information on its flow tables and ports.
.
.TP
-\fBstatus \fIswitch\fR [\fIkey\fR]
-Prints to the console a series of key-value pairs that report the
-status of \fIswitch\fR. If \fIkey\fR is specified, only the key-value
-pairs whose key names begin with \fIkey\fR are printed. If \fIkey\fR is
-omitted, all key-value pairs are printed.
-.
-.TP
\fBdump\-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.
OpenFlow assigned port number or device name, e.g. \fBeth0\fR.
.
.TP
+\fBdump\-ports\-desc \fIswitch\fR
+Prints to the console detailed information about network devices
+associated with \fIswitch\fR (version 1.7 or later). This is a subset
+of the information provided by the \fBshow\fR command.
+.
+.TP
\fBmod\-port \fIswitch\fR \fInetdev\fR \fIaction\fR
Modify characteristics of an interface monitored by \fIswitch\fR.
\fInetdev\fR can be referred to by its OpenFlow assigned port number or
following:
.
.RS
-.IP \fBup\fR
-Enables the interface. This is equivalent to ``ifconfig up'' on a Unix
-system.
-.
-.IP \fBdown\fR
-Disables the interface. This is equivalent to ``ifconfig down'' on a Unix
-system.
+.IQ \fBup\fR
+.IQ \fBdown\fR
+Enable or disable the interface. This is equivalent to \fBifconfig
+up\fR or \fBifconfig down\fR on a Unix system.
+.
+.IP \fBstp\fR
+.IQ \fBno\-stp\fR
+Enable or disable 802.1D spanning tree protocol (STP) on the
+interface. OpenFlow implementations that don't support STP will
+refuse to enable it.
+.
+.IP \fBreceive\fR
+.IQ \fBno\-receive\fR
+.IQ \fBreceive\-stp\fR
+.IQ \fBno\-receive\-stp\fR
+Enable or disable OpenFlow processing of packets received on this
+interface. When packet processing is disabled, packets will be
+dropped instead of being processed through the OpenFlow table. The
+\fBreceive\fR or \fBno\-receive\fR setting applies to all packets
+except 802.1D spanning tree packets, which are separately controlled
+by \fBreceive\-stp\fR or \fBno\-receive\-stp\fR.
+.
+.IP \fBforward\fR
+.IQ \fBno\-forward\fR
+Allow or disallow forwarding of traffic to this interface. By
+default, forwarding is enabled.
.
.IP \fBflood\fR
-When a \fIflood\fR action is specified, traffic will be sent out this
-interface. This is the default posture for monitored ports.
+.IQ \fBno\-flood\fR
+Controls whether an OpenFlow \fBflood\fR action will send traffic out
+this interface. By default, flooding is enabled. Disabling flooding
+is primarily useful to prevent loops when a spanning tree protocol is
+not in use.
+.
+.IP \fBpacket\-in\fR
+.IQ \fBno\-packet\-in\fR
+Controls whether packets received on this interface that do not match
+a flow table entry generate a ``packet in'' message to the OpenFlow
+controller. By default, ``packet in'' messages are enabled.
+.RE
+.IP
+The \fBshow\fR command displays (among other information) the
+configuration that \fBmod\-port\fR changes.
.
-.IP \fBnoflood\fR
-When a \fIflood\fR action is specified, traffic will not be sent out
-this interface. This is primarily useful to prevent loops when a
-spanning tree protocol is not in use.
+.IP "\fBget\-frags \fIswitch\fR"
+Prints \fIswitch\fR's fragment handling mode. See \fBset\-frags\fR,
+below, for a description of each fragment handling mode.
+.IP
+The \fBshow\fR command also prints the fragment handling mode among
+its other output.
.
+.IP "\fBset\-frags \fIswitch frag_mode\fR"
+Configures \fIswitch\fR's treatment of IPv4 and IPv6 fragments. The
+choices for \fIfrag_mode\fR are:
+.RS
+.IP "\fBnormal\fR"
+Fragments pass through the flow table like non-fragmented packets.
+The TCP ports, UDP ports, and ICMP type and code fields are always set
+to 0, even for fragments where that information would otherwise be
+available (fragments with offset 0). This is the default fragment
+handling mode for an OpenFlow switch.
+.IP "\fBdrop\fR"
+Fragments are dropped without passing through the flow table.
+.IP "\fBreassemble\fR"
+The switch reassembles fragments into full IP packets before passing
+them through the flow table. Open vSwitch does not implement this
+fragment handling mode.
+.IP "\fBnx\-match\fR"
+Fragments pass through the flow table like non-fragmented packets.
+The TCP ports, UDP ports, and ICMP type and code fields are available
+for matching for fragments with offset 0, and set to 0 in fragments
+with nonzero offset. This mode is a Nicira extension.
.RE
+.IP
+See the description of \fBip_frag\fR, below, for a way to match on
+whether a packet is a fragment and on its fragment offset.
.
.TP
\fBdump\-flows \fIswitch \fR[\fIflows\fR]
\fIswitch\fR's tables that match \fIflows\fR. If \fIflows\fR is omitted,
the statistics are aggregated across all flows in the switch's flow
tables. See \fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
-The output format is descrbed in \fBTable Entry Output\fR.
+The output format is described in \fBTable Entry Output\fR.
