\fBdump\-table\-features \fIswitch\fR
Prints to the console features for each of the flow tables used by
\fIswitch\fR.
-.
-.IP "\fBmod\-table \fIswitch\fR \fItable_id\fR \fIflow_miss_handling\fR"
-An OpenFlow 1.0 switch looks up each packet that arrives at the switch
-in table 0, then in table 1 if there is no match in table 0, then in
-table 2, and so on until the packet finds a match in some table.
-Finally, if no match was found, the switch sends the packet to the
-controller
-.IP
-OpenFlow 1.1 and later offer more flexibility. This command
-configures the flow table miss handling configuration for table
-\fItable_id\fR in \fIswitch\fR. \fItable_id\fR may be an OpenFlow
-table number between 0 and 254, inclusive, or the keyword \fBALL\fR to
-modify all tables. \fIflow_miss_handling\fR may be any one of the
-following:
+.TP
+\fBdump\-table\-desc \fIswitch\fR
+Prints to the console configuration for each of the flow tables used
+by \fIswitch\fR for OpenFlow 1.4+.
+.IP "\fBmod\-table \fIswitch\fR \fItable\fR \fIsetting\fR"
+This command configures flow table settings in \fIswitch\fR for
+OpenFlow table \fItable\fR, which may be expressed as a number or
+(unless \fB\-\-no\-names\fR is specified) a name.
+.IP
+The available settings depend on
+the OpenFlow version in use. In OpenFlow 1.1 and 1.2 (which must be
+enabled with the \fB\-O\fR option) only, \fBmod\-table\fR configures
+behavior when no flow is found when a packet is looked up in a flow
+table. The following \fIsetting\fR values are available:
.RS
.IP \fBdrop\fR
Drop the packet.
Send to controller. (This is how an OpenFlow 1.0 switch always
handles packets that do not match any flow in the last table.)
.RE
+.IP
+In OpenFlow 1.4 and later (which must be enabled with the \fB\-O\fR
+option) only, \fBmod\-table\fR configures the behavior when a
+controller attempts to add a flow to a flow table that is full. The
+following \fIsetting\fR values are available:
+.RS
+.IP \fBevict\fR
+Delete some existing flow from the flow table, according to the
+algorithm described for the \fBFlow_Table\fR table in
+\fBovs-vswitchd.conf.db\fR(5).
+.IP \fBnoevict\fR
+Refuse to add the new flow. (Eviction might still be enabled through
+the \fBoverflow_policy\fR column in the \fBFlow_Table\fR table
+documented in \fBovs-vswitchd.conf.db\fR(5).)
+.IP \fBvacancy:\fIlow\fB,\fIhigh\fR
+Enables sending vacancy events to controllers using \fBTABLE_STATUS\fR
+messages, based on percentage thresholds \fIlow\fR and \fIhigh\fR.
+.IP \fBnovacancy\fR
+Disables vacancy events.
+.RE
.
.TP
\fBdump\-ports \fIswitch\fR [\fInetdev\fR]
.
.IP "\fBmod\-port \fIswitch\fR \fIport\fR \fIaction\fR"
Modify characteristics of port \fBport\fR in \fIswitch\fR. \fIport\fR
-may be an OpenFlow port number or name or the keyword \fBLOCAL\fR (the
+may be an OpenFlow port number or name (unless \fB\-\-no\-names\fR is
+specified) or the keyword \fBLOCAL\fR (the
preferred way to refer to the OpenFlow local port). The \fIaction\fR
may be any one of the following:
.
.RS
.IQ \fBup\fR
.IQ \fBdown\fR
-Enable or disable the interface. This is equivalent to \fBifconfig
-up\fR or \fBifconfig down\fR on a Unix system.
+Enable or disable the interface. This is equivalent to \fBip
+link set up\fR or \fBip link set down\fR on a Unix system.
.
.IP \fBstp\fR
.IQ \fBno\-stp\fR
.IP
By default, \fBovs\-ofctl\fR prints flow entries in the same order
that the switch sends them, which is unlikely to be intuitive or
-consistent. See the description of \fB\-\-sort\fR and \fB\-\-rsort\fR,
-under \fBOPTIONS\fR below, to influence the display order.
+consistent. Use \fB\-\-sort\fR and \fB\-\-rsort\fR to control display
+order. The \fB\-\-names\fR/\fB\-\-no\-names\fR and
+\fB\-\-stats\fR/\fB\-\-no\-stats\fR options also affect output
+formatting. See the descriptions of these options, under
+\fBOPTIONS\fR below, for more information
.
.TP
\fBdump\-aggregate \fIswitch \fR[\fIflows\fR]
\fIport\fR is omitted, then statistics are printed for \fIqueue\fR on
every port where it exists.
.
-.SS "OpenFlow 1.1+ Group Table Commands"
-.
-The following commands work only with switches that support OpenFlow
-1.1 or later. Because support for OpenFlow 1.1 and later is still
-experimental in Open vSwitch, it is necessary to explicitly enable
-these protocol versions in \fBovs\-ofctl\fR (using \fB\-O\fR) and in
-the switch itself (with the \fBprotocols\fR column in the \fBBridge\fR
-table). For more information, see ``Q: What versions of OpenFlow does
-Open vSwitch support?'' in the Open vSwitch FAQ.
-.
-.IP "\fBdump\-groups \fIswitch\fR [\fIgroup\fR]"
-Prints group entries in \fIswitch\fR's tables to console. To dump
-only a specific group, specify its number as \fIgroup\fR. Otherwise,
-if \fIgroup\fR is omitted, or if it is specified as \fBALL\fR, then
-all groups are printed. Each line of output is a group entry as
-described in \fBGroup Syntax\fR below.
+.IP "\fBqueue\-get\-config \fIswitch [\fIport \fR[\fIqueue\fR]]"
+Prints to the console the configuration of \fIqueue\fR on \fIport\fR
+in \fIswitch\fR. If \fIport\fR is omitted or \fBANY\fR, reports
+queues for all port. If \fIqueue\fR is omitted or \fBANY\fR, reports
+all queues. For OpenFlow 1.3 and earlier, the output always includes
+all queues, ignoring \fIqueue\fR if specified.
.IP
-Only OpenFlow 1.5 and later support dumping a specific group. Earlier
-versions of OpenFlow always dump all groups.
-.
-.IP "\fBdump\-group\-features \fIswitch"
-Prints to the console the group features of the \fIswitch\fR.
+This command has limited usefulness, because ports often have no
+configured queues and because the OpenFlow protocol provides only very
+limited information about the configuration of a queue.
.
-.IP "\fBdump\-group-stats \fIswitch \fR[\fIgroups\fR]"
-Prints to the console statistics for the specified \fIgroups in the
-\fIswitch\fR's tables. If \fIgroups\fR is omitted then statistics for all
-groups are printed. See \fBGroup Syntax\fR, below, for the syntax of
-\fIgroups\fR.
-.
-.SS "OpenFlow 1.3+ Switch Meter Table Commands"
-.
-These commands manage the meter table in an OpenFlow switch. In each
-case, \fImeter\fR specifies a meter entry in the format described in
-\fBMeter Syntax\fR, below.
-.
-.PP
-OpenFlow 1.3 introduced support for meters, so these commands only
-work with switches that support OpenFlow 1.3 or later. The caveats
-described for groups in the previous section also apply to meters.
-.
-.IP "\fBadd\-meter \fIswitch meter\fR"
-Add a meter entry to \fIswitch\fR's tables. The \fImeter\fR syntax is
-described in section \fBMeter Syntax\fR, below.
-.
-.IP "\fBmod\-meter \fIswitch meter\fR"
-Modify an existing meter.
-.
-.IP "\fBdel\-meters \fIswitch\fR"
-.IQ "\fBdel\-meter \fIswitch\fR [\fImeter\fR]"
-Delete entries from \fIswitch\fR's meter table. \fImeter\fR can specify
-a single meter with syntax \fBmeter=\fIid\fR, or all meters with syntax
-\fBmeter=all\fR.
-.
-.IP "\fBdump\-meters \fIswitch\fR"
-.IQ "\fBdump\-meter \fIswitch\fR [\fImeter\fR]"
-Print meter configuration. \fImeter\fR can specify a single meter with
-syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
+.IP "\fBdump\-ipfix\-bridge \fIswitch\fR"
+Prints to the console the statistics of bridge IPFIX for \fIswitch\fR.
+If bridge IPFIX is configured on the \fIswitch\fR, IPFIX statistics
+can be retrieved. Otherwise, error message will be printed.
+.IP
+This command uses an Open vSwitch extension that is only in Open
+vSwitch 2.6 and later.
.
-.IP "\fBmeter\-stats \fIswitch\fR [\fImeter\fR]"
-Print meter statistics. \fImeter\fR can specify a single meter with
-syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
+.IP "\fBdump\-ipfix\-flow \fIswitch\fR"
+Prints to the console the statistics of flow-based IPFIX for
+\fIswitch\fR. If flow-based IPFIX is configured on the \fIswitch\fR,
+statistics of all the collector set ids on the \fIswitch\fR will be
+printed. Otherwise, print error message.
+.IP
+Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on configuring
+flow based IPFIX and collector set ids.
+.IP
+This command uses an Open vSwitch extension that is only in Open
+vSwitch 2.6 and later.
.
-.IP "\fBmeter\-features \fIswitch\fR"
-Print meter features.
+.IP "\fBct\-flush\-zone \fIswitch zone\fR
+Flushes the connection tracking entries in \fIzone\fR on \fIswitch\fR.
+.IP
+This command uses an Open vSwitch extension that is only in Open
+vSwitch 2.6 and later.
.
.SS "OpenFlow Switch Flow Table Commands"
.
These commands manage the flow table in an OpenFlow switch. In each
case, \fIflow\fR specifies a flow entry in the format described in
-\fBFlow Syntax\fR, below, and \fIfile\fR is a text file that contains
-zero or more flows in the same syntax, one per line.
-.
-.IP "\fBadd\-flow \fIswitch flow\fR"
-.IQ "\fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
-.IQ "\fBadd\-flows \fIswitch file\fR"
+\fBFlow Syntax\fR, below, \fIfile\fR is a text file that contains zero
+or more flows in the same syntax, one per line, and the optional
+\fB\-\-bundle\fR option operates the command as a single atomic
+transation, see option \fB\-\-bundle\fR, below.
+.
+.IP "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch flow\fR"
+.IQ "[\fB\-\-bundle\fR] \fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
+.IQ "[\fB\-\-bundle\fR] \fBadd\-flows \fIswitch file\fR"
Add each flow entry to \fIswitch\fR's tables.
.
-.IP "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
-.IQ "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
+Each flow specification (e.g., each line in \fIfile\fR) may start with
+\fBadd\fR, \fBmodify\fR, \fBdelete\fR, \fBmodify_strict\fR, or
+\fBdelete_strict\fR keyword to specify whether a flow is to be added,
+modified, or deleted, and whether the modify or delete is strict or
+not. For backwards compatibility a flow specification without one of
+these keywords is treated as a flow add. All flow mods are executed
+in the order specified.
+.
+.IP "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
+.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
Modify the actions in entries from \fIswitch\fR's tables that match
the specified flows. With \fB\-\-strict\fR, wildcards are not treated
as active for matching purposes.
.
-.IP "\fBdel\-flows \fIswitch\fR"
-.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
-.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
+.IP "[\fB\-\-bundle\fR] \fBdel\-flows \fIswitch\fR"
+.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
+.IQ "[\fB\-\-bundle\fR] [\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's flow table. With only a
\fIswitch\fR argument, deletes all flows. Otherwise, deletes flow
entries that match the specified flows. With \fB\-\-strict\fR,
wildcards are not treated as active for matching purposes.
.
-.IP "[\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR"
+.IP "[\fB\-\-bundle\fR] [\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR"
Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
\fB\-\fR) and queries the flow table from \fIswitch\fR. Then it fixes
up any differences, adding flows from \fIflow\fR that are missing on
.IP
With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from
\fIfile\fR, even those that exist with the same actions, cookie, and
-timeout in \fIswitch\fR. This resets all the flow packet and byte
-counters to 0, which can be useful for debugging.
+timeout in \fIswitch\fR. In OpenFlow 1.0 and 1.1, re-adding a flow
+always resets the flow's packet and byte counters to 0, and in
+OpenFlow 1.2 and later, it does so only if the \fBreset_counts\fR flag
+is set.
.
.IP "\fBdiff\-flows \fIsource1 source2\fR"
Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
found, 1 means that an error occurred, and 2 means that some
differences were found.
.
-.IP "\fBpacket\-out \fIswitch in_port actions packet\fR..."
-Connects to \fIswitch\fR and instructs it to execute the OpenFlow
-\fIactions\fR on each \fIpacket\fR. Each \fBpacket\fR is specified as a
-series of hex digits. For the purpose of executing the
-actions, the packets are considered to have arrived on \fIin_port\fR,
-which may be an OpenFlow port number or name (e.g. \fBeth0\fR), the
-keyword \fBLOCAL\fR (the preferred way to refer to the OpenFlow
-``local'' port), or the keyword \fBNONE\fR to indicate that the packet
-was generated by the switch itself.
+.IP "\fBpacket\-out \fIswitch\fR \fIpacket-out\fR"
+Connects to \fIswitch\fR and instructs it to execute the
+\fIpacket-out\fR OpenFlow message, specified as defined in
+\fBPacket\-Out Syntax\fR section.
.
-.SS "OpenFlow Switch Group Table Commands"
+.SS "Group Table Commands"
.
These commands manage the group table in an OpenFlow switch. In each
case, \fIgroup\fR specifies a group entry in the format described in
\fBGroup Syntax\fR, below, and \fIfile\fR is a text file that contains
-zero or more groups in the same syntax, one per line.
-
-.IP "\fBadd\-group \fIswitch group\fR"
-.IQ "\fBadd\-group \fIswitch \fB\- < \fIfile\fR"
-.IQ "\fBadd\-groups \fIswitch file\fR"
+zero or more groups in the same syntax, one per line, and the optional
+\fB\-\-bundle\fR option operates the command as a single atomic
+transation, see option \fB\-\-bundle\fR, below.
+.PP
+The group commands work only with switches that support OpenFlow 1.1
+or later or the Open vSwitch group extensions to OpenFlow 1.0 (added
+in Open vSwitch 2.9.90). For OpenFlow 1.1 or later, it is necessary
+to explicitly enable these protocol versions in \fBovs\-ofctl\fR
+(using \fB\-O\fR). For more information, see ``Q: What versions of
+OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
+.
+.IP "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch group\fR"
+.IQ "[\fB\-\-bundle\fR] \fBadd\-group \fIswitch \fB\- < \fIfile\fR"
+.IQ "[\fB\-\-bundle\fR] \fBadd\-groups \fIswitch file\fR"
Add each group entry to \fIswitch\fR's tables.
.
-.IP "\fBmod\-group \fIswitch group\fR"
-.IQ "\fBmod\-group \fIswitch \fB\- < \fIfile\fR"
-Modify the action buckets in entries from \fIswitch\fR's tables for
-each group entry.
+Each group specification (e.g., each line in \fIfile\fR) may start
+with \fBadd\fR, \fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR,
+\fBinsert_bucket\fR, or \fBremove_bucket\fR keyword to specify whether
+a flow is to be added, modified, or deleted, or whether a group bucket
+is to be added or removed. For backwards compatibility a group
+specification without one of these keywords is treated as a group add.
+All group mods are executed in the order specified.
.
