode.  ARP opcodes greater than 255 are treated as
0.
.IP
When \fBdl_type\fR is wildcarded or set to a value other than 0x0800
or 0x0806, the value of \fBnw_proto\fR is ignored (see \fBFlow
Syntax\fR above).
.
.IP \fBnw_tos=\fItos\fR
Matches IP ToS/DSCP field \fItos\fR, which is specified as a decimal 
number between 0 and 255, inclusive.  Note that the two lower reserved
bits are ignored for matching purposes.
.IP
The value of \fBnw_proto\fR is ignored unless \fBdl_type=0x0800\fR,
\fBip\fR, \fBicmp\fR, \fBtcp\fR, or \fBudp\fR is also specified (see
\fBFlow Syntax\fR above).
.
.IP \fBtp_src=\fIport\fR
.IQ \fBtp_dst=\fIport\fR
When \fBdl_type\fR and \fBnw_proto\fR specify TCP or UDP, \fBtp_src\fR
and \fBtp_dst\fR match the UDP or TCP source or destination port
\fIport\fR, respectively. which is specified as a decimal number
between 0 and 65535, inclusive (e.g. 80 to match packets originating
from a HTTP server).
.IP
When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
these settings are ignored (see \fBFlow Syntax\fR above).
.
.IP \fBicmp_type=\fItype\fR
.IQ \fBicmp_code=\fIcode\fR
When \fBdl_type\fR and \fBnw_proto\fR specify ICMP, \fItype\fR matches
the ICMP type and \fIcode\fR matches the ICMP code.  Each is specified
as a decimal number between 0 and 255, inclusive.
.IP
When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
these settings are ignored (see \fBFlow Syntax\fR above).
.
.PP
The following shorthand notations are also available:
.
.IP \fBip\fR
Same as \fBdl_type=0x0800\fR.
.
.IP \fBicmp\fR
Same as \fBdl_type=0x0800,nw_proto=1\fR.
.
.IP \fBtcp\fR
Same as \fBdl_type=0x0800,nw_proto=6\fR.
.
.IP \fBudp\fR
Same as \fBdl_type=0x0800,nw_proto=17\fR.
.
.IP \fBarp\fR
Same as \fBdl_type=0x0806\fR.
.
.PP
The \fBadd\-flow\fR and \fBadd\-flows\fR commands require an additional
field, which must be the final field specified:
.
.IP \fBactions=\fR[\fItarget\fR][\fB,\fItarget\fR...]\fR
Specifies a comma-separated list of actions to take on a packet when the 
flow entry matches.  If no \fItarget\fR is specified, then packets
matching the flow are dropped.  The \fItarget\fR may be a decimal port 
number designating the physical port on which to output the packet, or one 
of the following keywords:
.
.RS
.IP \fBoutput\fR:\fIport\fR
Outputs the packet on the port specified by \fIport\fR.
.
.IP \fBenqueue\fR:\fIport\fB:\fIqueue\fR
Enqueues the packet on the specified \fIqueue\fR within port
\fIport\fR.  The number of supported queues depends on the switch;
some OpenFlow implementations do not support queuing at all.
.
.IP \fBnormal\fR
Subjects the packet to the device's normal L2/L3 processing.  (This
action is not implemented by all OpenFlow switches.)
.
.IP \fBflood\fR
Outputs the packet on all switch physical ports other than the port on
which it was received and any ports on which flooding is disabled
(typically, these would be ports disabled by the IEEE 802.1D spanning
tree protocol).
.
.IP \fBall\fR
Outputs the packet on all switch physical ports other than the port on
which it was received.
.
.IP \fBcontroller\fR:\fImax_len\fR
Sends the packet to the OpenFlow controller as a ``packet in''
message.  If \fImax_len\fR is a number, then it specifies the maximum
number of bytes that should be sent.  If \fImax_len\fR is \fBALL\fR or
omitted, then the entire packet is sent.
.
.IP \fBlocal\fR
Outputs the packet on the ``local port,'' which corresponds to the
\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
\fBovs\-openflowd\fR(8) for information on the \fBof\fIn\fR network device).
.
.IP \fBdrop\fR
Discards the packet, so no further processing or forwarding takes place.
If a drop action is used, no other actions may be specified.
.
.IP \fBmod_vlan_vid\fR:\fIvlan_vid\fR
Modifies the VLAN id on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  If the VLAN tag is added,
a priority of zero is used (see the \fBmod_vlan_pcp\fR action to set
this).
.
.IP \fBmod_vlan_pcp\fR:\fIvlan_pcp\fR
Modifies the VLAN priority on a packet.  The VLAN tag is added or modified 
as necessary to match the value specified.  Valid values are between 0
(lowest) and 7 (highest).  If the VLAN tag is added, a vid of zero is used 
(see the \fBmod_vlan_vid\fR action to set this).
.
.IP \fBstrip_vlan\fR
Strips the VLAN tag from a packet if it is present.
.
.IP \fBmod_dl_src\fB:\fImac\fR
Sets the source Ethernet address to \fImac\fR.
.
.IP \fBmod_dl_dst\fB:\fImac\fR
Sets the destination Ethernet address to \fImac\fR.
.
.IP \fBmod_nw_src\fB:\fIip\fR
Sets the IPv4 source address to \fIip\fR.
.