.
.IP "\fBqueue\-stats \fIswitch \fR[\fIport \fR[\fIqueue\fR]]"
Prints to the console statistics for the specified \fIqueue\fR on
queues on \fIport\fR; if only \fIport\fR is omitted, then statistics
are printed for \fIqueue\fR on every port where it exists.
.
-.TP
-\fBadd\-flow \fIswitch flow\fR
-Add the flow entry as described by \fIflow\fR to the \fIswitch\fR's
-tables. The flow entry is in the format described in \fBFlow Syntax\fR,
-below.
+.SS "OpenFlow Switch Flow Table Commands"
+.
+These commands manage the flow table in an OpenFlow switch. In each
+case, \fIflow\fR specifies a flow entry in the format described in
+\fBFlow Syntax\fR, below, and \fIfile\fR is a text file that contains
+zero or more flows in the same syntax, one per line.
+.
+.IP "\fBadd\-flow \fIswitch flow\fR"
+.IQ "\fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
+.IQ "\fBadd\-flows \fIswitch file\fR"
+Add each flow entry to \fIswitch\fR's tables.
+.
+.IP "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
+.IQ "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
+Modify the actions in entries from \fIswitch\fR's tables that match
+the specified flows. With \fB\-\-strict\fR, wildcards are not treated
+as active for matching purposes.
+.
+.IP "\fBdel\-flows \fIswitch\fR"
+.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
+.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
+Deletes entries from \fIswitch\fR's flow table. With only a
+\fIswitch\fR argument, deletes all flows. Otherwise, deletes flow
+entries that match the specified flows. With \fB\-\-strict\fR,
+wildcards are not treated as active for matching purposes.
+.
+.IP "[\fB\-\-readd\fR] \fBreplace\-flows \fIswitch file\fR"
+Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
+\fB\-\fR) and queries the flow table from \fIswitch\fR. Then it fixes
+up any differences, adding flows from \fIflow\fR that are missing on
+\fIswitch\fR, deleting flows from \fIswitch\fR that are not in
+\fIfile\fR, and updating flows in \fIswitch\fR whose actions, cookie,
+or timeouts differ in \fIfile\fR.
.
-.TP
-\fBadd\-flows \fIswitch file\fR
-Add flow entries as described in \fIfile\fR to \fIswitch\fR's
-tables. Each line in \fIfile\fR is a flow entry in the format
-described in \fBFlow Syntax\fR, below.
+.IP
+With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from
+\fIfile\fR, even those that exist with the same actions, cookie, and
+timeout in \fIswitch\fR. This resets all the flow packet and byte
+counters to 0, which can be useful for debugging.
+.
+.IP "\fBdiff\-flows \fIsource1 source2\fR"
+Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
+differences. A flow that is in \fIsource1\fR but not in \fIsource2\fR
+is printed preceded by a \fB\-\fR, and a flow that is in \fIsource2\fR
+but not in \fIsource1\fR is printed preceded by a \fB+\fR. If a flow
+exists in both \fIsource1\fR and \fIsource2\fR with different actions,
+cookie, or timeouts, then both versions are printed preceded by
+\fB\-\fR and \fB+\fR, respectively.
+.IP
+\fIsource1\fR and \fIsource2\fR may each name a file or a switch. If
+a name begins with \fB/\fR or \fB.\fR, then it is considered to be a
+file name. A name that contains \fB:\fR is considered to be a switch.
+Otherwise, it is a file if a file by that name exists, a switch if
+not.
+.IP
+For this command, an exit status of 0 means that no differences were
+found, 1 means that an error occurred, and 2 means that some
+differences were found.
.
-.TP
-\fBmod\-flows \fIswitch flow\fR
-Modify the actions in entries from the \fIswitch\fR's tables
-that match \fIflow\fR. When invoked with the \fB\-\-strict\fR option,
-wildcards are not treated as active for matching purposes. See
-\fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
+.IP "\fBpacket\-out \fIswitch in_port actions packet\fR..."
+Connects to \fIswitch\fR and instructs it to execute the OpenFlow
+\fIactions\fR on each \fIpacket\fR. For the purpose of executing the
+actions, the packets are considered to have arrived on \fIin_port\fR,
+which may be an OpenFlow assigned port number, an OpenFlow port name
+(e.g. \fBeth0\fR), the keyword \fBlocal\fR for the OpenFlow ``local''
+port \fBOFPP_LOCAL\fR, or the keyword \fBnone\fR to indicate that the
+packet was generated by the switch itself.
.
-.TP
-\fBdel\-flows \fIswitch \fR[\fIflow\fR]
-Deletes entries from the \fIswitch\fR's tables that match
-\fIflow\fR. When invoked with the \fB\-\-strict\fR option, wildcards are
-not treated as active for matching purposes. If \fIflow\fR is
-omitted and the \fB\-\-strict\fR option is not used, all flows in the
-switch's tables are removed. See \fBFlow Syntax\fR, below, for the
-syntax of \fIflows\fR.
+.SS "OpenFlow Switch Monitoring Commands"
.
.IP "\fBsnoop \fIswitch\fR"
Connects to \fIswitch\fR and prints to the console all OpenFlow
the configured controller is disconnected, no traffic is sent, so
monitoring will not show any traffic.
