# uncomment them. Afterward, the secure channel will come up
# automatically at boot time. It can be started immediately with
# /etc/init.d/openflow-switch start
-# Alternatively, use the ofp-switch-setup program to do everything
-# automatically.
+# Alternatively, use the ofp-switch-setup program (from the
+# openflow-switch-config package) to do everything automatically.
# NETDEVS: Which network devices should the OpenFlow switch include?
#
# configured statically or dynamically:
#
# * For static configuration, specify the switch's IP address as a
-# string.
+# string. In this case you may also set SWITCH_NETMASK and
+# SWITCH_GATEWAY appropriately.
#
# * For dynamic configuration with DHCP (the most common case),
# specify "dhcp". Configuration with DHCP will only work reliably
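Review bot: the sentence added under static configuration ("you may also set SWITCH_NETMASK and SWITCH_GATEWAY appropriately") does not say what the switch uses when a static SWITCH_IP is given and the two variables are left unset. Please state the fallback netmask and gateway, or say that none is configured, and add that both variables are ignored when SWITCH_IP is "dhcp", since that is the shipped value.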
#
# This setting has no effect unless MODE is set to 'in-band'.
SWITCH_IP=dhcp
+#SWITCH_NETMASK=255.255.255.0
+#SWITCH_GATEWAY=192.168.1.1
# CONTROLLER: Location of controller.
# One of the following formats:
-# tcp:HOST[:PORT] via TCP to PORT (default: 975) on HOST
-# ssl:HOST[:PORT] via SSL to PORT (default: 976) on HOST
+# tcp:HOST[:PORT] via TCP to PORT (default: 6633) on HOST
+# ssl:HOST[:PORT] via SSL to PORT (default: 6633) on HOST
# The default below assumes that the controller is running locally.
# This setting has no effect when MODE is set to 'discovery'.
#CONTROLLER="tcp:127.0.0.1"
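Review bot: changing the documented defaults on the `tcp:HOST[:PORT]` and `ssl:HOST[:PORT]` lines from 975/976 to 6633 means an existing CONTROLLER value that omits PORT will connect to a different port after the upgrade, and nothing in this file tells the administrator. Suggest a line in the comment or the package changelog naming the old defaults. Because tcp and ssl now share one default port, it is also worth a sentence that the port number no longer distinguishes a plaintext controller connection from an SSL one, so firewall rules keyed on 976 need review.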
# Required if SSL enabled.
#CACERT=/etc/openflow-switch/cacert.pem
+# CACERT_MODE: Two modes are available:
+#
+# * secure: The controller CA certificate named in CACERT above must exist.
+# (You must copy it manually from the PKI server or another trusted source.)
+#
+# * bootstrap: If the controller CA certificate named in CACERT above does
+# not exist, the switch will obtain it from the controller the first time
+# it connects and save a copy to the file named in CACERT. This is insecure,
+# in the same way that initial connections with ssh are insecure, but
+# it is convenient.
+#
+# Set CACERT_MODE to 'secure' or 'bootstrap' for these respective cases.
+#CACERT_MODE=secure
+
# MGMT_VCONNS: List of vconns (space-separated) on which secchan
# should listen for management connections from dpctl, etc.
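Review bot: the CACERT_MODE comment does not say which mode applies when the variable is left commented out, which is how it ships (`#CACERT_MODE=secure`). Please state the default explicitly, and say what the switch does in secure mode when the file named in CACERT is missing. For bootstrap mode, the text already compares the first connection to an initial ssh connection; it should also tell the administrator to compare the certificate saved to CACERT against a trusted copy afterwards, since every later connection trusts that file.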
# openflow-switchmon by default connects to
# use openflow-switchmon.
MGMT_VCONNS="punix:/var/run/secchan.socket"
+# COMMANDS: Access control list for the commands that can be executed
+# remotely over the OpenFlow protocol, as a comma-separated list of
+# shell glob patterns. Negative patterns (beginning with !) act as a
+# blacklist. To be executable, a command name must match one positive
+# pattern and not match any negative patterns.
+#COMMANDS="reboot,update"
+
# DAEMON_OPTS: Additional options to pass to secchan, e.g. "--fail=open"
DAEMON_OPTS=""
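Review bot: the COMMANDS comment does not state which commands are executable when the variable is unset, which is the shipped state (`#COMMANDS="reboot,update"`). Document that case, and make it deny-all if it is not already. "must match one positive pattern" should read "at least one positive pattern", otherwise a name matching two positive patterns looks excluded. Since these commands arrive over the OpenFlow connection, the comment should also note that with a `tcp:` CONTROLLER they are accepted on a channel without SSL authentication, and recommend enabling COMMANDS only together with `ssl:`.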