.IP \fBmod_nw_dst\fB:\fIip\fR
Sets the IPv4 destination address to \fIip\fR.
.
.IP \fBmod_tp_src\fB:\fIport\fR
Sets the TCP or UDP source port to \fIport\fR.
.
.IP \fBmod_tp_dst\fB:\fIport\fR
Sets the TCP or UDP destination port to \fIport\fR.
.
.IP \fBmod_nw_tos\fB:\fItos\fR
Sets the IP ToS/DSCP field to \fItos\fR.  Valid values are between 0 and
255, inclusive.  Note that the two lower reserved bits are never
modified.
.
.RE
.IP
The following actions are Nicira vendor extensions that, as of this writing, are
only known to be implemented by Open vSwitch:
.
.RS
.
.IP \fBresubmit\fB:\fIport\fR
Re-searches the OpenFlow flow table with the \fBin_port\fR field
replaced by \fIport\fR and executes the actions found, if any, in
addition to any other actions in this flow entry.  Recursive
\fBresubmit\fR actions are ignored.
.
.IP \fBset_tunnel\fB:\fIid\fR
If outputting to a port that encapsulates the packet in a tunnel and supports
an identifier (such as GRE), sets the identifier to \fBid\fR.
.
.IP \fBdrop_spoofed_arp\fR
Stops processing further actions, if the packet being processed is an
Ethernet+IPv4 ARP packet for which the source Ethernet address inside
the ARP packet differs from the source Ethernet address in the
Ethernet header.
.
This is useful because OpenFlow does not provide a way to match on the
Ethernet addresses inside ARP packets, so there is no other way to
drop spoofed ARPs other than sending every ARP packet to a controller.
.RE
.
.IP
(The OpenFlow protocol supports other actions that \fBovs\-ofctl\fR does
not yet expose to the user.)
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
support an additional optional field:
.
.IP \fBcookie=\fIvalue\fR
.
A cookie is an opaque identifier that can be associated with the flow.
\fIvalue\fR can be any 64-bit number and need not be unique among
flows.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBdel\-flows\fR commands
support an additional optional field:
.
.IP \fBpriority=\fIvalue\fR
The priority at which a wildcarded entry will match in comparison to
others.  \fIvalue\fR is a number between 0 and 65535, inclusive.  A higher 
\fIvalue\fR will match before a lower one.  An exact-match entry will always 
have priority over an entry containing wildcards, so it has an implicit 
priority value of 65535.  When adding a flow, if the field is not specified, 
the flow's priority will default to 32768.
.
.PP
The \fBadd\-flow\fR and \fBadd\-flows\fR commands support additional
optional fields:
.
.TP
\fBidle_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds of
inactivity.  A value of 0 prevents a flow from expiring due to
inactivity.  The default is 60 seconds.
.
.IP \fBhard_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds,
regardless of activity.  A value of 0 (the default) gives the flow no
hard expiration deadline.
.
.PP
The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR 
and \fBdel\-flows\fR commands support one additional optional field:
.
.TP
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR.
.
.PP
The \fBdump\-flows\fR and \fBdump\-aggregate\fR commands support an
additional optional field:
.
.IP \fBtable=\fInumber\fR
If specified, limits the flows about which statistics are gathered to
those in the table with the given \fInumber\fR.  Tables are numbered
as shown by the \fBdump\-tables\fR command.
.
If this field is not specified, or if \fInumber\fR is given as
\fB255\fR, statistics are gathered about flows from all tables.
.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information 
about the entries in a datapath's tables.  Each line of output is a 
unique flow entry, which begins with some common information:
.
.IP \fBduration\fR
The number of seconds the entry has been in the table.
.
.IP \fBtable_id\fR
The table that contains the flow.  When a packet arrives, the switch 
begins searching for an entry at the lowest numbered table.  Tables are 
numbered as shown by the \fBdump\-tables\fR command.
.
.IP \fBpriority\fR
The priority of the entry in relation to other entries within the same
table.  A higher value will match before a lower one.
.
.IP \fBn_packets\fR
The number of packets that have matched the entry.
.
.IP \fBn_bytes\fR
The total number of bytes from packets that have matched the entry.
.
.PP
The rest of the line consists of a description of the flow entry as 
described in \fBFlow Syntax\fR, above.
.
.
.SH OPTIONS
.TP
\fB\-\-strict\fR
Uses strict matching when running flow modification commands.
.
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/vlog.man
.so lib/common.man
.
.SH EXAMPLES
.
The following examples assume that an OpenFlow switch on the local
host has been configured to listen for management connections on a
Unix domain socket named \fB@RUNDIR@/openflow.sock\fR, e.g. by
specifying \fB\-\-listen=punix:@RUNDIR@/openflow.sock\fR on the
\fBovs\-openflowd\fR(8) command line.
.
.TP
\fBovs\-ofctl dump\-tables unix:@RUNDIR@/openflow.sock\fR
Prints out the switch's table stats.  (This is more interesting after
some traffic has passed through.)
.
.TP
\fBovs\-ofctl dump\-flows unix:@RUNDIR@/openflow.sock\fR
Prints the flow entries in the switch.
.
.SH "SEE ALSO"
.
.BR ovs\-appctl (8),
.BR ovs\-controller (8),
.BR ovs\-vswitchd (8)