.
-.IQ "\fBmonitor \fIswitch\fR [\fImiss-len\fR]"
+.IP "\fBmonitor \fIswitch\fR [\fImiss-len\fR] [\fIinvalid_ttl\fR]"
Connects to \fIswitch\fR and prints to the console all OpenFlow
-messages received. Usually, \fIswitch\fR should specify a connection
-named on \fBovs\-openflowd\fR(8)'s \fB\-l\fR or \fB\-\-listen\fR command line
-option.
+messages received. Usually, \fIswitch\fR should specify the name of a
+bridge in the \fBovs\-vswitchd\fR database.
.IP
If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
specified on this argument. (Thus, if \fImiss\-len\fR is not
specified, very little traffic will ordinarily be printed.)
.IP
+.IP
+If \fBinvalid_ttl\fR is passed, \fBovs\-ofctl\fR sends an OpenFlow ``set
+configuration'' message at connection setup time that requests
+\fIINVALID_TTL_TO_CONTROLLER\fR, so that \fBovs\-ofctl monitor\fR can
+receive ``packets-in'' messages when TTL reaches zero on \fBdec_ttl\fR action.
+.IP
+
This command may be useful for debugging switch or controller
implementations.
.
(\fB*\fR should be quoted to protect it from shell expansion.)
.
.IP \fBin_port=\fIport_no\fR
-Matches physical port \fIport_no\fR. Switch ports are numbered as
+Matches OpenFlow port \fIport_no\fR. Ports are numbered as
displayed by \fBovs\-ofctl show\fR.
+.IP
+(The \fBresubmit\fR action can search OpenFlow flow tables with
+arbitrary \fBin_port\fR values, so flows that match port numbers that
+do not exist from an OpenFlow perspective can still potentially be
+matched.)
.
.IP \fBdl_vlan=\fIvlan\fR
Matches IEEE 802.1q Virtual LAN tag \fIvlan\fR. Specify \fB0xffff\fR
pairs of hexadecimal digits delimited by colons
(e.g. \fB00:0A:E4:25:6B:B0\fR).
.
+.IP \fBdl_dst=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+Matches an Ethernet destination address specified as 6 pairs of
+hexadecimal digits delimited by colons (e.g. \fB00:0A:E4:25:6B:B0\fR),
+with a wildcard mask following the slash. Only
+the following masks are allowed:
+.RS
+.IP \fB01:00:00:00:00:00\fR
+Match only the multicast bit. Thus,
+\fBdl_dst=01:00:00:00:00:00/01:00:00:00:00:00\fR matches all multicast
+(including broadcast) Ethernet packets, and
+\fBdl_dst=00:00:00:00:00:00/01:00:00:00:00:00\fR matches all unicast
+Ethernet packets.
+.IP \fBfe:ff:ff:ff:ff:ff\fR
+Match all bits except the multicast bit. This is probably not useful.
+.IP \fBff:ff:ff:ff:ff:ff\fR
+Exact match (equivalent to omitting the mask).
+.IP \fB00:00:00:00:00:00\fR
+Wildcard all bits (equivalent to \fBdl_dst=*\fR.)
+.RE
+.
.IP \fBdl_type=\fIethertype\fR
Matches Ethernet protocol type \fIethertype\fR, which is specified as an
integer between 0 and 65535, inclusive, either in decimal or as a
specified as a decimal number between 0 and 255, inclusive. Note that
the two lower reserved bits are ignored for matching purposes.
.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800,
-0x0806, or 0x86dd, the value of \fBnw_tos\fR is ignored (see \fBFlow
-Syntax\fR above).
+When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
+0x86dd, the value of \fBnw_tos\fR is ignored (see \fBFlow Syntax\fR
+above).
+.
+.IP \fBnw_ecn=\fIecn\fR
+Matches \fIecn\fR bits in IP ToS or IPv6 traffic class fields, which is
+specified as a decimal number between 0 and 3, inclusive.
+.IP
+When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
+0x86dd, the value of \fBnw_ecn\fR is ignored (see \fBFlow Syntax\fR
+above).
+.
+.IP \fBnw_ttl=\fIttl\fR
+Matches IP TTL or IPv6 hop limit value \fIttl\fR, which is
+specified as a decimal number between 0 and 255, inclusive.
+.IP
+When \fBdl_type\fR is wildcarded or set to a value other than 0x0800 or
+0x86dd, the value of \fBnw_ttl\fR is ignored (see \fBFlow Syntax\fR
+above).
+.IP
.
.IP \fBtp_src=\fIport\fR
.IQ \fBtp_dst=\fIport\fR
When \fBdl_type\fR and \fBnw_proto\fR specify TCP or UDP, \fBtp_src\fR
and \fBtp_dst\fR match the UDP or TCP source or destination port
-\fIport\fR, respectively. which is specified as a decimal number
+\fIport\fR, respectively, which is specified as a decimal number
between 0 and 65535, inclusive (e.g. 80 to match packets originating
from a HTTP server).
.IP
When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
these settings are ignored (see \fBFlow Syntax\fR above).
.