-.IP "\fBdel\-groups \fIswitch\fR"
-.IQ "\fBdel\-groups \fIswitch \fR[\fIgroup\fR]"
-.IQ "\fBdel\-groups \fIswitch \fB\- < \fIfile\fR"
+.IP "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch group\fR"
+.IQ "[\fB\-\-bundle\fR] [\fB\-\-may\-create\fR] \fBmod\-group \fIswitch \fB\- < \fIfile\fR"
+Modify the action buckets in entries from \fIswitch\fR's tables for
+each group entry. If a specified group does not already exist, then
+without \fB\-\-may\-create\fR, this command has no effect; with
+\fB\-\-may\-create\fR, it creates a new group. The
+\fB\-\-may\-create\fR option uses an Open vSwitch extension to
+OpenFlow only implemented in Open vSwitch 2.6 and later.
+.
+.IP "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch\fR"
+.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fR[\fIgroup\fR]"
+.IQ "[\fB\-\-bundle\fR] \fBdel\-groups \fIswitch \fB\- < \fIfile\fR"
Deletes entries from \fIswitch\fR's group table. With only a
\fIswitch\fR argument, deletes all groups. Otherwise, deletes the group
for each group entry.
.
-.IP "\fBinsert\-buckets \fIswitch group\fR"
-.IQ "\fBinsert\-buckets \fIswitch \fB\- < \fIfile\fR"
+.IP "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch group\fR"
+.IQ "[\fB\-\-bundle\fR] \fBinsert\-buckets \fIswitch \fB\- < \fIfile\fR"
Add buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
-.IP "\fBremove\-buckets \fIswitch group\fR"
-.IQ "\fBremove\-buckets \fIswitch \fB\- < \fIfile\fR"
+.IP "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch group\fR"
+.IQ "[\fB\-\-bundle\fR] \fBremove\-buckets \fIswitch \fB\- < \fIfile\fR"
Remove buckets to an existing group present in the \fIswitch\fR's group table.
If no \fIcommand_bucket_id\fR is present in the group specification then all
buckets of the group are removed.
.
+.IP "\fBdump\-groups \fIswitch\fR [\fIgroup\fR]"
+Prints group entries in \fIswitch\fR's tables to console. To dump
+only a specific group, specify its number as \fIgroup\fR. Otherwise,
+if \fIgroup\fR is omitted, or if it is specified as \fBALL\fR, then
+all groups are printed.
+.IP
+Only OpenFlow 1.5 and later support dumping a specific group. Earlier
+versions of OpenFlow always dump all groups.
+.
+.IP "\fBdump\-group\-features \fIswitch"
+Prints to the console the group features of the \fIswitch\fR.
+.
+.IP "\fBdump\-group\-stats \fIswitch \fR[\fIgroup\fR]"
+Prints to the console statistics for the specified \fIgroup\fR in
+\fIswitch\fR's tables. If \fIgroup\fR is omitted then statistics for all
+groups are printed.
+.
+.SS "OpenFlow 1.3+ Switch Meter Table Commands"
+.
+These commands manage the meter table in an OpenFlow switch. In each
+case, \fImeter\fR specifies a meter entry in the format described in
+\fBMeter Syntax\fR, below.
+.
+.PP
+OpenFlow 1.3 introduced support for meters, so these commands only work
+with switches that support OpenFlow 1.3 or later. It is necessary to
+explicitly enable these protocol versions in \fBovs\-ofctl\fR (using
+\fB\-O\fR) and in the switch itself (with the \fBprotocols\fR column in
+the \fBBridge\fR table). For more information, see ``Q: What versions
+of OpenFlow does Open vSwitch support?'' in the Open vSwitch FAQ.
+.
+.IP "\fBadd\-meter \fIswitch meter\fR"
+Add a meter entry to \fIswitch\fR's tables. The \fImeter\fR syntax is
+described in section \fBMeter Syntax\fR, below.
+.
+.IP "\fBmod\-meter \fIswitch meter\fR"
+Modify an existing meter.
+.
+.IP "\fBdel\-meters \fIswitch\fR"
+.IQ "\fBdel\-meter \fIswitch\fR [\fImeter\fR]"
+Delete entries from \fIswitch\fR's meter table. \fImeter\fR can specify
+a single meter with syntax \fBmeter=\fIid\fR, or all meters with syntax
+\fBmeter=all\fR.
+.
+.IP "\fBdump\-meters \fIswitch\fR"
+.IQ "\fBdump\-meter \fIswitch\fR [\fImeter\fR]"
+Print meter configuration. \fImeter\fR can specify a single meter with
+syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
+.
+.IP "\fBmeter\-stats \fIswitch\fR [\fImeter\fR]"
+Print meter statistics. \fImeter\fR can specify a single meter with
+syntax \fBmeter=\fIid\fR, or all meters with syntax \fBmeter=all\fR.
+.
+.IP "\fBmeter\-features \fIswitch\fR"
+Print meter features.
+.
+.SS OpenFlow Switch Bundle Command
+.
+Transactional updates to both flow and group tables can be made with
+the \fBbundle\fR command. \fIfile\fR is a text file that contains
+zero or more flow mods, group mods, or packet-outs in \fBFlow
+Syntax\fR, \fBGroup Syntax\fR, or \fBPacket\-Out Syntax\fR, each line
+preceded by \fBflow\fR, \fBgroup\fR, or \fBpacket\-out\fR keyword,
+correspondingly. The \fBflow\fR keyword may be optionally followed by
+one of the keywords \fBadd\fR, \fBmodify\fR, \fBmodify_strict\fR,
+\fBdelete\fR, or \fBdelete_strict\fR, of which the \fBadd\fR is
+assumed if a bare \fBflow\fR is given. Similarly, the \fBgroup\fR
+keyword may be optionally followed by one of the keywords \fBadd\fR,
+\fBmodify\fR, \fBadd_or_mod\fR, \fBdelete\fR, \fBinsert_bucket\fR, or
+\fBremove_bucket\fR, of which the \fBadd\fR is assumed if a bare
+\fBgroup\fR is given.
+.
+.IP "\fBbundle \fIswitch file\fR"
+Execute all flow and group mods in \fIfile\fR as a single atomic
+transaction against \fIswitch\fR's tables. All bundled mods are
+executed in the order specified.
+.
+.SS "OpenFlow Switch Tunnel TLV Table Commands"
+.
+Open vSwitch maintains a mapping table between tunnel option TLVs (defined
+by <class, type, length>) and NXM fields \fBtun_metadata\fIn\fR,
+where \fIn\fR ranges from 0 to 63, that can be operated on for the
+purposes of matches, actions, etc. This TLV table can be used for
+Geneve option TLVs or other protocols with options in same TLV format
+as Geneve options. This mapping must be explicitly specified by the user
+through the following commands.
+
+A TLV mapping is specified with the syntax
+\fB{class=\fIclass\fB,type=\fItype\fB,len=\fIlength\fB}->tun_metadata\fIn\fR.
+When an option mapping exists for a given \fBtun_metadata\fIn\fR,
+matching on the defined field becomes possible, e.g.:
+
+.RS
+ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"
+.PP
+ovs-ofctl add-flow br0 tun_metadata0=1234,actions=controller
+.RE
+
+A mapping should not be changed while it is in active
+use by a flow. The result of doing so is undefined.
+
+These commands are Nicira extensions to OpenFlow and require Open vSwitch
+2.5 or later.
+
+.IP "\fBadd\-tlv\-map \fIswitch option\fR[\fB,\fIoption\fR]..."
+Add each \fIoption\fR to \fIswitch\fR's tables. Duplicate fields are
+rejected.
+.
+.IP "\fBdel\-tlv\-map \fIswitch \fR[\fIoption\fR[\fB,\fIoption\fR]]..."
+Delete each \fIoption\fR from \fIswitch\fR's table, or all option TLV
+mapping if no \fIoption\fR is specified.
+Fields that aren't mapped are ignored.
+.
+.IP "\fBdump\-tlv\-map \fIswitch\fR"
+Show the currently mapped fields in the switch's option table as well
+as switch capabilities.
+.
.SS "OpenFlow Switch Monitoring Commands"
.
.IP "\fBsnoop \fIswitch\fR"
messages received. Unlike other \fBovs\-ofctl\fR commands, if
\fIswitch\fR is the name of a bridge, then the \fBsnoop\fR command
connects to a Unix domain socket named
-\fB@RUNDIR@/\fIbridge\fB.snoop\fR. \fBovs\-vswitchd\fR listens on
+\fB@RUNDIR@/\fIswitch\fB.snoop\fR. \fBovs\-vswitchd\fR listens on
such a socket for each bridge and sends to it all of the OpenFlow
messages sent to or received from its configured OpenFlow controller.
Thus, this command can be used to view OpenFlow protocol activity
configuration'' message at connection setup time that requests
\fBINVALID_TTL_TO_CONTROLLER\fR, so that \fBovs\-ofctl monitor\fR can
receive ``packet-in'' messages when TTL reaches zero on \fBdec_ttl\fR action.
+Only OpenFlow 1.1 and 1.2 support \fBinvalid_ttl\fR; Open vSwitch also
+implements it for OpenFlow 1.0 as an extension.
.IP
\fBwatch:\fR[\fB\fIspec\fR...] causes \fBovs\-ofctl\fR to send a
``monitor request'' Nicira extension message to the switch at
COMMANDS\fR.)
.IP "\fB!actions\fR"
Do not report actions as part of flow updates.
-.IP "\fBtable=\fInumber\fR"
-Limits the monitoring to the table with the given \fInumber\fR between
-0 and 254. By default, all tables are monitored.
+.IP "\fBtable=\fItable\fR"
+Limits the monitoring to the table with the given \fItable\fR, which
+may be expressed as a number between 0 and 254 or (unless
+\fB\-\-no\-names\fR is specified) a name. By default, all tables are
+monitored.
.IP "\fBout_port=\fIport\fR"
If set, only flows that output to \fIport\fR are monitored. The
\fIport\fR may be an OpenFlow port number or keyword
.SS "Flow Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a flow or
-flows. Such flow descriptions comprise a series
+flows. Such flow descriptions comprise a series of
\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
space. (Embedding spaces into a flow description normally requires
quoting to prevent the shell from breaking the description into
\fBtcp_src\fR. \fBovs\-ofctl\fR will warn about
flows not in normal form.
.PP
-The following field assignments describe how a flow matches a packet.
-If any of these assignments is omitted from the flow syntax, the field
-is treated as a wildcard; thus, if all of them are omitted, the
-resulting flow matches all packets. The string \fB*\fR may be specified
-to explicitly mark any of these fields as a wildcard.
-(\fB*\fR should be quoted to protect it from shell expansion.)
-.
-.IP \fBin_port=\fIport\fR
-Matches OpenFlow port \fIport\fR, which may be an OpenFlow port number
-or keyword (e.g. \fBLOCAL\fR).
-\fBovs\-ofctl show\fR.
-.IP
-(The \fBresubmit\fR action can search OpenFlow flow tables with
-arbitrary \fBin_port\fR values, so flows that match port numbers that
-do not exist from an OpenFlow perspective can still potentially be
-matched.)
-.
-.IP \fBdl_vlan=\fIvlan\fR
-Matches IEEE 802.1q Virtual LAN tag \fIvlan\fR. Specify \fB0xffff\fR
-as \fIvlan\fR to match packets that are not tagged with a Virtual LAN;
-otherwise, specify a number between 0 and 4095, inclusive, as the
-12-bit VLAN ID to match.
-.
-.IP \fBdl_vlan_pcp=\fIpriority\fR
-Matches IEEE 802.1q Priority Code Point (PCP) \fIpriority\fR, which is
-specified as a value between 0 and 7, inclusive. A higher value
-indicates a higher frame priority level.
-.
-.IP \fBdl_src=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-.IQ \fBdl_dst=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-Matches an Ethernet source (or destination) address specified as 6
-pairs of hexadecimal digits delimited by colons
-(e.g. \fB00:0A:E4:25:6B:B0\fR).
-.
-.IP \fBdl_src=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-.IQ \fBdl_dst=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-Matches an Ethernet destination address specified as 6 pairs of
-hexadecimal digits delimited by colons (e.g. \fB00:0A:E4:25:6B:B0\fR),
-with a wildcard mask following the slash. Open vSwitch 1.8 and later
-support arbitrary masks for source and/or destination. Earlier
-versions only support masking the destination with the following masks:
-.RS
-.IP \fB01:00:00:00:00:00\fR
-Match only the multicast bit. Thus,
-\fBdl_dst=01:00:00:00:00:00/01:00:00:00:00:00\fR matches all multicast
-(including broadcast) Ethernet packets, and
-\fBdl_dst=00:00:00:00:00:00/01:00:00:00:00:00\fR matches all unicast
-Ethernet packets.
-.IP \fBfe:ff:ff:ff:ff:ff\fR
-Match all bits except the multicast bit. This is probably not useful.
-.IP \fBff:ff:ff:ff:ff:ff\fR
-Exact match (equivalent to omitting the mask).
-.IP \fB00:00:00:00:00:00\fR
-Wildcard all bits (equivalent to \fBdl_dst=*\fR.)
-.RE
-.
-.IP \fBdl_type=\fIethertype\fR
-Matches Ethernet protocol type \fIethertype\fR, which is specified as an
-integer between 0 and 65535, inclusive, either in decimal or as a
-hexadecimal number prefixed by \fB0x\fR (e.g. \fB0x0806\fR to match ARP
-packets).
-.
-.IP \fBnw_src=\fIip\fR[\fB/\fInetmask\fR]
-.IQ \fBnw_dst=\fIip\fR[\fB/\fInetmask\fR]
-When \fBdl_type\fR is 0x0800 (possibly via shorthand, e.g. \fBip\fR
-or \fBtcp\fR), matches IPv4 source (or destination) address \fIip\fR,
-which may be specified as an IP address or host name
-(e.g. \fB192.168.1.1\fR or \fBwww.example.com\fR). The optional
-\fInetmask\fR allows restricting a match to an IPv4 address prefix.
-The netmask may be specified as a dotted quad
-(e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block
-(e.g. \fB192.168.1.0/24\fR). Open vSwitch 1.8 and later support
-arbitrary dotted quad masks; earlier versions support only CIDR masks,
-that is, the dotted quads that are equivalent to some CIDR block.
-.IP
-When \fBdl_type=0x0806\fR or \fBarp\fR is specified, matches the
-\fBar_spa\fR or \fBar_tpa\fR field, respectively, in ARP packets for
-IPv4 and Ethernet.
-.IP
-When \fBdl_type=0x8035\fR or \fBrarp\fR is specified, matches the
-\fBar_spa\fR or \fBar_tpa\fR field, respectively, in RARP packets for
-IPv4 and Ethernet.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800,
-0x0806, or 0x8035, the values of \fBnw_src\fR and \fBnw_dst\fR are ignored
-(see \fBFlow Syntax\fR above).
-.
-.IP \fBnw_proto=\fIproto\fR
-.IQ \fBip_proto=\fIproto\fR
-When \fBip\fR or \fBdl_type=0x0800\fR is specified, matches IP
-protocol type \fIproto\fR, which is specified as a decimal number
-between 0 and 255, inclusive (e.g. 1 to match ICMP packets or 6 to match
-TCP packets).
-.IP
-When \fBipv6\fR or \fBdl_type=0x86dd\fR is specified, matches IPv6
-header type \fIproto\fR, which is specified as a decimal number between
-0 and 255, inclusive (e.g. 58 to match ICMPv6 packets or 6 to match
-TCP). The header type is the terminal header as described in the
-\fBDESIGN\fR document.