+.IP \fBtp_src=\fIport\fB/\fImask\fR
+.IQ \fBtp_dst=\fIport\fB/\fImask\fR
+Bitwise match on TCP (or UDP) source or destination port,
+respectively. The \fIport\fR and \fImask\fR are 16-bit numbers
+written in decimal or in hexadecimal prefixed by \fB0x\fR. Each 1-bit
+in \fImask\fR requires that the corresponding bit in \fIport\fR must
+match. Each 0-bit in \fImask\fR causes the corresponding bit to be
+ignored.
+.IP
+Bitwise matches on transport ports are rarely useful in isolation, but
+a group of them can be used to reduce the number of flows required to
+match on a range of transport ports. For example, suppose that the
+goal is to match TCP source ports 1000 to 1999, inclusive. One way is
+to insert 1000 flows, each of which matches on a single source port.
+Another way is to look at the binary representations of 1000 and 1999,
+as follows:
+.br
+.B "01111101000"
+.br
+.B "11111001111"
+.br
+and then to transform those into a series of bitwise matches that
+accomplish the same results:
+.br
+.B "01111101xxx"
+.br
+.B "0111111xxxx"
+.br
+.B "10xxxxxxxxx"
+.br
+.B "110xxxxxxxx"
+.br
+.B "1110xxxxxxx"
+.br
+.B "11110xxxxxx"
+.br
+.B "1111100xxxx"
+.br
+which become the following when written in the syntax required by
+\fBovs\-ofctl\fR:
+.br
+.B "tcp,tp_src=0x03e8/0xfff8"
+.br
+.B "tcp,tp_src=0x03f0/0xfff0"
+.br
+.B "tcp,tp_src=0x0400/0xfe00"
+.br
+.B "tcp,tp_src=0x0600/0xff00"
+.br
+.B "tcp,tp_src=0x0700/0xff80"
+.br
+.B "tcp,tp_src=0x0780/0xffc0"
+.br
+.B "tcp,tp_src=0x07c0/0xfff0"
+.IP
+Only Open vSwitch 1.6 and later supports bitwise matching on transport
+ports.
+.IP
+Like the exact-match forms of \fBtp_src\fR and \fBtp_dst\fR described
+above, the bitwise match forms apply only when \fBdl_type\fR and
+\fBnw_proto\fR specify TCP or UDP.
+.
.IP \fBicmp_type=\fItype\fR
.IQ \fBicmp_code=\fIcode\fR
When \fBdl_type\fR and \fBnw_proto\fR specify ICMP or ICMPv6, \fItype\fR
When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
these settings are ignored (see \fBFlow Syntax\fR above).
.
+.IP \fBtable=\fInumber\fR
+If specified, limits the flow manipulation and flow dump commands to
+only apply to the table with the given \fInumber\fR between 0 and 254.
+.
+Behavior varies if \fBtable\fR is not specified (equivalent to
+specifying 255 as \fInumber\fR). For flow table
+modification commands without \fB\-\-strict\fR, the switch will choose
+the table for these commands to operate on. For flow table
+modification commands with \fB\-\-strict\fR, the command will operate
+on any single matching flow in any table; it will do nothing if there
+are matches in more than one table. The \fBdump-flows\fR and
+\fBdump-aggregate\fR commands will gather statistics about flows from
+all tables.
+.IP
+When this field is specified in \fBadd-flow\fR, \fBadd-flows\fR,
+\fBmod-flows\fR and \fBdel-flows\fR commands, it activates a Nicira
+extension to OpenFlow, which as of this writing is only known to be
+implemented by Open vSwitch.
+.
.PP
The following shorthand notations are also available:
.
extension. If the switch does not support NXM, then \fBovs\-ofctl\fR
will report a fatal error.
.
+.IP \fBvlan_tci=\fItci\fR[\fB/\fImask\fR]
+Matches modified VLAN TCI \fItci\fR. If \fImask\fR is omitted,
+\fItci\fR is the exact VLAN TCI to match; if \fImask\fR is specified,
+then a 1-bit in \fImask\fR indicates that the corresponding bit in
+\fItci\fR must match exactly, and a 0-bit wildcards that bit. Both
+\fItci\fR and \fImask\fR are 16-bit values that are decimal by
+default; use a \fB0x\fR prefix to specify them in hexadecimal.
+.
+.IP
+The value that \fBvlan_tci\fR matches against is 0 for a packet that
+has no 802.1Q header. Otherwise, it is the TCI value from the 802.1Q
+header with the CFI bit (with value \fB0x1000\fR) forced to 1.
+.IP
+Examples:
+.RS
+.IP \fBvlan_tci=0\fR
+Match only packets without an 802.1Q header.
+.IP \fBvlan_tci=0xf123\fR
+Match packets tagged with priority 7 in VLAN 0x123.
+.IP \fBvlan_tci=0x1123/0x1fff\fR
+Match packets tagged with VLAN 0x123 (and any priority).
+.IP \fBvlan_tci=0x5000/0xf000\fR
+Match packets tagged with priority 2 (in any VLAN).
+.IP \fBvlan_tci=0/0xfff\fR
+Match packets with no 802.1Q header or tagged with VLAN 0 (and any
+priority).
+.IP \fBvlan_tci=0x5000/0xe000\fR
+Match packets with no 802.1Q header or tagged with priority 2 (in any
+VLAN).
+.IP \fBvlan_tci=0/0xefff\fR
+Match packets with no 802.1Q header or tagged with VLAN 0 and priority
+0.