-.IP
-When \fBarp\fR or \fBdl_type=0x0806\fR is specified, matches the lower
-8 bits of the ARP opcode. ARP opcodes greater than 255 are treated as
-0.
-.IP
-When \fBrarp\fR or \fBdl_type=0x8035\fR is specified, matches the lower
-8 bits of the ARP opcode. ARP opcodes greater than 255 are treated as
-0.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800,
-0x0806, 0x8035 or 0x86dd, the value of \fBnw_proto\fR is ignored (see
-\fBFlow Syntax\fR above).
-.
-.IP \fBnw_tos=\fItos\fR
-Matches IP ToS/DSCP or IPv6 traffic class field \fItos\fR, which is
-specified as a decimal number between 0 and 255, inclusive. Note that
-the two lower reserved bits are ignored for matching purposes.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
-0x86dd, the value of \fBnw_tos\fR is ignored (see \fBFlow Syntax\fR
-above).
-.
-.IP \fBip_dscp=\fIdscp\fR
-Matches IP ToS/DSCP or IPv6 traffic class field \fIdscp\fR, which is
-specified as a decimal number between 0 and 63, inclusive.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
-0x86dd, the value of \fBip_dscp\fR is ignored (see \fBFlow Syntax\fR
-above).
-.
-.IP \fBnw_ecn=\fIecn\fR
-.IQ \fBip_ecn=\fIecn\fR
-Matches \fIecn\fR bits in IP ToS or IPv6 traffic class fields, which is
-specified as a decimal number between 0 and 3, inclusive.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
-0x86dd, the value of \fBnw_ecn\fR is ignored (see \fBFlow Syntax\fR
-above).
-.
-.IP \fBnw_ttl=\fIttl\fR
-Matches IP TTL or IPv6 hop limit value \fIttl\fR, which is
-specified as a decimal number between 0 and 255, inclusive.
-.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
-0x86dd, the value of \fBnw_ttl\fR is ignored (see \fBFlow Syntax\fR
-above).
-.IP
-.
-.IP \fBtcp_src=\fIport\fR
-.IQ \fBtcp_dst=\fIport\fR
-.IQ \fBudp_src=\fIport\fR
-.IQ \fBudp_dst=\fIport\fR
-.IQ \fBsctp_src=\fIport\fR
-.IQ \fBsctp_dst=\fIport\fR
-Matches a TCP, UDP, or SCTP source or destination port \fIport\fR,
-which is specified as a decimal number between 0 and 65535, inclusive.
-.IP
-When \fBdl_type\fR and \fBnw_proto\fR are wildcarded or set to values
-that do not indicate an appropriate protocol, the values of these
-settings are ignored (see \fBFlow Syntax\fR above).
-.
-.IP \fBtcp_src=\fIport\fB/\fImask\fR
-.IQ \fBtcp_dst=\fIport\fB/\fImask\fR
-.IQ \fBudp_src=\fIport\fB/\fImask\fR
-.IQ \fBudp_dst=\fIport\fB/\fImask\fR
-.IQ \fBsctp_src=\fIport\fB/\fImask\fR
-.IQ \fBsctp_dst=\fIport\fB/\fImask\fR
-Bitwise match on TCP (or UDP or SCTP) source or destination port.
-The \fIport\fR and \fImask\fR are 16-bit numbers
-written in decimal or in hexadecimal prefixed by \fB0x\fR. Each 1-bit
-in \fImask\fR requires that the corresponding bit in \fIport\fR must
-match. Each 0-bit in \fImask\fR causes the corresponding bit to be
-ignored.
-.IP
-Bitwise matches on transport ports are rarely useful in isolation, but
-a group of them can be used to reduce the number of flows required to
-match on a range of transport ports. For example, suppose that the
-goal is to match TCP source ports 1000 to 1999, inclusive. One way is
-to insert 1000 flows, each of which matches on a single source port.
-Another way is to look at the binary representations of 1000 and 1999,
-as follows:
-.br
-.B "01111101000"
-.br
-.B "11111001111"
-.br
-and then to transform those into a series of bitwise matches that
-accomplish the same results:
-.br
-.B "01111101xxx"
-.br
-.B "0111111xxxx"
-.br
-.B "10xxxxxxxxx"
-.br
-.B "110xxxxxxxx"
-.br
-.B "1110xxxxxxx"
-.br
-.B "11110xxxxxx"
-.br
-.B "1111100xxxx"
-.br
-which become the following when written in the syntax required by
-\fBovs\-ofctl\fR:
-.br
-.B "tcp,tcp_src=0x03e8/0xfff8"
-.br
-.B "tcp,tcp_src=0x03f0/0xfff0"
-.br
-.B "tcp,tcp_src=0x0400/0xfe00"
-.br
-.B "tcp,tcp_src=0x0600/0xff00"
-.br
-.B "tcp,tcp_src=0x0700/0xff80"
-.br
-.B "tcp,tcp_src=0x0780/0xffc0"
-.br
-.B "tcp,tcp_src=0x07c0/0xfff0"
-.IP
-Only Open vSwitch 1.6 and later supports bitwise matching on transport
-ports.
-.IP
-Like the exact-match forms described
-above, the bitwise match forms apply only when \fBdl_type\fR and
-\fBnw_proto\fR specify TCP or UDP or SCTP.
-.
-.IP \fBtp_src=\fIport\fR
-.IQ \fBtp_dst=\fIport\fR
-These are deprecated generic forms of L4 port matches. In new code,
-please use the TCP-, UDP-, or SCTP-specific forms described above.
-.
-.IP \fBtcp_flags=\fIflags\fB/\fImask\fR
-.IQ \fBtcp_flags=\fR[\fB+\fIflag\fR...][\fB-\fIflag\fR...]
-Bitwise match on TCP flags. The \fIflags\fR and \fImask\fR are 16-bit
-numbers written in decimal or in hexadecimal prefixed by \fB0x\fR.
-Each 1-bit in \fImask\fR requires that the corresponding bit in
-\fIflags\fR must match. Each 0-bit in \fImask\fR causes the corresponding
-bit to be ignored.
-.IP
-Alternatively, the flags can be specified by their symbolic names
-(listed below), each preceded by either \fB+\fR for a flag that must
-be set, or \fB\-\fR for a flag that must be unset, without any other
-delimiters between the flags. Flags not mentioned are wildcarded.
-For example, \fBtcp,tcp_flags=+syn\-ack\fR matches TCP SYNs that are
-not ACKs.
-.IP
-TCP protocol currently defines 9 flag bits, and additional 3 bits are
-reserved (must be transmitted as zero), see RFCs 793, 3168, and 3540.
-The flag bits are, numbering from the least significant bit:
-.RS
-.IP "\fB0: fin\fR"
-No more data from sender.
-.IP "\fB1: syn\fR"
-Synchronize sequence numbers.
-.IP "\fB2: rst\fR"
-Reset the connection.
-.IP "\fB3: psh\fR"
-Push function.
-.IP "\fB4: ack\fR"
-Acknowledgement field significant.
-.IP "\fB5: urg\fR"
-Urgent pointer field significant.
-.IP "\fB6: ece\fR"
-ECN Echo.
-.IP "\fB7: cwr\fR"
-Congestion Windows Reduced.
-.IP "\fB8: ns\fR"
-Nonce Sum.
-.IP "\fB9-11:\fR"
-Reserved.
-.IP "\fB12-15:\fR"
-Not matchable, must be zero.
-.RE
-.IP \fBicmp_type=\fItype\fR
-.IQ \fBicmp_code=\fIcode\fR
-When \fBdl_type\fR and \fBnw_proto\fR specify ICMP or ICMPv6, \fItype\fR
-matches the ICMP type and \fIcode\fR matches the ICMP code. Each is
-specified as a decimal number between 0 and 255, inclusive.
-.IP
-When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
-these settings are ignored (see \fBFlow Syntax\fR above).
-.
-.IP \fBtable=\fInumber\fR
-For flow dump commands, limits the flows dumped to those in the table
-with the given \fInumber\fR between 0 and 254. If not specified (or if
-255 is specified as \fInumber\fR), then flows in all tables are
+\fBovs\-fields\fR(7) describes the supported fields and how to match
+them. In addition to match fields, commands that operate on flows
+accept a few additional key-value pairs:
+.
+.IP \fBtable=\fItable\fR
+For flow dump commands, limits the flows dumped to those in
+\fItable\fR, which may be expressed as a number between 0 and 255 or
+(unless \fB\-\-no\-names\fR is specified) a name. If not specified
+(or if 255 is specified as \fItable\fR), then flows in all tables are
dumped.
.
.IP
flow table modification commands, to operate on all flow tables, with
the behavior described above for OpenFlow 1.0.
.RE
-.
-.IP \fBmetadata=\fIvalue\fR[\fB/\fImask\fR]
-Matches \fIvalue\fR either exactly or with optional \fImask\fR in the metadata
-field. \fIvalue\fR and \fImask\fR are 64-bit integers, by default in decimal
-(use a \fB0x\fR prefix to specify hexadecimal). Arbitrary \fImask\fR values
-are allowed: a 1-bit in \fImask\fR indicates that the corresponding bit in
-\fIvalue\fR must match exactly, and a 0-bit wildcards that bit. Matching on
-metadata was added in Open vSwitch 1.8.
-.
-.PP
-The following shorthand notations are also available:
-.
-.IP \fBip\fR
-Same as \fBdl_type=0x0800\fR.
-.
-.IP \fBicmp\fR
-Same as \fBdl_type=0x0800,nw_proto=1\fR.
-.
-.IP \fBtcp\fR
-Same as \fBdl_type=0x0800,nw_proto=6\fR.
-.
-.IP \fBudp\fR
-Same as \fBdl_type=0x0800,nw_proto=17\fR.
-.
-.IP \fBsctp\fR
-Same as \fBdl_type=0x0800,nw_proto=132\fR.
-.
-.IP \fBarp\fR
-Same as \fBdl_type=0x0806\fR.
-.
-.IP \fBrarp\fR
-Same as \fBdl_type=0x8035\fR.
-.
-.PP
-The following field assignments require support for the NXM (Nicira
-Extended Match) extension to OpenFlow. When one of these is specified,
-\fBovs\-ofctl\fR will automatically attempt to negotiate use of this
-extension. If the switch does not support NXM, then \fBovs\-ofctl\fR
-will report a fatal error.
-.
-.IP \fBvlan_tci=\fItci\fR[\fB/\fImask\fR]
-Matches modified VLAN TCI \fItci\fR. If \fImask\fR is omitted,
-\fItci\fR is the exact VLAN TCI to match; if \fImask\fR is specified,
-then a 1-bit in \fImask\fR indicates that the corresponding bit in
-\fItci\fR must match exactly, and a 0-bit wildcards that bit. Both
-\fItci\fR and \fImask\fR are 16-bit values that are decimal by
-default; use a \fB0x\fR prefix to specify them in hexadecimal.
-.
-.IP
-The value that \fBvlan_tci\fR matches against is 0 for a packet that
-has no 802.1Q header. Otherwise, it is the TCI value from the 802.1Q
-header with the CFI bit (with value \fB0x1000\fR) forced to 1.
-.IP
-Examples:
-.RS
-.IP \fBvlan_tci=0\fR
-Match only packets without an 802.1Q header.
-.IP \fBvlan_tci=0xf123\fR
-Match packets tagged with priority 7 in VLAN 0x123.
-.IP \fBvlan_tci=0x1123/0x1fff\fR
-Match packets tagged with VLAN 0x123 (and any priority).
-.IP \fBvlan_tci=0x5000/0xf000\fR
-Match packets tagged with priority 2 (in any VLAN).
-.IP \fBvlan_tci=0/0xfff\fR
-Match packets with no 802.1Q header or tagged with VLAN 0 (and any
-priority).
-.IP \fBvlan_tci=0x5000/0xe000\fR
-Match packets with no 802.1Q header or tagged with priority 2 (in any
-VLAN).
-.IP \fBvlan_tci=0/0xefff\fR
-Match packets with no 802.1Q header or tagged with VLAN 0 and priority
-0.
-.RE
-.IP
-Some of these matching possibilities can also be achieved with
-\fBdl_vlan\fR and \fBdl_vlan_pcp\fR.
-.
-.IP \fBip_frag=\fIfrag_type\fR
-When \fBdl_type\fR specifies IP or IPv6, \fIfrag_type\fR
-specifies what kind of IP fragments or non-fragments to match. The
-following values of \fIfrag_type\fR are supported:
-.RS
-.IP "\fBno\fR"
-Matches only non-fragmented packets.
-.IP "\fByes\fR"
-Matches all fragments.
-.IP "\fBfirst\fR"
-Matches only fragments with offset 0.
-.IP "\fBlater\fR"
-Matches only fragments with nonzero offset.
-.IP "\fBnot_later\fR"
-Matches non-fragmented packets and fragments with zero offset.
-.RE
-.IP
-The \fBip_frag\fR match type is likely to be most useful in
-\fBnx\-match\fR mode. See the description of the \fBset\-frags\fR
-command, above, for more details.
-.
-.IP \fBarp_spa=\fIip\fR[\fB/\fInetmask\fR]
-.IQ \fBarp_tpa=\fIip\fR[\fB/\fInetmask\fR]
-When \fBdl_type\fR specifies either ARP or RARP, \fBarp_spa\fR and
-\fBarp_tpa\fR match the source and target IPv4 address, respectively.
-An address may be specified as an IP address or host name
-(e.g. \fB192.168.1.1\fR or \fBwww.example.com\fR). The optional
-\fInetmask\fR allows restricting a match to an IPv4 address prefix.
-The netmask may be specified as a dotted quad
-(e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block
-(e.g. \fB192.168.1.0/24\fR).
-.
-.IP \fBarp_sha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-.IQ \fBarp_tha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-When \fBdl_type\fR specifies either ARP or RARP, \fBarp_sha\fR and
-\fBarp_tha\fR match the source and target hardware address, respectively. An
-address is specified as 6 pairs of hexadecimal digits delimited by colons
-(e.g. \fB00:0A:E4:25:6B:B0\fR).
-.
-.IP \fBarp_sha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-.IQ \fBarp_tha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-When \fBdl_type\fR specifies either ARP or RARP, \fBarp_sha\fR and
-\fBarp_tha\fR match the source and target hardware address, respectively. An
-address is specified as 6 pairs of hexadecimal digits delimited by colons
-(e.g. \fB00:0A:E4:25:6B:B0\fR), with a wildcard mask following the slash.
-.
-
-.IP \fBipv6_src=\fIipv6\fR[\fB/\fInetmask\fR]
-.IQ \fBipv6_dst=\fIipv6\fR[\fB/\fInetmask\fR]
-When \fBdl_type\fR is 0x86dd (possibly via shorthand, e.g., \fBipv6\fR
-or \fBtcp6\fR), matches IPv6 source (or destination) address \fIipv6\fR,
-which may be specified as defined in RFC 2373. The preferred format is
-\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fR, where
-\fIx\fR are the hexadecimal values of the eight 16-bit pieces of the
-address. A single instance of \fB::\fR may be used to indicate multiple
-groups of 16-bits of zeros. The optional \fInetmask\fR allows
-restricting a match to an IPv6 address prefix. A netmask is specified
-as an IPv6 address (e.g. \fB2001:db8:3c4d:1::/ffff:ffff:ffff:ffff::\fR)
-or a CIDR block (e.g. \fB2001:db8:3c4d:1::/64\fR). Open vSwitch 1.8
-and later support arbitrary masks; earlier versions support only CIDR
-masks, that is, CIDR block and IPv6 addresses that are equivalent to
-CIDR blocks.
-.
-.IP \fBipv6_label=\fIlabel\fR
-When \fBdl_type\fR is 0x86dd (possibly via shorthand, e.g., \fBipv6\fR
-or \fBtcp6\fR), matches IPv6 flow label \fIlabel\fR.
-.
-.IP \fBnd_target=\fIipv6\fR[\fB/\fInetmask\fR]
-When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify
-IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address
-\fIipv6\fR. \fIipv6\fR is in the same format described earlier for the
-\fBipv6_src\fR and \fBipv6_dst\fR fields.
-.
-.IP \fBnd_sll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
-Neighbor Solicitation (ICMPv6 type 135), matches the source link\-layer
-address option. An address is specified as 6 pairs of hexadecimal
-digits delimited by colons.
-.
-.IP \fBnd_tll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
-When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
-Neighbor Advertisement (ICMPv6 type 136), matches the target link\-layer
-address option. An address is specified as 6 pairs of hexadecimal
-digits delimited by colons.
-.
-.IP \fBmpls_bos=\fIbos\fR
-When \fBdl_type\fR is 0x8847 or 0x8848 (possibly via shorthand e.g.,
-\fBmpls\fR or \fBmplsm\fR), matches the bottom-of-stack bit of the
-outer-most MPLS label stack entry. Valid values are 0 and 1.
-.IP
-If 1 then for a packet with a well-formed MPLS label stack the
-bottom-of-stack bit indicates that the outer label stack entry is also
-the inner-most label stack entry and thus that is that there is only one
-label stack entry present. Conversely, if 0 then for a packet with a
-well-formed MPLS label stack the bottom-of-stack bit indicates that the
-outer label stack entry is not the inner-most label stack entry and
-thus there is more than one label stack entry present.
-.
-.IP \fBmpls_label=\fIlabel\fR
-When \fBdl_type\fR is 0x8847 or 0x8848 (possibly via shorthand e.g.,
-\fBmpls\fR or \fBmplsm\fR), matches the label of the outer
-MPLS label stack entry. The label is a 20-bit value that is decimal by default;
-use a \fB0x\fR prefix to specify them in hexadecimal.
-.
-.IP \fBmpls_tc=\fItc\fR
-When \fBdl_type\fR is 0x8847 or 0x8848 (possibly via shorthand e.g.,
-\fBmpls\fR or \fBmplsm\fR), matches the traffic-class of the outer
-MPLS label stack entry. Valid values are between 0 (lowest) and 7 (highest).
-.
-.IP \fBtun_id=\fItunnel-id\fR[\fB/\fImask\fR]
-.IQ \fBtunnel_id=\fItunnel-id\fR[\fB/\fImask\fR]
-Matches tunnel identifier \fItunnel-id\fR. Only packets that arrive
-over a tunnel that carries a key (e.g. GRE with the RFC 2890 key
-extension and a nonzero key value) will have a nonzero tunnel ID.
-If \fImask\fR is omitted, \fItunnel-id\fR is the exact tunnel ID to match;
-if \fImask\fR is specified, then a 1-bit in \fImask\fR indicates that the
-corresponding bit in \fItunnel-id\fR must match exactly, and a 0-bit
-wildcards that bit.
-.
-.IP \fBtun_src=\fIip\fR[\fB/\fInetmask\fR]
-.IQ \fBtun_dst=\fIip\fR[\fB/\fInetmask\fR]
-Matches tunnel IPv4 source (or destination) address \fIip\fR. Only packets
-that arrive over a tunnel will have nonzero tunnel addresses.
-The address may be specified as an IP address or host name
-(e.g. \fB192.168.1.1\fR or \fBwww.example.com\fR). The optional
-\fInetmask\fR allows restricting a match to a masked IPv4 address.
-The netmask may be specified as a dotted quad
-(e.g. \fB192.168.1.0/255.255.255.0\fR) or as a CIDR block
-(e.g. \fB192.168.1.0/24\fR).
-.
-.IP \fBtun_gbp_id=\fIvalue\fR[\fB/\fImask\fR]
-.IQ \fBtun_gbp_flags=\fIvalue\fR[\fB/\fImask\fR]
-Matches the group policy identifier and flags in the VXLAN header. Only
-packets that arrive over a VXLAN tunnel with the "gbp" extension
-enabled can have this field set. The fields may also be referred to by
-NXM_NX_TUN_GBP_ID[] (16 bits) and NXM_NX_TUN_GBP_FLAGS[] (8 bits) in
-the context of field manipulation actions. If these fields are set and
-the packet matched by the flow is encapsulated in a VXLAN-GBP tunnel,
-then the policy identifier and flags are transmitted to the destination
-VXLAN tunnel endpoint.
-.IP
-The \fBtun_gbp_flags\fR field has the following format:
-.IP
-.in +2
-\f(CR+-+-+-+-+-+-+-+-+\fR
-.br
-\f(CR|-|D|-|-|A|-|-|-|\fR
-.br
-\f(CR+-+-+-+-+-+-+-+-+\fR
-
-.B D :=
-Don't Learn bit. When set, this bit indicates that the egress
-tunnel endpoint MUST NOT learn the source address of the encapsulated
-frame.
-
-.B A :=
-Indicates that the group policy has already been applied to
-this packet. Policies MUST NOT be applied by devices when the A bit is
-set.
-.in -2
-.IP
-For more information, please see the corresponding IETF draft:
-https://tools.ietf.org/html/draft-smith-vxlan-group-policy
-.
-.IP "\fBreg\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
-Matches \fIvalue\fR either exactly or with optional \fImask\fR in
-register number \fIidx\fR. The valid range of \fIidx\fR depends on
-the switch. \fIvalue\fR and \fImask\fR are 32-bit integers, by
-default in decimal (use a \fB0x\fR prefix to specify hexadecimal).
-Arbitrary \fImask\fR values are allowed: a 1-bit in \fImask\fR
-indicates that the corresponding bit in \fIvalue\fR must match
-exactly, and a 0-bit wildcards that bit.
-.IP
-When a packet enters an OpenFlow switch, all of the registers are set
-to 0. Only explicit actions change register values.
-.
-.IP "\fBxreg\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
-Matches \fIvalue\fR either exactly or with optional \fImask\fR in
-64-bit ``extended register'' number \fIidx\fR. Each of the 64-bit
-extended registers overlays two of the 32-bit registers: \fBxreg0\fR
-overlays \fBreg0\fR and \fBreg1\fR, with \fBreg0\fR supplying the
-most-significant bits of \fBxreg0\fR and \fBreg1\fR the
-least-significant. \fBxreg1\fR similarly overlays \fBreg2\fR and
-\fBreg3\fR, and so on.
-.IP
-These fields were added in Open vSwitch 2.3 to conform with the
-OpenFlow 1.5 (draft) specification. OpenFlow 1.5 calls these fields
-just the ``packet registers,'' but Open vSwitch already had 32-bit
-registers by that name, which is why Open vSwitch refers to the
-standard registers as ``extended registers''.
-.
-.IP \fBpkt_mark=\fIvalue\fR[\fB/\fImask\fR]
-Matches packet metadata mark \fIvalue\fR either exactly or with optional
-\fImask\fR. The mark is associated data that may be passed into other
-system components in order to facilitate interaction between subsystems.
-On Linux this corresponds to the skb mark but the exact implementation is
-platform-dependent.
-.
-.IP \fBactset_output=\fIport\fR
-Matches the output port currently in the OpenFlow action set, where
-\fIport\fR may be an OpenFlow port number or keyword
-(e.g. \fBLOCAL\fR). If there is no output port in the OpenFlow action
-set, or if the output port will be ignored (e.g. because there is an
-output group in the OpenFlow action set), then the value will be
-\fBUNSET\fR.
-.IP
-This field was introduced in Open vSwitch 2.4 to conform with the
-OpenFlow 1.5 (draft) specification.
-.
-.IP \fBconj_id=\fIvalue\fR
-Matches the given 32-bit \fIvalue\fR against the conjunction ID. This
-is used only with the \fBconjunction\fR action (see below).
-.IP
-This field was introduced in Open vSwitch 2.4.
-.
-.PP
-Defining IPv6 flows (those with \fBdl_type\fR equal to 0x86dd) requires
-support for NXM. The following shorthand notations are available for
-IPv6-related flows:
-.
-.IP \fBipv6\fR
-Same as \fBdl_type=0x86dd\fR.
-.
-.IP \fBtcp6\fR
-Same as \fBdl_type=0x86dd,nw_proto=6\fR.
-.
-.IP \fBudp6\fR
-Same as \fBdl_type=0x86dd,nw_proto=17\fR.
-.
-.IP \fBsctp6\fR
-Same as \fBdl_type=0x86dd,nw_proto=132\fR.
-.
-.IP \fBicmp6\fR
-Same as \fBdl_type=0x86dd,nw_proto=58\fR.
-.
-.PP
-Finally, field assignments to \fBduration\fR, \fBn_packets\fR, or
-\fBn_bytes\fR are ignored to allow output from the \fBdump\-flows\fR
-command to be used as input for other commands that parse flows.
+.IP "\fBduration=\fR..."
+.IQ "\fBn_packet=\fR..."
+.IQ "\fBn_bytes=\fR..."
+\fBovs\-ofctl\fR ignores assignments to these ``fields'' to allow
+output from the \fBdump\-flows\fR command to be used as input for
+other commands that parse flows.
.
.PP
The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
.
.IP \fBoutput:\fIsrc\fB[\fIstart\fB..\fIend\fB]
Outputs the packet to the OpenFlow port number read from \fIsrc\fR,
-which must be an NXM field as described above. For example,
-\fBoutput:NXM_NX_REG0[16..31]\fR outputs to the OpenFlow port number
+which may be an NXM field name, as described above, or a match field name.
+\fBoutput:reg0[16..31]\fR outputs to the OpenFlow port number
written in the upper half of register 0. If the port number is the
packet's input port, the packet is not output.
.IP
of \fBoutput\fR uses an OpenFlow extension that is not supported by
standard OpenFlow switches.
.
+.IP \fBoutput(port=\fIport\fR\fB,max_len=\fInbytes\fR)
+Outputs the packet to the OpenFlow port number read from \fIport\fR,
+with maximum packet size set to \fInbytes\fR. \fIport\fR may be OpenFlow
+port number, \fBlocal\fR, or \fBin_port\fR. Patch port is not supported.
+Packets larger than \fInbytes\fR will be trimmed to \fInbytes\fR while
+packets smaller than \fInbytes\fR remains the original size.
+.
.IP \fBgroup:\fIgroup_id\fR
-Outputs the packet to the OpenFlow group \fIgroup_id\fR. Group tables
-are only supported in OpenFlow 1.1+. See Group Syntax for more details.
+Outputs the packet to the OpenFlow group \fIgroup_id\fR. OpenFlow 1.1
+introduced support for groups; Open vSwitch 2.6 and later also
+supports output to groups as an extension to OpenFlow 1.0. See
+\fBGroup Syntax\fR for more details.
.
.IP \fBnormal\fR
Subjects the packet to the device's normal L2/L3 processing. (This
Outputs the packet on the port from which it was received.
.
.IP \fBcontroller(\fIkey\fB=\fIvalue\fR...\fB)
-Sends the packet to the OpenFlow controller as a ``packet in''
+Sends the packet and its metadata to the OpenFlow controller as a ``packet in''
message. The supported key-value pairs are:
.RS
.IP "\fBmax_len=\fInbytes\fR"
controller connection will only have a nonzero connection ID if its
controller uses the \fBNXT_SET_CONTROLLER_ID\fR Nicira extension to
OpenFlow.
+.IP "\fBuserdata=\fIhh\fR...\fR"
+Supplies the bytes represented as hex digits \fIhh\fR as additional
+data to the controller in the packet-in message. Pairs of hex digits
+may be separated by periods for readability.
+.IP "\fBpause\fR"
+Causes the switch to freeze the packet's trip through Open vSwitch
+flow tables and serializes that state into the packet-in message as a
+``continuation,'' an additional property in the \fBNXT_PACKET_IN2\fR
+message. The controller can later send the continuation back to the
+switch in an \fBNXT_RESUME\fR message, which will restart the packet's
+traversal from the point where it was interrupted. This permits an
+OpenFlow controller to interpose on a packet midway through processing
+in Open vSwitch.
+.
.RE
.IP
-Any \fIreason\fR other than \fBaction\fR and any nonzero
-\fIcontroller-id\fR uses a Nicira vendor extension that, as of this
-writing, is only known to be implemented by Open vSwitch (version 1.6
-or later).
+If any \fIreason\fR other than \fBaction\fR or any nonzero
+\fIcontroller-id\fR is supplied, Open vSwitch extension
+\fBNXAST_CONTROLLER\fR, supported by Open vSwitch 1.6 and later, is
+used. If \fBuserdata\fR is supplied, then \fBNXAST_CONTROLLER2\fR,
+supported by Open vSwitch 2.6 and later, is used.
.
.IP \fBcontroller\fR
.IQ \fBcontroller\fR[\fB:\fInbytes\fR]
Strips the VLAN tag from a packet if it is present.
.
.IP \fBpush_vlan\fR:\fIethertype\fR
-Push a new VLAN tag onto the packet. Ethertype is used as the the Ethertype
+Push a new VLAN tag onto the packet. Ethertype is used as the Ethertype
for the tag. Only ethertype 0x8100 should be used. (0x88a8 which the spec
allows isn't supported at the moment.)
A priority of zero and the tag of zero are used for the new tag.
.
.IP \fBresubmit\fB:\fIport\fR
.IQ \fBresubmit\fB(\fR[\fIport\fR]\fB,\fR[\fItable\fR]\fB)
-Re-searches this OpenFlow flow table (or the table whose number is
-specified by \fItable\fR) with the \fBin_port\fR field replaced by
-\fIport\fR (if \fIport\fR is specified) and executes the actions
-found, if any, in addition to any other actions in this flow entry.
+.IQ \fBresubmit\fB(\fR[\fIport\fR]\fB,\fR[\fItable\fR]\fB,ct)
+Re-searches this OpenFlow flow table (or table \fItable\fR, if
+specified) with the \fBin_port\fR field replaced by
+\fIport\fR (if \fIport\fR is specified) and the packet 5-tuple fields
+swapped with the corresponding conntrack original direction tuple
+fields (if \fBct\fR is specified, see \fBct_nw_src\fR above), and
+executes the actions found, if any, in addition to any other actions
+in this flow entry. The \fBin_port\fR and swapped 5-tuple fields are
+restored immediately after the search, before any actions are
+executed.
+.IP
+The \fItable\fR may be expressed as a number between 0 and 254 or
+(unless \fB\-\-no\-names\fR is specified) a name.
+.IP
+The \fBct\fR option requires a valid connection tracking state as a
+match prerequisite in the flow where this action is placed. Examples
+of valid connection tracking state matches include
+\fBct_state=+new\fR, \fBct_state=+est\fR, \fBct_state=+rel\fR, and
+\fBct_state=+trk-inv\fR.
+.IP
+Recursive \fBresubmit\fR actions are obeyed up to
+implementation-defined limits:
+.RS
+.IP \(bu
+Open vSwitch 1.0.1 and earlier did not support recursion.
+.IP \(bu
+Open vSwitch 1.0.2 and 1.0.3 limited recursion to 8 levels.