+.RE
+.IP
+Some of these matching possibilities can also be achieved with
+\fBdl_vlan\fR and \fBdl_vlan_pcp\fR.
+.
+.IP \fBip_frag=\fIfrag_type\fR
+When \fBdl_type\fR specifies IP or IPv6, \fIfrag_type\fR
+specifies what kind of IP fragments or non-fragments to match. The
+following values of \fIfrag_type\fR are supported:
+.RS
+.IP "\fBno\fR"
+Matches only non-fragmented packets.
+.IP "\fByes\fR"
+Matches all fragments.
+.IP "\fBfirst\fR"
+Matches only fragments with offset 0.
+.IP "\fBlater\fR"
+Matches only fragments with nonzero offset.
+.IP "\fBnot_later\fR"
+Matches non-fragmented packets and fragments with zero offset.
+.RE
+.IP
+The \fBip_frag\fR match type is likely to be most useful in
+\fBnx\-match\fR mode. See the description of the \fBset\-frags\fR
+command, above, for more details.
+.
.IP \fBarp_sha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
.IQ \fBarp_tha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
When \fBdl_type\fR specifies ARP, \fBarp_sha\fR and \fBarp_tha\fR match
restricting a match to an IPv6 address prefix. A netmask is specified
as a CIDR block (e.g. \fB2001:db8:3c4d:1::/64\fR).
.
+.IP \fBipv6_label=\fIlabel\fR
+When \fBdl_type\fR is 0x86dd (possibly via shorthand, e.g., \fBipv6\fR
+or \fBtcp6\fR), matches IPv6 flow label \fIlabel\fR.
+.
+.IP \fBnd_target=\fIipv6\fR[\fB/\fInetmask\fR]
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify
+IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address
+\fIipv6\fR. \fIipv6\fR is in the same format described earlier for the
+\fBipv6_src\fR and \fBipv6_dst\fR fields.
+.
+.IP \fBnd_sll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
+Neighbor Solicitation (ICMPv6 type 135), matches the source link\-layer
+address option. An address is specified as 6 pairs of hexadecimal
+digits delimited by colons.
+.
+.IP \fBnd_tll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
+Neighbor Advertisement (ICMPv6 type 136), matches the target link\-layer
+address option. An address is specified as 6 pairs of hexadecimal
+digits delimited by colons.
+.
.IP \fBtun_id=\fItunnel-id\fR[\fB/\fImask\fR]
Matches tunnel identifier \fItunnel-id\fR. Only packets that arrive
over a tunnel that carries a key (e.g. GRE with the RFC 2890 key
-extension) will have a nonzero tunnel ID. If \fImask\fR is omitted,
-\fItunnel-id\fR is the exact tunnel ID to match; if \fImask\fR is
-specified, then a 1-bit in \fImask\fR indicates that the corresponding
-bit in \fItunnel-id\fR must match exactly, and a 0-bit wildcards that
-bit.
-.IP
-In an attempt to be compatible with more switches, \fBovs\-ofctl\fR will
-prefer to use the ``tunnel ID from cookie'' Nicira extension to NXM.
-The use of this extension comes with three caveats: the top 32 bits of
-the \fBcookie\fR (see below) are used for \fItunnel-id\fR and thus
-unavailable for other use, specifying \fBtun_id\fR on \fBdump\-flows\fR
-or \fBdump\-aggregate\fR has no effect, and \fImask\fR is not supported.
-If any of these caveats apply, \fBovs-ofctl\fR will use NXM.
+extension and a nonzero key value) will have a nonzero tunnel ID.
+If \fImask\fR is omitted, \fItunnel-id\fR is the exact tunnel ID to match;
+if \fImask\fR is specified, then a 1-bit in \fImask\fR indicates that the
+corresponding bit in \fItunnel-id\fR must match exactly, and a 0-bit
+wildcards that bit.
.
.IP "\fBreg\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
Matches \fIvalue\fR either exactly or with optional \fImask\fR in
Same as \fBdl_type=0x86dd,nw_proto=58\fR.
.
.PP
-The \fBadd\-flow\fR and \fBadd\-flows\fR commands require an additional
-field, which must be the final field specified:
+Finally, field assignments to \fBduration\fR, \fBn_packets\fR, or
+\fBn_bytes\fR are ignored to allow output from the \fBdump\-flows\fR
+command to be used as input for other commands that parse flows.
+.
+.PP
+The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
+require an additional field, which must be the final field specified:
.
.IP \fBactions=\fR[\fItarget\fR][\fB,\fItarget\fR...]\fR
Specifies a comma-separated list of actions to take on a packet when the
.
.RS
.IP \fBoutput\fR:\fIport\fR
-Outputs the packet on the port specified by \fIport\fR.
+.IQ \fBoutput\fR:\fIsrc\fB[\fIstart\fB..\fIend\fB]
+Outputs the packet. If \fIport\fR is an OpenFlow port number, outputs directly
+to it. Otherwise, outputs to the OpenFlow port number read from \fIsrc\fR
+which must be an NXM field as described above. Outputting to an NXM field is
+an OpenFlow extension which is not supported by standard OpenFlow switches.
+.IP
+Example: \fBoutput:NXM_NX_REG0[16..31]\fR outputs to the OpenFlow port number
+written in the upper half of register 0.
.
.IP \fBenqueue\fR:\fIport\fB:\fIqueue\fR
Enqueues the packet on the specified \fIqueue\fR within port
Outputs the packet on all switch physical ports other than the port on
which it was received.
.
-.IP \fBcontroller\fR:\fImax_len\fR
+.IP \fBcontroller(\fIkey\fB=\fIvalue\fR...\fB)
Sends the packet to the OpenFlow controller as a ``packet in''
-message. If \fImax_len\fR is a number, then it specifies the maximum
-number of bytes that should be sent. If \fImax_len\fR is \fBALL\fR or
-omitted, then the entire packet is sent.
+message. The supported key-value pairs are:
+.RS
+.IP "\fBmax_len=\fInbytes\fR"
+Limit to \fInbytes\fR the number of bytes of the packet to send to
+the controller. By default the entire packet is sent.
+.IP "\fBreason=\fIreason\fR"
+Specify \fIreason\fR as the reason for sending the message in the
+``packet in'' message. The supported reasons are \fBaction\fR (the
+default), \fBno_match\fR, and \fBinvalid_ttl\fR.
+.IP "\fBid=\fIcontroller-id\fR"
+Specify \fIcontroller-id\fR, a 16-bit integer, as the connection ID of
+the OpenFlow controller or controllers to which the ``packet in''
+message should be sent. The default is zero. Zero is also the
+default connection ID for each controller connection, and a given
+controller connection will only have a nonzero connection ID if its
+controller uses the \fBNXT_SET_CONTROLLER_ID\fR Nicira extension to
+OpenFlow.
+.RE
+Any \fIreason\fR other than \fBaction\fR and any nonzero
+\fIcontroller-id\fR uses a Nicira vendor extension that, as of this
+writing, is only known to be implemented by Open vSwitch (version 1.6
+or later).
+.
+.IP \fBcontroller\fR
+.IQ \fBcontroller\fR[\fB:\fInbytes\fR]
+Shorthand for \fBcontroller()\fR or
+\fBcontroller(max_len=\fInbytes\fB)\fR, respectively.
.
.IP \fBlocal\fR
Outputs the packet on the ``local port,'' which corresponds to the
-\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
-\fBovs\-openflowd\fR(8) for information on the \fBof\fIn\fR network device).
+network device that has the same name as the bridge.
+.
+.IP \fBin_port\fR
+Outputs the packet on the port from which it was received.
.
.IP \fBdrop\fR
Discards the packet, so no further processing or forwarding takes place.
Sets the TCP or UDP destination port to \fIport\fR.
.
.IP \fBmod_nw_tos\fB:\fItos\fR
-Sets the IP ToS/DSCP field to \fItos\fR. Valid values are between 0 and
+Sets the IPv4 ToS/DSCP field to \fItos\fR. Valid values are between 0 and
255, inclusive. Note that the two lower reserved bits are never
modified.
.
.RS
.
.IP \fBresubmit\fB:\fIport\fR
-Re-searches the OpenFlow flow table with the \fBin_port\fR field
-replaced by \fIport\fR and executes the actions found, if any, in
-addition to any other actions in this flow entry. Recursive
-\fBresubmit\fR actions are ignored.
+.IQ \fBresubmit\fB(\fR[\fIport\fR]\fB,\fR[\fItable\fR]\fB)
+Re-searches this OpenFlow flow table (or the table whose number is
+specified by \fItable\fR) with the \fBin_port\fR field replaced by
+\fIport\fR (if \fIport\fR is specified) and executes the actions
+found, if any, in addition to any other actions in this flow entry.
+.IP
+Recursive \fBresubmit\fR actions are obeyed up to an
+implementation-defined maximum depth. Open vSwitch 1.0.1 and earlier
+did not support recursion; Open vSwitch before 1.2.90 did not support
+\fItable\fR.
.
.IP \fBset_tunnel\fB:\fIid\fR
.IQ \fBset_tunnel64\fB:\fIid\fR
If outputting to a port that encapsulates the packet in a tunnel and
-supports an identifier (such as GRE), sets the identifier to \fBid\fR.
+supports an identifier (such as GRE), sets the identifier to \fIid\fR.
If the \fBset_tunnel\fR form is used and \fIid\fR fits in 32 bits,
then this uses an action extension that is supported by Open vSwitch
1.0 and later. Otherwise, if \fIid\fR is a 64-bit value, it requires
Open vSwitch 1.1 or later.
.
-.IP \fBdrop_spoofed_arp\fR
-Stops processing further actions, if the packet being processed is an
-Ethernet+IPv4 ARP packet for which the source Ethernet address inside
-the ARP packet differs from the source Ethernet address in the
-Ethernet header.
-.IP
-This action is deprecated in favor of defining flows using the
-\fBarp_sha\fR match field described earlier and will likely be removed
-in a future version of Open vSwitch.
-.
.IP \fBset_queue\fB:\fIqueue\fR
Sets the queue that should be used to \fIqueue\fR when packets are
output. The number of supported queues depends on the switch; some
Restores the queue to the value it was before any \fBset_queue\fR
actions were applied.
.