+.IP \(bu
+Open vSwitch 1.1 and 1.2 limited recursion to 16 levels.
+.IP \(bu
+Open vSwitch 1.2 through 1.8 limited recursion to 32 levels.
+.IP \(bu
+Open vSwitch 1.9 through 2.0 limited recursion to 64 levels.
+.IP \(bu
+Open vSwitch 2.1 through 2.5 limited recursion to 64 levels and impose
+a total limit of 4,096 resubmits per flow translation (earlier versions
+did not impose any total limit).
+.IP \(bu
+Open vSwitch 2.6 and later imposes the same limits as 2.5, with one
+exception: \fBresubmit\fR from table \fIx\fR to any table \fIy\fR >
+\fIx\fR does not count against the recursion limit.
+.RE
.IP
-Recursive \fBresubmit\fR actions are obeyed up to an
-implementation-defined maximum depth. Open vSwitch 1.0.1 and earlier
-did not support recursion; Open vSwitch before 1.2.90 did not support
-\fItable\fR.
+Open vSwitch before 1.2.90 did not support \fItable\fR. Open vSwitch
+before 2.7 did not support \fBct\fR.
.
.IP \fBset_tunnel\fB:\fIid\fR
.IQ \fBset_tunnel64\fB:\fIid\fR
Restores the queue to the value it was before any \fBset_queue\fR
actions were applied.
.
+.IP \fBct\fR
+.IQ \fBct(\fR[\fIargument\fR][\fB,\fIargument\fR...]\fB)
+Send the packet through the connection tracker. Refer to the \fBct_state\fR
+documentation above for possible packet and connection states. A \fBct\fR
+action always sets the packet to an untracked state and clears out the
+\fBct_state\fR fields for the current processing path. Those fields are
+only available for the processing path pointed to by the \fBtable\fR
+argument. The following arguments are supported:
+.RS
+.IP \fBcommit\fR
+.RS
+Commit the connection to the connection tracking module. Information about the
+connection will be stored beyond the lifetime of the packet in the pipeline.
+Some \fBct_state\fR flags are only available for committed connections.
+.RE
+.IP \fBforce\fR
+.RS
+A committed connection always has the directionality of the packet
+that caused the connection to be committed in the first place. This
+is the ``original direction'' of the connection, and the opposite
+direction is the ``reply direction''. If a connection is already
+committed, but it is in the wrong direction, \fBforce\fR flag may be
+used in addition to \fBcommit\fR flag to effectively terminate the
+existing connection and start a new one in the current direction.
+This flag has no effect if the original direction of the connection is
+already the same as that of the current packet.
+.RE
+.IP \fBtable=\fItable\fR
+Fork pipeline processing in two. The original instance of the packet will
+continue processing the current actions list as an untracked packet. An
+additional instance of the packet will be sent to the connection tracker, which
+will be re-injected into the OpenFlow pipeline to resume processing in table
+\fInumber\fR (which may be specified as a number between 0 and 254 or,
+unless \fB\-\-no\-names\fR is specified, a name), with the
+\fBct_state\fR and other ct match fields set. If
+\fBtable\fR is not specified, then the packet which is submitted to the
+connection tracker is not re-injected into the OpenFlow pipeline. It is
+strongly recommended to specify a table later than the current table to prevent
+loops.
+.IP \fBzone=\fIvalue\fR
+.IQ \fBzone=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
+A 16-bit context id that can be used to isolate connections into separate
+domains, allowing overlapping network addresses in different zones. If a zone
+is not provided, then the default is to use zone zero. The \fBzone\fR may be
+specified either as an immediate 16-bit \fIvalue\fR, or may be provided from an
+NXM field \fIsrc\fR. The \fIstart\fR and \fIend\fR pair are inclusive, and must
+specify a 16-bit range within the field. This value is copied to the
+\fBct_zone\fR match field for packets which are re-injected into the pipeline
+using the \fBtable\fR option.
+.IP \fBexec\fB(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR
+Perform actions within the context of connection tracking. This is a restricted
+set of actions which are in the same format as their specifications as part
+of a flow. Only actions which modify the \fBct_mark\fR or \fBct_label\fR
+fields are accepted within the \fBexec\fR action, and these fields may only be
+modified with this option. For example:
+.
+.RS
+.IP \fBset_field:\fIvalue\fR[\fB/\fImask\fR]->ct_mark\fR
+Store a 32-bit metadata value with the connection. Subsequent lookups
+for packets in this connection will populate the \fBct_mark\fR flow
+field when the packet is sent to the connection tracker with the
+\fBtable\fR specified.
+.IP \fBset_field:\fIvalue\fR[\fB/\fImask\fR]->ct_label\fR
+Store a 128-bit metadata value with the connection. Subsequent
+lookups for packets in this connection will populate the
+\fBct_label\fR flow field when the packet is sent to the connection
+tracker with the \fBtable\fR specified.
+.RE
+.IP
+The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
+.
+.IP \fBalg=\fIalg\fR
+Specify application layer gateway \fIalg\fR to track specific connection
+types. If subsequent related connections are sent through the \fBct\fR
+action, then the \fBrel\fR flag in the \fBct_state\fR field will be set.
+Supported types include:
+.RS
+.IP \fBftp\fR
+Look for negotiation of FTP data connections. Specify this option for FTP
+control connections to detect related data connections and populate the
+\fBrel\fR flag for the data connections.
+.
+.IP \fBtftp\fR
+Look for negotiation of TFTP data connections. Specify this option for TFTP
+control connections to detect related data connections and populate the
+\fBrel\fR flag for the data connections.
+.RE
+.
+.IP
+The \fBcommit\fR parameter must be specified to use \fBalg=\fIalg\fR.
+.
+.IP
+When committing related connections, the \fBct_mark\fR for that connection is
+inherited from the current \fBct_mark\fR stored with the original connection
+(ie, the connection created by \fBct(alg=...)\fR).
+.
+.IP
+Note that with the Linux datapath, global sysctl options affect the usage of
+the \fBct\fR action. In particular, if \fBnet.netfilter.nf_conntrack_helper\fR
+is enabled then application layer gateway helpers may be executed even if the
+\fBalg\fR option is not specified. This is the default setting until Linux 4.7.
+For security reasons, the netfilter team recommends users to disable this
+option. See this blog post for further details:
+.
+http://www.netfilter.org/news.html#2012-04-03
+.
+.IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
+.
+Specify address and port translation for the connection being tracked.
+For new connections either \fBsrc\fR or \fBdst\fR argument must be
+provided to set up either source address/port translation (SNAT) or
+destination address/port translation (DNAT), respectively. Setting up
+address translation for a new connection takes effect only if the
+\fBcommit\fR flag is also provided for the enclosing \fBct\fR action.
+A bare \fBnat\fR action will only translate the packet being processed
+in the way the connection has been set up with an earlier \fBct\fR
+action. Also a \fBnat\fR action with \fBsrc\fR or \fBdst\fR, when
+applied to a packet belonging to an established (rather than new)
+connection, will behave the same as a bare \fBnat\fR.
+.IP
+\fBsrc\fR and \fBdst\fR options take the following arguments:
+.RS
+.IP \fIaddr1\fR[\fB-\fIaddr2\fR]
+The address range from which the translated address should be
+selected. If only one address is given, then that address will always
+be selected, otherwise the address selection can be informed by the
+optional \fBpersistent\fR flag as described below. Either IPv4 or
+IPv6 addresses can be provided, but both addresses must be of the same
+type, and the datapath behavior is undefined in case of providing IPv4
+address range for an IPv6 packet, or IPv6 address range for an IPv4
+packet. IPv6 addresses must be bracketed with '[' and ']' if a port
+range is also given.
+.RE
+.
+.RS
+.IP \fIport1\fR[\fB-\fIport2\fR]
+The port range from which the translated port should be selected. If
+only one port number is provided, then that should be selected. In
+case of a mapping conflict the datapath may choose any other
+non-conflicting port number instead, even when no port range is
+specified. The port number selection can be informed by the optional
+\fBrandom\fR and \fBhash\fR flags as described below.
+.RE
+.IP
+The optional flags are:
+.RS
+.IP \fBrandom\fR
+The selection of the port from the given range should be done using a
+fresh random number. This flag is mutually exclusive with \fBhash\fR.
+.RE
+.
+.RS
+.IP \fBhash\fR
+The selection of the port from the given range should be done using a
+datapath specific hash of the packet's IP addresses and the other,
+non-mapped port number. This flag is mutually exclusive with
+\fBrandom\fR.
+.RE
+.
+.RS
+.IP \fBpersistent\fR
+The selection of the IP address from the given range should be done so
+that the same mapping can be provided after the system restarts.
+.RE
+.IP
+If an \fBalg\fR is specified for the committing \fBct\fR action that
+also includes \fBnat\fR with a \fBsrc\fR or \fBdst\fR attribute,
+then the datapath tries to set up the helper to be NAT aware. This
+functionality is datapath specific and may not be supported by all
+datapaths.
+.IP
+\fBnat\fR was introduced in Open vSwitch 2.6. The first datapath that
+implements \fBct nat\fR support is the one that ships with Linux 4.6.
+.RE
+.IP
+The \fBct\fR action may be used as a primitive to construct stateful firewalls
+by selectively committing some traffic, then matching the \fBct_state\fR to
+allow established connections while denying new connections. The following
+flows provide an example of how to implement a simple firewall that allows new
+connections from port 1 to port 2, and only allows established connections to
+send traffic from port 2 to port 1:
+ \fBtable=0,priority=1,action=drop
+ table=0,priority=10,arp,action=normal
+ table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
+ table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
+ table=1,in_port=1,ip,ct_state=+trk+est,action=2
+ table=1,in_port=2,ip,ct_state=+trk+new,action=drop
+ table=1,in_port=2,ip,ct_state=+trk+est,action=1\fR
+.IP
+If \fBct\fR is executed on IP (or IPv6) fragments, then the message is
+implicitly reassembled before sending to the connection tracker and
+refragmented upon \fBoutput\fR, to the original maximum received fragment size.
+Reassembly occurs within the context of the \fBzone\fR, meaning that IP
+fragments in different zones are not assembled together. Pipeline processing
+for the initial fragments is halted; When the final fragment is received, the
+message is assembled and pipeline processing will continue for that flow.
+Because packet ordering is not guaranteed by IP protocols, it is not possible
+to determine which IP fragment will cause message reassembly (and therefore
+continue pipeline processing). As such, it is strongly recommended that
+multiple flows should not execute \fBct\fR to reassemble fragments from the
+same IP message.
+.IP
+Currently, connection tracking is only available on Linux kernels with the
+nf_conntrack module loaded. The \fBct\fR action was introduced in Open vSwitch
+2.5.
+.
+.IP \fBct_clear\fR
+Clears connection tracking state from the flow, zeroing
+\fBct_state\fR, \fBct_zone\fR, \fBct_mark\fR, and \fBct_label\fR.
+.IP
+This action was introduced in Open vSwitch 2.6.90.
+.
.IP \fBdec_ttl\fR
-.IQ \fBdec_ttl\fB[\fR(\fIid1,id2\fI)\fR]\fR
+.IQ \fBdec_ttl(\fIid1\fR[\fB,\fIid2\fR]...\fB)\fR
Decrement TTL of IPv4 packet or hop limit of IPv6 packet. If the
TTL or hop limit is initially zero or decrementing would make it so, no
decrement occurs, as packets reaching TTL zero must be rejected. Instead,
sent to each connected controller that has enabled receiving them,
if any. Processing the current set of actions then stops. However,
if the current set of actions was reached through ``resubmit'' then
-remaining actions in outer levels resume processing. This action
-also optionally supports the ability to specify a list of valid
-controller ids. Each of controllers in the list will receive the
-``packet_in'' message only if they have registered to receive the
+remaining actions in outer levels resume processing.
+.IP
+This action also optionally supports the ability to specify a list of
+valid controller ids. Each of the controllers in the list will receive
+the ``packet_in'' message only if they have registered to receive the
invalid ttl packets. If controller ids are not specified, the
``packet_in'' message will be sent only to the controllers having
controller id zero which have registered for the invalid ttl packets.
set of actions was reached through ``resubmit'' then remaining actions in
outer levels resume processing.
.
+.IP \fBdec_nsh_ttl\fR
+Decrement TTL of the outer NSH header of a packet. If the TTL
+is initially zero or decrementing would make it so, no decrement occurs.
+Instead, a ``packet-in'' message with reason code \fBOFPR_INVALID_TTL\fR
+is sent to the main controller (id zero), if it has enabled receiving them.
+Processing the current set of actions then stops. However, if the current
+set of actions was reached through ``resubmit'' then remaining actions in
+outer levels resume processing.
+.
.IP \fBnote:\fR[\fIhh\fR]...
Does nothing at all. Any number of bytes represented as hex digits
\fIhh\fR may be included. Pairs of hex digits may be separated by
.
.IP "\fBmove:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]\fR"
Copies the named bits from field \fIsrc\fR to field \fIdst\fR.
-\fIsrc\fR and \fIdst\fR must be NXM field names as defined in
-\fBnicira\-ext.h\fR, e.g. \fBNXM_OF_UDP_SRC\fR or \fBNXM_NX_REG0\fR.
-Each \fIstart\fR and \fIend\fR pair, which are inclusive, must specify
-the same number of bits and must fit within its respective field.
+\fIsrc\fR and \fIdst\fR may be NXM field names as defined in
+\fBnicira\-ext.h\fR, e.g. \fBNXM_OF_UDP_SRC\fR or \fBNXM_NX_REG0\fR,
+or a match field name, e.g. \fBreg0\fR. Each
+\fIstart\fR and \fIend\fR pair, which are inclusive, must specify the
+same number of bits and must fit within its respective field.
Shorthands for \fB[\fIstart\fB..\fIend\fB]\fR exist: use
\fB[\fIbit\fB]\fR to specify a single bit or \fB[]\fR to specify an
-entire field.
+entire field (in the latter case the brackets can also be left off).
.IP
Examples: \fBmove:NXM_NX_REG0[0..5]\->NXM_NX_REG1[26..31]\fR copies the
six bits numbered 0 through 5, inclusive, in register 0 into bits 26
through 31, inclusive;
-\fBmove:NXM_NX_REG0[0..15]\->NXM_OF_VLAN_TCI[]\fR copies the least
+\fBmove:reg0[0..15]\->vlan_tci\fR copies the least
significant 16 bits of register 0 into the VLAN TCI field.
.IP
In OpenFlow 1.0 through 1.4, \fBmove\fR ordinarily uses an Open
vSwitch extension to OpenFlow. In OpenFlow 1.5, \fBmove\fR uses the
-OpenFlow 1.5 (draft) standard \fBcopy_field\fR action. The ONF has
+OpenFlow 1.5 standard \fBcopy_field\fR action. The ONF has
also made \fBcopy_field\fR available as an extension to OpenFlow 1.3.
Open vSwitch 2.4 and later understands this extension and uses it if a
controller uses it, but for backward compatibility with older versions
field name. For example, \fBset_field:00:11:22:33:44:55->eth_src\fR
sets the Ethernet source address to 00:11:22:33:44:55. With
\fBload\fR, \fIvalue\fR must be an integer value (in decimal or
-prefixed by \fB0x\fR for hexadecimal) and \fIdst\fR is the NXM or OXM
-name for the field. For example,
-\fBload:0x001122334455->OXM_OF_ETH_DST[]\fR has the same effect as the
+prefixed by \fB0x\fR for hexadecimal) and \fIdst\fR can also be the
+NXM or OXM name for the field. For example,
+\fBload:0x001122334455->OXM_OF_ETH_SRC[]\fR has the same effect as the
prior \fBset_field\fR example.