+.IP \fBdec_ttl\fR
+Decrement TTL of IPv4 packet or hop limit of IPv6 packet. If the
+TTL or hop limit is initially zero, no decrement occurs. Instead,
+a ``packet-in'' message with reason code \fBOFPR_INVALID_TTL\fR is
+sent to each connected controller that has enabled receiving them,
+if any. Processing the current set of actions then stops.
+However, if the current set of actions was reached through
+``resubmit'' then remaining actions in outer levels resume
+processing.
+.
.IP \fBnote:\fR[\fIhh\fR]...
Does nothing at all. Any number of bytes represented as hex digits
\fIhh\fR may be included. Pairs of hex digits may be separated by
periods for readability.
+The \fBnote\fR action's format doesn't include an exact length for its
+payload, so the provided bytes will be padded on the right by enough
+bytes with value 0 to make the total number 6 more than a multiple of
+8.
.
-.IP "\fBmove:\fIsrc\fB[\fIstart\fB..\fIend\fB]->\fIdst\fB[\fIstart\fB..\fIend\fB]\fR"
+.IP "\fBmove:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]\fR"
Copies the named bits from field \fIsrc\fR to field \fIdst\fR.
\fIsrc\fR and \fIdst\fR must be NXM field names as defined in
\fBnicira\-ext.h\fR, e.g. \fBNXM_OF_UDP_SRC\fR or \fBNXM_NX_REG0\fR.
Examples: \fBmove:NXM_NX_REG0[0..5]\->NXM_NX_REG1[26..31]\fR copies the
six bits numbered 0 through 5, inclusive, in register 0 into bits 26
through 31, inclusive;
-\fBmove:NXM_NX_REG0[0..15]->NXM_OF_VLAN_TCI[]\fR copies the least
+\fBmove:NXM_NX_REG0[0..15]\->NXM_OF_VLAN_TCI[]\fR copies the least
significant 16 bits of register 0 into the VLAN TCI field.
.
.IP "\fBload:\fIvalue\fB\->\fIdst\fB[\fIstart\fB..\fIend\fB]"
Writes \fIvalue\fR to bits \fIstart\fR through \fIend\fR, inclusive,
-in field \fBdst\fR.
+in field \fIdst\fR.
.IP
Example: \fBload:55\->NXM_NX_REG2[0..5]\fR loads value 55 (bit pattern
\fB110111\fR) into bits 0 through 5, inclusive, in register 2.
then the applies multipath link selection \fIalgorithm\fR (with
parameter \fIarg\fR) to choose one of \fIn_links\fR output links
numbered 0 through \fIn_links\fR minus 1, and stores the link into
-\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM register as
+\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as
described above.
.IP
Currently, \fIfields\fR must be either \fBeth_src\fR or
the \fBiter_hash\fR algorithm uses \fIarg\fR.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
+.
+.IP "\fBautopath(\fIid\fB, \fIdst\fB[\fIstart\fB..\fIend\fB])\fR"
+Given \fIid\fR, chooses an OpenFlow port and populates it in
+\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as
+described above.
+.IP
+Currently, \fIid\fR should be the OpenFlow port number of an interface on the
+bridge. If it isn't then \fIdst\fB[\fIstart\fB..\fIend\fB]\fR will be
+populated with the OpenFlow port "none". If \fIid\fR is a member of a bond,
+the normal bond selection logic will be used to choose the destination port.
+Otherwise, the register will be populated with \fIid\fR itself.
+.IP
+Refer to \fBnicira\-ext.h\fR for more details.
+.
+.IP "\fBbundle(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIslave_type\fB, slaves:[\fIs1\fB, \fIs2\fB, ...])\fR"
+Hashes \fIfields\fR using \fIbasis\fR as a universal hash parameter, then
+applies the bundle link selection \fIalgorithm\fR to choose one of the listed
+slaves represented as \fIslave_type\fR. Currently the only supported
+\fIslave_type\fR is \fBofport\fR. Thus, each \fIs1\fR through \fIsN\fR should
+be an OpenFlow port number. Outputs to the selected slave.
+.IP
+Currently, \fIfields\fR must be either \fBeth_src\fR or \fBsymmetric_l4\fR and
+\fIalgorithm\fR must be one of \fBhrw\fR and \fBactive_backup\fR.
+.IP
+Example: \fBbundle(eth_src,0,hrw,ofport,slaves:4,8)\fR uses an Ethernet source
+hash with basis 0, to select between OpenFlow ports 4 and 8 using the Highest
+Random Weight algorithm.
+.IP
+Refer to \fBnicira\-ext.h\fR for more details.
+.
+.IP "\fBbundle_load(\fIfields\fB, \fIbasis\fB, \fIalgorithm\fB, \fIslave_type\fB, \fIdst\fB[\fIstart\fB..\fIend\fB], slaves:[\fIs1\fB, \fIs2\fB, ...])\fR"
+Has the same behavior as the \fBbundle\fR action, with one exception. Instead
+of outputting to the selected slave, it writes its selection to
+\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM field as described
+above.
+.IP
+Example: \fBbundle_load(eth_src, 0, hrw, ofport, NXM_NX_REG0[],
+slaves:4, 8)\fR uses an Ethernet source hash with basis 0, to select
+between OpenFlow ports 4 and 8 using the Highest Random Weight
+algorithm, and writes the selection to \fBNXM_NX_REG0[]\fR.