.IP
The two forms exist for historical reasons. Open vSwitch 1.1
\fBOFPAT_SET_FIELD\fR.
.
.IP "\fBpush:\fIsrc\fB[\fIstart\fB..\fIend\fB]"
-Pushes \fIstart\fR to \fIend\fR bits inclusive, in fields
-on top of the stack.
-.IP
-Example: \fBpush:NXM_NX_REG2[0..5]\fR push the value stored in register
-2 bits 0 through 5, inclusive, on to the internal stack.
-.
-.IP "\fBpop:\fIdst\fB[\fIstart\fB..\fIend\fB]"
-Pops from the top of the stack, retrieves the \fIstart\fR to \fIend\fR bits
-inclusive, from the value popped and store them into the corresponding
-bits in \fIdst\fR.
-.
-.IP
-Example: \fBpop:NXM_NX_REG2[0..5]\fR pops the value from top of the stack.
-Set register 2 bits 0 through 5, inclusive, based on bits 0 through 5 from the
-value just popped.
-.
+.IQ "\fBpop:\fIdst\fB[\fIstart\fB..\fIend\fB]"
+These Open vSwitch extension actions act on bits \fIstart\fR to
+\fIend\fR, inclusive, in the named field, pushing or popping the bits
+on a general-purpose stack of fields or subfields. Controllers can
+use this stack for saving and restoring data or metadata around
+\fBresubmit\fR actions, for swapping or rearranging data and metadata,
+or for other purposes. Any data or metadata field, or part of one,
+may be pushed, and any modifiable field or subfield may be popped.
+.IP
+The number of bits pushed in a stack entry do not have to match the
+number of bits later popped from that entry. If more bits are popped
+from an entry than were pushed, then the entry is conceptually
+left-padded with 0-bits as needed. If fewer bits are popped than
+pushed, then bits are conceptually trimmed from the left side of the
+entry.
+.IP
+The stack's size is intended to have a large enough limit that
+``normal'' use will not pose problems. Stack overflow or underflow is
+an error that causes action execution to stop.
+.IP
+Example: \fBpush:NXM_NX_REG2[0..5]\fR or \fBpush:reg2[0..5]\fR push
+the value stored in register 2 bits 0 through 5, inclusive, on the
+internal stack, and \fBpop:NXM_NX_REG2[0..5]\fR or
+\fBpop:reg2[0..5]\fR pops the value from top of the stack and sets
+register 2 bits 0 through 5, inclusive, based on bits 0 through 5 from
+the value just popped.
.
.IP "\fBmultipath(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIn_links\fB, \fIarg\fB, \fIdst\fB[\fIstart\fB..\fIend\fB])\fR"
Hashes \fIfields\fR using \fIbasis\fR as a universal hash parameter,
\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as
described above.
.IP
-Currently, \fIfields\fR must be either \fBeth_src\fR or
-\fBsymmetric_l4\fR and \fIalgorithm\fR must be one of \fBmodulo_n\fR,
+\fIfields\fR must be one of the following:
+.RS
+.IP \fBeth_src\fR
+Hashes Ethernet source address only.
+.IP \fBsymmetric_l4\fR
+Hashes Ethernet source, destination, and type, VLAN ID, IPv4/IPv6
+source, destination, and protocol, and TCP or SCTP (but not UDP)
+ports. The hash is computed so that pairs of corresponding flows in
+each direction hash to the same value, in environments where L2 paths
+are the same in each direction. UDP ports are not included in the
+hash to support protocols such as VXLAN that use asymmetric ports in
+each direction.
+.IP \fBsymmetric_l3l4\fR
+Hashes IPv4/IPv6 source, destination, and protocol, and TCP or SCTP
+(but not UDP) ports. Like \fBsymmetric_l4\fR, this is a symmetric
+hash, but by excluding L2 headers it is more effective in environments
+with asymmetric L2 paths (e.g. paths involving VRRP IP addresses on a
+router). Not an effective hash function for protocols other than IPv4
+and IPv6, which hash to a constant zero.
+.IP \fBsymmetric_l3l4+udp\fR
+Like \fBsymmetric_l3l4+udp\fR, but UDP ports are included in the hash.
+This is a more effective hash when asymmetric UDP protocols such as
+VXLAN are not a consideration.
+.IP \fBnw_src\fR
+Hashes Network source address only.
+.IP \fBnw_dst\fR
+Hashes Network destination address only.
+.RE
+.IP
+\fIalgorithm\fR must be one of \fBmodulo_n\fR,
\fBhash_threshold\fR, \fBhrw\fR, and \fBiter_hash\fR. Only
the \fBiter_hash\fR algorithm uses \fIarg\fR.
.IP
\fIslave_type\fR is \fBofport\fR. Thus, each \fIs1\fR through \fIsN\fR should
be an OpenFlow port number. Outputs to the selected slave.
.IP
-Currently, \fIfields\fR must be either \fBeth_src\fR or \fBsymmetric_l4\fR and
-\fIalgorithm\fR must be one of \fBhrw\fR and \fBactive_backup\fR.
+Currently, \fIfields\fR must be either \fBeth_src\fR, \fBsymmetric_l4\fR, \fBsymmetric_l3l4\fR, \fBsymmetric_l3l4+udp\fR,
+\fBnw_src\fR, or \fBnw_dst\fR, and \fIalgorithm\fR must be one of \fBhrw\fR and \fBactive_backup\fR.
.IP
Example: \fBbundle(eth_src,0,hrw,ofport,slaves:4,8)\fR uses an Ethernet source
hash with basis 0, to select between OpenFlow ports 4 and 8 using the Highest
Example: \fBbundle_load(eth_src, 0, hrw, ofport, NXM_NX_REG0[],
slaves:4, 8)\fR uses an Ethernet source hash with basis 0, to select
between OpenFlow ports 4 and 8 using the Highest Random Weight
-algorithm, and writes the selection to \fBNXM_NX_REG0[]\fR.
+algorithm, and writes the selection to \fBNXM_NX_REG0[]\fR. Also the
+match field name can be used, for example, instead of 'NXM_NX_REG0'
+the name 'reg0' can be used. When the while field is indicated the
+empty brackets can also be left off.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
.
Adds a \fBfin_timeout\fR action with the specified arguments to the
new flow. This feature was added in Open vSwitch 1.5.90.
.
-.IP \fBtable=\fInumber\fR
+.IP \fBtable=\fItable\fR
The table in which the new flow should be inserted. Specify a decimal
-number between 0 and 254. The default, if \fBtable\fR is unspecified,
-is table 1.
+number between 0 and 254 or (unless \fB\-\-no\-names\fR is specified)
+a name. The default, if \fBtable\fR is unspecified, is table 1.
.
.IP \fBdelete_learned\fR
This flag enables deletion of the learned flows when the flow with the
.IP
This flag was added in Open vSwitch 2.4.
.
+.IP \fBlimit=\fInumber\fR
+If the number of flows in table \fBtable\fR with cookie id \fBcookie\fR exceeds
+\fInumber\fR, a new flow will not be learned by this action. By default
+there's no limit. limit=0 is a long-hand for no limit.
+.
+.IP
+This flag was added in Open vSwitch 2.8.
+.
+.IP \fBresult_dst=\fIfield\fB[\fIbit\fB]\fR
+If learning failed (because the number of flows exceeds \fBlimit\fR),
+the action sets \fIfield\fB[\fIbit\fB]\fR to 0, otherwise it will be set to 1.
+\fIfield\fB[\fIbit\fB]\fR must be a single bit.
+.
+.IP
+This flag was added in Open vSwitch 2.8.
+.
.IP \fIfield\fB=\fIvalue\fR
.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
The first form specifies that \fIfield\fR must match the literal
\fIvalue\fR, e.g. \fBdl_type=0x0800\fR. All of the fields and values
for \fBovs\-ofctl\fR flow syntax are available with their usual
-meanings.
+meanings. Shorthand notation matchers (e.g. \fBip\fR in place of
+\fBdl_type=0x0800\fR) are not currently implemented.
.IP
The second form specifies that \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
in the new flow must match \fIsrc\fB[\fIstart\fB..\fIend\fB]\fR taken
from the flow currently being processed.
+For example, \fINXM_OF_UDP_DST\fB[]\fR=\fINXM_OF_UDP_SRC\fB[]\fR on a
+TCP packet for which the UDP src port is \fB53\fR, creates a flow which
+matches \fINXM_OF_UDP_DST\fB[]\fR=\fB53\fR.
.IP
The third form is a shorthand for the second form. It specifies that
-\fIfield\fB[\fIstart\fB..\fIend\fB]\fR in the new flow must match
+\fIfield\fB[\fIstart\fB..\fIend\fB]\fR in the new flow must match the same
\fIfield\fB[\fIstart\fB..\fIend\fB]\fR taken from the flow currently
being processed.
+For example, \fINXM_OF_TCP_DST\fB[]\fR on a TCP packet
+for which the TCP dst port is \fB80\fR, creates a flow which
+matches \fINXM_OF_TCP_DST\fB[]\fR=\fB80\fR.
.
.IP \fBload:\fIvalue\fB\->\fIdst\fB[\fIstart\fB..\fIend\fB]
.IQ \fBload:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]
the OpenFlow port taken from \fIfield\fB[\fIstart\fB..\fIend\fB]\fR,
which must be an NXM field as described above.
.RE
-.IP
-For best performance, segregate learned flows into a table (using
-\fBtable=\fInumber\fR) that is not used for any other flows except
-possibly for a lowest-priority ``catch-all'' flow, that is, a flow
-with no match criteria. (This is why the default \fBtable\fR is 1, to
-keep the learned flows separate from the primary flow table 0.)
.RE
.
.RS
\fBpop_mpls\fR
.
.IP 2.
-\fBpush_mpls\fR
+\fBdecap\fR
.
.IP 3.
-\fBpush_vlan\fR
+\fBencap\fR
.
.IP 4.
+\fBpush_mpls\fR
+.
+.IP 5.
+\fBpush_vlan\fR
+.
+.IP 6.
\fBdec_ttl\fR
.IQ
\fBdec_mpls_ttl\fR
+.IQ
+\fBdec_nsh_ttl\fR
.
-.IP 5.
+.IP 7.
\fBload\fR
.IQ
\fBmove\fR
different parts of a field (or different fields), then both
modifications are applied.
.
-.IP 6.
+.IP 8.
\fBset_queue\fR
.
-.IP 7.
+.IP 9.
\fBgroup\fR
.IQ
\fBoutput\fR
.RE
.IP
Only the actions listed above may be written to the action set.
+\fBencap\fR, \fBdecap\fR and \fBdec_nsh_ttl\fR actions are nonstandard.
.
.IP \fBwrite_metadata\fB:\fIvalue\fR[/\fImask\fR]
Updates the metadata field for the flow. If \fImask\fR is omitted, the
for more details.
.
.IP \fBgoto_table\fR:\fItable\fR
-Indicates the next table in the process pipeline.
+Jumps to \fItable\Fr as the next table in the process pipeline. The
+\fItable\fR may be a number between 0 and 254 or (unless
+\fB\-\-no\-names\fR is specified) a name.
.
.IP "\fBfin_timeout(\fIargument\fR[\fB,\fIargument\fR]\fB)"
This action changes the idle timeout or hard timeout, or both, of this
.IP "\fBobs_point_id=\fIid\fR"
When sending samples to IPFIX collectors, the unsigned 32-bit integer
Observation Point ID sent in every IPFIX flow record. Defaults to 0.
+.IP "\fBsampling_port=\fIport\fR"
+Sample packets on \fIport\fR, which should be the ingress or egress
+port. This option, which was added in Open vSwitch 2.5.90, allows the
+IPFIX implementation to export egress tunnel information.
+.IP "\fBingress\fR"
+.IQ "\fBegress\fR"
+Specifies explicitly that the packet is being sampled on ingress to or
+egress from the switch. IPFIX reports sent by Open vSwitch before
+version 2.5.90 did not include a direction. From 2.5.90 until 2.6.90,
+IPFIX reports inferred a direction from \fBsampling_port\fR: if it was
+the packet's output port, then the direction was reported as egress,
+otherwise as ingress. Open vSwitch 2.6.90 introduced these options,
+which allow the inferred direction to be overridden. This is
+particularly useful when the ingress (or egress) port is not a tunnel.
.RE
.IP
-Refer to \fBovs\-vswitchd.conf.db\fR(8) for more details on
+Refer to \fBovs\-vswitchd.conf.db\fR(5) for more details on
configuring sample collector sets.
.IP
This action was added in Open vSwitch 1.10.90.
\fBclear_actions\fR before \fBexit\fR to discard them).
.
.IP "\fBconjunction(\fIid\fB, \fIk\fB/\fIn\fR\fB)\fR"
-An individual OpenFlow flow can match only a single value for each
-field. However, situations often arise where one wants to match one
-of a set of values within a field or fields. For matching a single
-field against a set, it is straightforward and efficient to add
-multiple flows to the flow table, one for each value in the set. For
-example, one might use the following flows to send packets with IP
-source address \fIa\fR, \fIb\fR, \fIc\fR, or \fId\fR to the OpenFlow
-controller:
-.RS +1in
-.br
-\fBip,ip_src=\fIa\fB actions=controller\fR
-.br
-\fBip,ip_src=\fIb\fB actions=controller\fR
-.br
-\fBip,ip_src=\fIc\fB actions=controller\fR
-.br
-\fBip,ip_src=\fId\fB actions=controller\fR
-.br
-.RE
+This action allows for sophisticated ``conjunctive match'' flows.
+Refer to \fBCONJUNCTIVE MATCH FIELDS\fR in \fBovs\-fields\fR(7) for details.
.IP
-Similarly, these flows send packets with IP destination address
-\fIe\fR, \fIf\fR, \fIg\fR, or \fIh\fR to the OpenFlow controller:
-.RS +1in
-.br
-\fBip,ip_dst=\fIe\fB actions=controller\fR
-.br
-\fBip,ip_dst=\fIf\fB actions=controller\fR
-.br
-\fBip,ip_dst=\fIg\fB actions=controller\fR
-.br
-\fBip,ip_dst=\fIh\fB actions=controller\fR
-.br
-.RE
+The \fBconjunction\fR action and \fBconj_id\fR field were introduced
+in Open vSwitch 2.4.
+.
+.IP "\fBclone(\fR[\fIaction\fR][\fB,\fIaction\fR...]\fB)\fR"
+Executes each nested \fIaction\fR, saving much of the packet and
+pipeline state beforehand and then restoring it afterward. The state
+that is saved and restored includes all flow data and metadata
+(including, for example, \fBct_state\fR), the stack accessed by
+\fBpush\fR and \fBpop\fR actions, and the OpenFlow action set.
.IP
-Installing all of the above flows in a single flow table yields a
-disjunctive effect: a packet is sent to the controller if \fBip_src\fR
-\[mo] {\fIa\fR,\fIb\fR,\fIc\fR,\fId\fR} or \fBip_dst\fR \[mo]
-{\fIe\fR,\fIf\fR,\fIg\fR,\fIh\fR} (or both). (Pedantically, if both
-of the above sets of flows are present in the flow table, they should
-have different priorities, because OpenFlow says that the results are
-undefined when two flows with same priority can both match a single
-packet.)
-.IP
-Suppose, on the other hand, one wishes to match conjunctively, that
-is, to send a packet to the controller only if both \fBip_src\fR \[mo]
-{\fIa\fR,\fIb\fR,\fIc\fR,\fId\fR} and \fBip_dst\fR \[mo]
-{\fIe\fR,\fIf\fR,\fIg\fR,\fIh\fR}. This requires 4 \[mu] 4 = 16
-flows, one for each possible pairing of \fBip_src\fR and \fBip_dst\fR.
-That is acceptable for our small example, but it does not gracefully
-extend to larger sets or greater numbers of dimensions.
-.IP
-The \fBconjunction\fR action is a solution for conjunctive matches
-that is built into Open vSwitch. A \fBconjunction\fR action ties
-groups of individual OpenFlow flows into higher-level ``conjunctive
-flows''. Each group corresponds to one dimension, and each flow
-within the group matches one possible value for the dimension. A
-packet that matches one flow from each group matches the conjunctive
-flow.
-.IP
-To implement a conjunctive flow with \fBconjunction\fR, assign the
-conjunctive flow a 32-bit \fIid\fR, which must be unique within an
-OpenFlow table. Assign each of the \fIn\fR \[>=] 2 dimensions a
-unique number from 1 to \fIn\fR; the ordering is unimportant. Add one
-flow to the OpenFlow flow table for each possible value of each
-dimension with \fBconjunction(\fIid, \fIk\fB/\fIn\fB)\fR as the flow's
-actions, where \fIk\fR is the number assigned to the flow's dimension.
-Together, these flows specify the conjunctive flow's match condition.
-When the conjunctive match condition is met, Open vSwitch looks up one
-more flow that specifies the conjunctive flow's actions and receives
-its statistics. This flow is found by setting \fBconj_id\fR to the
-specified \fIid\fR and then again searching the flow table.
-.IP
-The following flows provide an example. Whenever the IP source is one
-of the values in the flows that match on the IP source (dimension 1 of
-2), \fIand\fR the IP destination is one of the values in the flows
-that match on IP destination (dimension 2 of 2), Open vSwitch searches
-for a flow that matches \fBconj_id\fR against the conjunction ID
-(1234), finding the first flow listed below.
-.RS +1in
-.br
-.B "conj_id=1234 actions=controller"
-.br
-.B "ip,ip_src=10.0.0.1 actions=conjunction(1234, 1/2)"
-.br
-.B "ip,ip_src=10.0.0.4 actions=conjunction(1234, 1/2)"
-.br
-.B "ip,ip_src=10.0.0.6 actions=conjunction(1234, 1/2)"
-.br
-.B "ip,ip_src=10.0.0.7 actions=conjunction(1234, 1/2)"
-.br
-.B "ip,ip_dst=10.0.0.2 actions=conjunction(1234, 2/2)"
-.br
-.B "ip,ip_dst=10.0.0.5 actions=conjunction(1234, 2/2)"
-.br
-.B "ip,ip_dst=10.0.0.7 actions=conjunction(1234, 2/2)"
-.br
-.B "ip,ip_dst=10.0.0.8 actions=conjunction(1234, 2/2)"
+This action was added in Open vSwitch 2.6.90.
+.
+.IP "\fBencap(\fR\fIheader\fR[\fB(\fR\fIprop\fR\fB=\fR\fIvalue\fR,\fItlv\fR\fB(\fR\fIclass\fR,\fItype\fR,\fIvalue\fB)\fR,...\fB)\fR]\fB)\fR"
+Encapsulates the packet with a new packet header, e.g., ethernet
+or nsh.
+.
+.RS
+.IP "\fIheader\fR"
+Used to specify encapsulation header type.
+.
+.IP "\fIprop\fR\fB=\fR\fIvalue\fR"
+Used to specify the initial value for the property in the encapsulation header.
+.
+.IP "\fItlv\fR\fB(\fR\fIclass\fR,\fItype\fR,\fIvalue\fB)\fR"
+Used to specify the initial value for the TLV (Type Length Value)
+in the encapsulation header.
.RE
.IP
-Many subtleties exist:
+For example, \fBencap(ethernet)\fR will encapsulate the L3 packet with
+Ethernet header.
+.IP
+\fBencap(nsh(md_type=1))\fR will encapsulate the packet with nsh header
+and nsh metadata type 1.
+.IP
+\fBencap(nsh(md_type=2,tlv(0x1000,10,0x12345678)))\fR will encapsulate
+the packet with nsh header and nsh metadata type 2, and the nsh TLV with
+class 0x1000 and type 10 is set to 0x12345678.
+.IP
+\fIprop\fR\fB=\fR\fIvalue\fR is just used to set some
+necessary fields for encapsulation header initialization. Other fields
+in the encapsulation header must be set by \fBset_field\fR action. New
+encapsulation header implementation must add new match fields and
+corresponding \fBset\fR action in order that \fBset_field\fR action can
+change the fields in the encapsulation header on demand.
+.IP
+\fBencap(nsh(md_type=1)),\fR
+\fBset_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1\fR
+is an example to encapsulate nsh header and set nsh spi and c1.
+.IP
+This action was added in Open vSwitch 2.8.
+.
+.IP "\fBdecap(\fR[\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR]\fB)\fR"
+Decapsulates the outer packet header.
+.
.RS
-.IP \(bu
-In the example above, every flow in a single dimension has the same
-form, that is, dimension 1 matches on \fBip_src\fR, dimension 2 on
-\fBip_dst\fR, but this is not a requirement. Different flows within a
-dimension may match on different bits within a field (e.g. IP network
-prefixes of different lengths, or TCP/UDP port ranges as bitwise
-matches), or even on entirely different fields (e.g. to match packets
-for TCP source port 80 or TCP destination port 80).
-.IP \(bu
-The flows within a dimension can vary their matches across more than
-one field, e.g. to match only specific pairs of IP source and
-destination addresses or L4 port numbers.
-.IP \(bu
-A flow may have multiple \fBconjunction\fR actions, with different
-\fIid\fR values. This is useful for multiple conjunctive flows with
-overlapping sets. If one conjunctive flow matches packets with both
-\fBip_src\fR \[mo] {\fIa\fR,\fIb\fR} and \fBip_dst\fR \[mo]
-{\fId\fR,\fIe\fR} and a second conjunctive flow matches \fBip_src\fR
-\[mo] {\fIb\fR,\fIc\fR} and \fBip_dst\fR \[mo] {\fIf\fR,\fIg\fR}, for
-example, then the flow that matches \fBip_src=\fIb\fR would have two
-\fBconjunction\fR actions, one for each conjunctive flow. The order
-of \fBconjunction\fR actions within a list of actions is not
-significant.
-.IP \(bu
-A flow with \fBconjunction\fR actions may not have any other actions.
-(It would not be useful.)
-.IP \(bu
-All of the flows that constitute a conjunctive flow with a given
-\fIid\fR must have the same priority. (Flows with the same \fIid\fR
-but different priorities are currently treated as different
-conjunctive flows, that is, currently \fIid\fR values need only be
-unique within an OpenFlow table at a given priority. This behavior
-isn't guaranteed to stay the same in later releases, so please use
-\fIid\fR values unique within an OpenFlow table.)
-.IP \(bu
-Conjunctive flows must not overlap with each other, at a given
-priority, that is, any given packet must be able to match at most one
-conjunctive flow at a given priority. Overlapping conjunctive flows
-yield unpredictable results.
-.IP \(bu
-Following a conjunctive flow match, the search for the flow with
-\fBconj_id=\fIid\fR is done in the same general-purpose way as other flow
-table searches, so one can use flows with \fBconj_id=\fIid\fR to act
-differently depending on circumstances. (One exception is that the
-search for the \fBconj_id=\fIid\fR flow itself ignores conjunctive flows,
-to avoid recursion.) If the search with \fBconj_id=\fIid\fR fails, Open
-vSwitch acts as if the conjunctive flow had not matched at all, and
-continues searching the flow table for other matching flows.
-.IP \(bu
-OpenFlow prerequisite checking occurs for the flow with
-\fBconj_id=\fIid\fR in the same way as any other flow, e.g. in an
-OpenFlow 1.1+ context, putting a \fBmod_nw_src\fR action into the
-example above would require adding an \fBip\fR match, like this:
-.RS +1in
-.br
-.B "conj_id=1234,ip actions=mod_nw_src:1.2.3.4,controller"
-.br
-.RE
-.IP \(bu
-OpenFlow prerequisite checking also occurs for the individual flows
-that comprise a conjunctive match in the same way as any other flow.
-.IP \(bu
-The flows that constitute a conjunctive flow do not have useful
-statistics. They are never updated with byte or packet counts, and so
-on. (For such a flow, therefore, the idle and hard timeouts work much
-the same way.)
-.IP \(bu
-Conjunctive flows can be a useful building block for negation, that
-is, inequality matches like \fBtcp_src\fR \[!=] 80. To implement an
-inequality match, convert it to a pair of range matches, e.g. 0 \[<=]
-\fBtcp_src\ < 80 and 80 < \fBtcp_src\fR \[<=] 65535, then convert each
-of the range matches into a collection of bitwise matches as explained
-above in the description of \fBtcp_src\fR.
-.IP \(bu
-Sometimes there is a choice of which flows include a particular match.
-For example, suppose that we added an extra constraint to our example,
-to match on \fBip_src\fR \[mo] {\fIa\fR,\fIb\fR,\fIc\fR,\fId\fR} and
-\fBip_dst\fR \[mo] {\fIe\fR,\fIf\fR,\fIg\fR,\fIh\fR} and \fBtcp_dst\fR
-= \fIi\fR. One way to implement this is to add the new constraint to
-the \fBconj_id\fR flow, like this:
-.RS +1in
-.br
-\fBconj_id=1234,tcp,tcp_dst=\fIi\fB actions=mod_nw_src:1.2.3.4,controller\fR
-.br
+.IP "\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR"
+It is optional and used to specify the outer header type of the
+decapsulated packet. \fInamespace\fR is 0 for Ethernet packet,
+1 for L3 packet, \fItype\fR\ is L3 protocol type, e.g.,
+0x894f for nsh, 0x0 for Ethernet.
.RE
.IP
-\fIbut this is not recommended\fR because of the cost of the extra
-flow table lookup. Instead, add the constraint to the individual
-flows, either in one of the dimensions or (slightly better) all of
-them.
-.IP \(bu
-A conjunctive match must have \fIn\fR \[>=] 2 dimensions (otherwise a
-conjunctive match is not necessary). Open vSwitch enforces this.
-.IP \(bu
-Each dimension within a conjunctive match should ordinarily have more
-than one flow. Open vSwitch does not enforce this.
-.RE
+By default, \fBdecap()\fR will decapsulate the outer packet header
+according to the packet header type, if
+\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR
+is given, it will decapsulate the given packet header, it will fail
+if the actual outer packet header type is not of
+\fBpacket_type(ns=\fR\fInamespace\fR\fB,type=\fR\fItype\fR\fB)\fR.
.IP
-The \fBconjunction\fR action and \fBconj_id\fR field were introduced
-in Open vSwitch 2.4.
+This action was added in Open vSwitch 2.8.
.RE
.
.PP
of any different flow with the same priority in the same table. (This
check is expensive so it is best to avoid it.)
.
+.IP "\fBreset_counts\fR"
+When this flag is specified on a flow being added to a switch, and the
+switch already has a flow with an identical match, an OpenFlow 1.2 (or
+later) switch resets the flow's packet and byte counters to 0.
+Without the flag, the packet and byte counters are preserved.
+.IP
+OpenFlow 1.0 and 1.1 switches always reset counters in this situation,
+as if \fBreset_counts\fR were always specified.
+.IP
+Open vSwitch 1.10 added support for \fBreset_counts\fR.
+.
+.IP "\fBno_packet_counts\fR"
+.IQ "\fBno_byte_counts\fR"
+Adding these flags to a flow advises an OpenFlow 1.3 (or later) switch
+that the controller does not need packet or byte counters,
+respectively, for the flow. Some switch implementations might achieve
+higher performance or reduce resource consumption when these flags are
+used. These flags provide no benefit to the Open vSwitch software
+switch implementation.
+.IP
+OpenFlow 1.2 and earlier do not support these flags.
+.IP
+Open vSwitch 1.10 added support for \fBno_packet_counts\fR and
+\fBno_byte_counts\fR.
+.
.PP
The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR
-and \fBdel\-flows\fR commands support one additional optional field:
+and \fBdel\-flows\fR commands support these additional optional fields:
.
.TP
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR,
which must be an OpenFlow port number or name (e.g. \fBlocal\fR).
.
+.TP
+\fBout_group=\fIport\fR
+If set, a matching flow must include an \fBgroup\fR action naming
+\fIgroup\fR, which must be an OpenFlow group number. This field
+is supported in Open vSwitch 2.5 and later and requires OpenFlow 1.1
+or later.
+.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information
The integer number of seconds that have passed without any packets
passing through the flow.
.
+.SS "Packet\-Out Syntax"
+.PP
+\fBovs\-ofctl bundle\fR command accepts packet-outs to be specified in
+the bundle file. Each packet-out comprises of a series of
+\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
+space. (Embedding spaces into a packet-out description normally
+requires quoting to prevent the shell from breaking the description
+into multiple arguments.). Unless noted otherwise only the last
+instance of each field is honoured. This same syntax is also
+supported by the \fBovs\-ofctl packet-out\fR command.
+.PP
+.IP \fBin_port=\fIport\fR
+The port number to be considered the in_port when processing actions.
+This can be any valid OpenFlow port number, or any of the \fBLOCAL\fR,
+\fBCONTROLLER\fR, or \fBNONE\fR.
+.
+This field is required.
+
+.IP \fIpipeline_field\fR=\fIvalue\fR
+Optionally, user can specify a list of pipeline fields for a packet-out
+message. The supported pipeline fields includes \fBtunnel fields\fR and
+\fBregister fields\fR as defined in \fBovs\-fields\fR(7).
+
+.IP \fBpacket=\fIhex-string\fR
+The actual packet to send, expressed as a string of hexadecimal bytes.
+.
+This field is required.
+
+.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
+The syntax of actions are identical to the \fBactions=\fR field
+described in \fBFlow Syntax\fR above. Specifying \fBactions=\fR is
+optional, but omitting actions is interpreted as a drop, so the packet
+will not be sent anywhere from the switch.
+.
+\fBactions\fR must be specified at the end of each line, like for flow mods.
+.RE
+.
.SS "Group Syntax"
.PP
Some \fBovs\-ofctl\fR commands accept an argument that describes a group or
.IP \fBall\fR
Execute all buckets in the group.
.IP \fBselect\fR
-Execute one bucket in the group.
-The switch should select the bucket in such a way that should implement
-equal load sharing is achieved. The switch may optionally select the
-bucket based on bucket weights.
+Execute one bucket in the group, balancing across the buckets
+according to their weights. To select a bucket, for each live bucket,
+Open vSwitch hashes flow data with the bucket ID and multiplies by the
+bucket weight to obtain a ``score,'' and then selects the bucket with
+the highest score. Use \fBselection_method\fR to control the flow
+data used for selection.
.IP \fBindirect\fR
Executes the one bucket in the group.
.IP \fBff\fR
It is an error if there is no bucket persent group in whose \fBbucket_id\fR is
\fIid\fR.
+.IP \fBselection_method\fR=\fImethod\fR
+The selection method used to select a bucket for a select group.
+This is a string of 1 to 15 bytes in length known to lower layers.
+This field is optional for \fBadd\-group\fR, \fBadd\-groups\fR and
+\fBmod\-group\fR commands on groups of type \fBselect\fR. Prohibited
+otherwise. If no selection method is specified, Open vSwitch up to
+release 2.9 applies the \fBhash\fR method with default fields. From
+2.10 onwards Open vSwitch defaults to the \fBdp_hash\fR method with symmetric
+L3/L4 hash algorithm, unless the weighted group buckets cannot be mapped to
+a maximum of 64 dp_hash values with sufficient accuracy.
+In those rare cases Open vSwitch 2.10 and later fall back to the \fBhash\fR
+method with the default set of hash fields.
+.RS
+.IP \fBdp_hash\fR
+Use a datapath computed hash value. The hash algorithm varies accross
+different datapath implementations. \fBdp_hash\fR uses the upper 32
+bits of the \fBselection_method_param\fR as the datapath hash
+algorithm selector. The supported values are \fB0\fR (corresponding to
+hash computation over the IP 5-tuple) and \fB1\fR (corresponding to a
+\fIsymmetric\fR hash computation over the IP 5-tuple). Selecting specific
+fields with the \fBfields\fR option is not supported with \fBdp_hash\fR).
+The lower 32 bits are used as the hash basis.
+.IP
+Using \fBdp_hash\fR has the advantage that it does not require the
+generated datapath flows to exact match any additional packet header
+fields. For example, even if multiple TCP connections thus hashed to
+different select group buckets have different source port numbers,
+generally all of them would be handled with a small set of already
+established datapath flows, resulting in less latency for TCP SYN
+packets. The downside is that the shared datapath flows must match
+each packet twice, as the datapath hash value calculation happens only
+when needed, and a second match is required to match some bits of its
+value. This double-matching incurs a small additional latency cost
+for each packet, but this latency is orders of magnitude less than the
+latency of creating new datapath flows for new TCP connections.
+.IP \fBhash\fR
+Use a hash computed over the fields specified with the \fBfields\fR
+option, see below. If no hash fields are specified, \fBhash\fR defaults
+to a symmetric hash over the combination of MAC addresses, VLAN tags,
+Ether type, IP addresses and L4 port numbers. \fBhash\fR uses the
+\fBselection_method_param\fR as the hash basis.
+.IP
+Note that the hashed fields become exact matched by the datapath
+flows. For example, if the TCP source port is hashed, the created
+datapath flows will match the specific TCP source port value present
+in the packet received. Since each TCP connection generally has a
+different source port value, a separate datapath flow will be need to
+be inserted for each TCP connection thus hashed to a select group
+bucket.
+.RE
+.IP
+This option uses a Netronome OpenFlow extension which is only supported
+when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.
+
+.IP \fBselection_method_param\fR=\fIparam\fR
+64-bit integer parameter to the selection method selected by the
+\fBselection_method\fR field. The parameter's use is defined by the
+lower-layer that implements the \fBselection_method\fR. It is optional if
+the \fBselection_method\fR field is specified as a non-empty string.
+Prohibited otherwise. The default value is zero.
+.IP
+This option uses a Netronome OpenFlow extension which is only supported
+when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.
+
+.IP \fBfields\fR=\fIfield\fR
+.IQ \fBfields(\fIfield\fR[\fB=\fImask\fR]\fR...\fB)\fR
+The field parameters to selection method selected by the
+\fBselection_method\fR field. The syntax is described in \fBFlow
+Syntax\fR with the additional restrictions that if a value is provided
+it is treated as a wildcard mask and wildcard masks following a slash
+are prohibited. The pre-requisites of fields must be provided by any
+flows that output to the group. The use of the fields is defined by
+the lower-layer that implements the \fBselection_method\fR. They are
+optional if the \fBselection_method\fR field is specified as ``hash',
+prohibited otherwise. The default is no fields.
+.IP
+This option will use a Netronome OpenFlow extension which is only supported
+when using Open vSwitch 2.4 and later with OpenFlow 1.5 and later.
+
.IP \fBbucket\fR=\fIbucket_parameters\fR
The \fBadd-group\fR, \fBadd-groups\fR and \fBmod-group\fR commands
require at least one bucket field. Bucket fields must appear after
0xffffff00 are reserved.
.
This field was added in Open vSwitch 2.4 to conform with the OpenFlow
-1.5 (draft) specification. It is not supported when earlier versions
+1.5 specification. It is not supported when earlier versions
of OpenFlow are used. Open vSwitch will automatically allocate bucket
ids when they are not specified.
.IP \fBactions=\fR[\fIaction\fR][\fB,\fIaction\fR...]\fR
The syntax of actions are identical to the \fBactions=\fR field described in
-\fBFlow Syntax\fR above. Specyfing \fBactions=\fR is optional, any unknown
+\fBFlow Syntax\fR above. Specifying \fBactions=\fR is optional, any unknown
bucket parameter will be interpreted as an action.
.IP \fBweight=\fIvalue\fR
The relative weight of the bucket as an integer. This may be used by the switch
When this field is specified in \fBdel-meter\fR, \fBdump-meter\fR, or
\fBmeter-stats\fR, the keyword "all" may be used to designate all meters.
.
-This field is required, exept for \fBmeter-stats\fR, which dumps all stats
+This field is required, except for \fBmeter-stats\fR, which dumps all stats
when this field is not specified.
.IP \fBkbps\fR
.IP \fBrate=\fIvalue\fR
The relative rate limit for this band, in kilobits per second or packets per
second, depending on the meter flags defined above.
-.IP \fBburst_size=\fIport\fR
-The maximum burst allowed for the band. If unspecified, the switch is free to
-select some reasonable value depending on it's configuration.
+.IP \fBburst_size=\fIsize\fR
+The maximum burst allowed for the band. If \fBpktps\fR is specified,
+then \fIsize\fR is a packet count, otherwise it is in kilobits. If
+unspecified, the switch is free to select some reasonable value
+depending on its configuration.
.RE
.
.SH OPTIONS
\fB\-\-strict\fR
Uses strict matching when running flow modification commands.
.
+.IP "\fB\-\-names\fR"
+.IQ "\fB\-\-no\-names\fR"
+Every OpenFlow port has a name and a number, and every OpenFlow flow
+table has a number and sometimes a name. By default, \fBovs\-ofctl\fR
+commands accept both port and table names and numbers, and they
+display port and table names if \fBovs\-ofctl\fR is running on an
+interactive console, numbers otherwise. With \fB\-\-names\fR,
+\fBovs\-ofctl\fR commands both accept and display port and table
+names; with \fB\-\-no\-names\fR, commands neither accept nor display
+port and table names.
+.IP
+If a port or table name contains special characters or might be
+confused with a keyword within a flow, it may be enclosed in double
+quotes (escaped from the shell). If necessary, JSON-style escape
+sequences may be used inside quotes, as specified in RFC 7159. When
+it displays port and table names, \fBovs\-ofctl\fR quotes any name
+that does not start with a letter followed by letters or digits.
+.IP
+Open vSwitch added support for port names and these options. Open
+vSwitch 2.10 added support for table names. Earlier versions always
+behaved as if \fB\-\-no\-names\fR were specified.
+.IP
+Open vSwitch does not place its own limit on the length of port names,
+but OpenFlow 1.0 to 1.5 limit port names to 15 bytes and OpenFlow 1.6
+limits them to 63 bytes. Because \fRovs\-ofctl\fR uses OpenFlow to
+retrieve the mapping between port names and numbers, names longer than
+this limit will be truncated for both display and acceptance.
+Truncation can also cause long names that are different to appear to
+be the same; when a switch has two ports with the same (truncated)
+name, \fBovs\-ofctl\fR refuses to display or accept the name, using
+the number instead.
+.IP
+OpenFlow and Open vSwitch limit table names to 32 bytes.
+.
+.IP "\fB\-\-stats\fR"
+.IQ "\fB\-\-no\-stats\fR"
+The \fBdump\-flows\fR command by default, or with \fB\-\-stats\fR,
+includes flow duration, packet and byte counts, and idle and hard age
+in its output. With \fB\-\-no\-stats\fR, it omits all of these, as
+well as cookie values and table IDs if they are zero.
+.
+.IP "\fB\-\-read-only\fR"
+Do not execute read/write commands.
+.
+.IP "\fB\-\-bundle\fR"
+Execute flow mods as an OpenFlow 1.4 atomic bundle transaction.
+.RS
+.IP \(bu
+Within a bundle, all flow mods are processed in the order they appear
+and as a single atomic transaction, meaning that if one of them fails,
+the whole transaction fails and none of the changes are made to the
+\fIswitch\fR's flow table, and that each given datapath packet
+traversing the OpenFlow tables sees the flow tables either as before
+the transaction, or after all the flow mods in the bundle have been
+successfully applied.
+.IP \(bu
+The beginning and the end of the flow table modification commands in a
+bundle are delimited with OpenFlow 1.4 bundle control messages, which
+makes it possible to stream the included commands without explicit
+OpenFlow barriers, which are otherwise used after each flow table
+modification command. This may make large modifications execute
+faster as a bundle.
+.IP \(bu
+Bundles require OpenFlow 1.4 or higher. An explicit \fB-O
+OpenFlow14\fR option is not needed, but you may need to enable
+OpenFlow 1.4 support for OVS by setting the OVSDB \fIprotocols\fR
+column in the \fIbridge\fR table.
+.RE
+.
.so lib/ofp-version.man
.
.IP "\fB\-F \fIformat\fR[\fB,\fIformat\fR...]"
.IP "\fBOXM-OpenFlow12\fR"
.IQ "\fBOXM-OpenFlow13\fR"
.IQ "\fBOXM-OpenFlow14\fR"
+.IQ "\fBOXM-OpenFlow15\fR"
+.IQ "\fBOXM-OpenFlow16\fR"
These are the standard OXM (OpenFlow Extensible Match) flow format in
-OpenFlow 1.2, 1.3, and 1.4, respectively.
+OpenFlow 1.2 and later.
.RE
.
.IP
.
.IP "\fB\-P \fIformat\fR"
.IQ "\fB\-\-packet\-in\-format=\fIformat\fR"
-\fBovs\-ofctl\fR supports the following packet_in formats, in order of
+\fBovs\-ofctl\fR supports the following ``packet-in'' formats, in order of
increasing capability:
.RS
-.IP "\fBopenflow10\fR"
-This is the standard OpenFlow 1.0 packet in format. It should be supported by
-all OpenFlow switches.
-.
-.IP "\fBnxm\fR (Nicira Extended Match)"
-This packet_in format includes flow metadata encoded using the NXM format.
+.IP "\fBstandard\fR"
+This uses the \fBOFPT_PACKET_IN\fR message, the standard ``packet-in''
+message for any given OpenFlow version. Every OpenFlow switch that
+supports a given OpenFlow version supports this format.
+.
+.IP "\fBnxt_packet_in\fR"
+This uses the \fBNXT_PACKET_IN\fR message, which adds many of the
+capabilities of the OpenFlow 1.1 and later ``packet-in'' messages
+before those OpenFlow versions were available in Open vSwitch. Open
+vSwitch 1.1 and later support this format. Only Open vSwitch 2.6 and
+later, however, support it for OpenFlow 1.1 and later (but there is
+little reason to use it with those versions of OpenFlow).
+.
+.IP "\fBnxt_packet_in2\fR"
+This uses the \fBNXT_PACKET_IN2\fR message, which is extensible and
+should avoid the need to define new formats later. In particular,
+this format supports passing arbitrary user-provided data to a
+controller using the \fBuserdata\fB option on the \fBcontroller\fR
+action. Open vSwitch 2.6 and later support this format.
.
.RE
.IP
-Usually, \fBovs\-ofctl\fR prefers the \fBnxm\fR packet_in format, but will
-allow the switch to choose its default if \fBnxm\fR is unsupported. When
-\fIformat\fR is one of the formats listed in the above table, \fBovs\-ofctl\fR
-will insist on the selected format. If the switch does not support the
-requested format, \fBovs\-ofctl\fR will report a fatal error. This option only
-affects the \fBmonitor\fR command.
+Without this option, \fBovs\-ofctl\fR prefers \fBnxt_packet_in2\fR if
+the switch supports it. Otherwise, if OpenFlow 1.0 is in use,
+\fBovs\-ofctl\fR prefers \fBnxt_packet_in\fR if the switch supports
+it. Otherwise, \fBovs\-ofctl\fR falls back to the \fBstandard\fR
+packet-in format. When this option is specified, \fBovs\-ofctl\fR
+insists on the selected format. If the switch does not support the
+requested format, \fBovs\-ofctl\fR will report a fatal error.
+.IP
+Before version 2.6, Open vSwitch called \fBstandard\fR format
+\fBopenflow10\fR and \fBnxt_packet_in\fR format \fBnxm\fR, and
+\fBovs\-ofctl\fR still accepts these names as synonyms. (The name
+\fBopenflow10\fR was a misnomer because this format actually varies
+from one OpenFlow version to another; it is not consistently OpenFlow
+1.0 format. Similarly, when \fBnxt_packet_in2\fR was introduced, the
+name \fBnxm\fR became confusing because it also uses OXM/NXM.)
+.
+.IP
+This option affects only the \fBmonitor\fR command.
.
.IP "\fB\-\-timestamp\fR"
Print a timestamp before each received packet. This option only
.IP
These options currently affect only \fBdump\-flows\fR output.
.
+.SS "Daemon Options"
.ds DD \
\fBovs\-ofctl\fR detaches only when executing the \fBmonitor\fR or \
\fBsnoop\fR commands.
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/vlog.man
+.so lib/colors.man
.so lib/common.man
.
.SH "RUNTIME MANAGEMENT COMMANDS"
express an OpenFlow message, on the OpenFlow connection. This command
is useful only when executing the \fBmonitor\fR command.
.
+.IP "\fBofctl/packet\-out \fIpacket-out\fR"
+Sends an OpenFlow PACKET_OUT message specified in \fBPacket\-Out
+Syntax\fR, on the OpenFlow connection. See \fBPacket\-Out Syntax\fR
+section for more information. This command is useful only when
+executing the \fBmonitor\fR command.
+.
.IP "\fBofctl/barrier\fR"
Sends an OpenFlow barrier request on the OpenFlow connection and waits
for a reply. This command is useful only for the \fBmonitor\fR
\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
+.TP
+\fBovs\-ofctl add\-flow table=0 actions=learn(table=1,hard_timeout=10, NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[]), resubmit(,1)\fR
+\fBovs\-ofctl add\-flow table=1 priority=0 actions=flood\fR
+Implements a level 2 MAC learning switch using the learn.
+.
+.TP
+\fBovs\-ofctl add\-flow br0 'table=0,priority=0 actions=load:3->NXM_NX_REG0[0..15],learn(table=0,priority=1,idle_timeout=10,NXM_OF_ETH_SRC[],NXM_OF_VLAN_TCI[0..11],output:NXM_NX_REG0[0..15]),output:2\fR
+In this use of a learn action, the first packet from each source MAC
+will be sent to port 2. Subsequent packets will be output to port 3,
+with an idle timeout of 10 seconds. NXM field names and match field
+names are both accepted, e.g. \fBNXM_NX_REG0\fR or \fBreg0\fR for the
+first register, and empty brackets may be omitted.
+.IP
+Additional examples may be found documented as part of related sections.
+.
.SH "SEE ALSO"
.
+.BR ovs\-fields (7),
.BR ovs\-appctl (8),
-.BR ovs\-vswitchd (8)
+.BR ovs\-vswitchd (8),
.BR ovs\-vswitchd.conf.db (8)
projects / ovs.git / blobdiff