+.IP
+Refer to \fBnicira\-ext.h\fR for more details.
+.
+.IP "\fBlearn(\fIargument\fR[\fB,\fIargument\fR]...\fB)\fR"
+This action adds or modifies a flow in an OpenFlow table, similar to
+\fBovs\-ofctl \-\-strict mod\-flows\fR. The arguments specify the
+flow's match fields, actions, and other properties, as follows. At
+least one match criterion and one action argument should ordinarily be
+specified.
+.RS
+.IP \fBidle_timeout=\fIseconds\fR
+.IQ \fBhard_timeout=\fIseconds\fR
+.IQ \fBpriority=\fIvalue\fR
+These key-value pairs have the same meaning as in the usual
+\fBovs\-ofctl\fR flow syntax.
+.
+.IP \fBfin_idle_timeout=\fIseconds\fR
+.IQ \fBfin_hard_timeout=\fIseconds\fR
+Adds a \fBfin_timeout\fR action with the specified arguments to the
+new flow. This feature was added in Open vSwitch 1.5.90.
+.
+.IP \fBtable=\fInumber\fR
+The table in which the new flow should be inserted. Specify a decimal
+number between 0 and 254. The default, if \fBtable\fR is unspecified,
+is table 1.
+.
+.IP \fIfield\fB=\fIvalue\fR
+.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]=\fIsrc\fB[\fIstart\fB..\fIend\fB]\fR
+.IQ \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
+Adds a match criterion to the new flow.
+.IP
+The first form specifies that \fIfield\fR must match the literal
+\fIvalue\fR, e.g. \fBdl_type=0x0800\fR. All of the fields and values
+for \fBovs\-ofctl\fR flow syntax are available with their usual
+meanings.
+.IP
+The second form specifies that \fIfield\fB[\fIstart\fB..\fIend\fB]\fR
+in the new flow must match \fIsrc\fB[\fIstart\fB..\fIend\fB]\fR taken
+from the flow currently being processed.
+.IP
+The third form is a shorthand for the second form. It specifies that
+\fIfield\fB[\fIstart\fB..\fIend\fB]\fR in the new flow must match
+\fIfield\fB[\fIstart\fB..\fIend\fB]\fR taken from the flow currently
+being processed.
+.
+.IP \fBload:\fIvalue\fB\->\fIdst\fB[\fIstart\fB..\fIend\fB]
+.IQ \fBload:\fIsrc\fB[\fIstart\fB..\fIend\fB]\->\fIdst\fB[\fIstart\fB..\fIend\fB]
+.
+Adds a \fBload\fR action to the new flow.
+.IP
+The first form loads the literal \fIvalue\fR into bits \fIstart\fR
+through \fIend\fR, inclusive, in field \fIdst\fR. Its syntax is the
+same as the \fBload\fR action described earlier in this section.
+.IP
+The second form loads \fIsrc\fB[\fIstart\fB..\fIend\fB]\fR, a value
+from the flow currently being processed, into bits \fIstart\fR
+through \fIend\fR, inclusive, in field \fIdst\fR.
+.
+.IP \fBoutput:\fIfield\fB[\fIstart\fB..\fIend\fB]\fR
+Add an \fBoutput\fR action to the new flow's actions, that outputs to
+the OpenFlow port taken from \fIfield\fB[\fIstart\fB..\fIend\fB]\fR,
+which must be an NXM field as described above.
+.RE
+.IP
+For best performance, segregate learned flows into a table (using
+\fBtable=\fInumber\fR) that is not used for any other flows except
+possibly for a lowest-priority ``catch-all'' flow, that is, a flow
+with no match criteria. (This is why the default \fBtable\fR is 1, to
+keep the learned flows separate from the primary flow table 0.)
.RE
.
+.IP "\fBfin_timeout(\fIargument\fR[\fB,\fIargument\fR]\fB)"
+This action changes the idle timeout or hard timeout, or both, of this
+OpenFlow rule when the rule matches a TCP packet with the FIN or RST
+flag. When such a packet is observed, the action reduces the rule's
+timeouts to those specified on the action. If the rule's existing
+timeout is already shorter than the one that the action specifies,
+then that timeout is unaffected.
.IP
-(The OpenFlow protocol supports other actions that \fBovs\-ofctl\fR does
-not yet expose to the user.)
+\fIargument\fR takes the following forms:
+.RS
+.IP "\fBidle_timeout=\fIseconds\fR"
+Causes the flow to expire after the given number of seconds of
+inactivity.
+.
+.IP "\fBhard_timeout=\fIseconds\fR"
+Causes the flow to expire after the given number of seconds,
+regardless of activity. (\fIseconds\fR specifies time since the
+flow's creation, not since the receipt of the FIN or RST.)
+.RE
+.IP
+This action was added in Open vSwitch 1.5.90.
+.IP "\fBexit\fR"
+This action causes Open vSwitch to immediately halt execution of further
+actions. Those actions which have already been executed are unaffected. Any
+further actions, including those which may be in other tables, or different
+levels of the \fBresubmit\fR call stack, are ignored.
.
.PP
-The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
-support an additional optional field:
+An opaque identifier called a cookie can be used as a handle to identify
+a set of flows:
.
.IP \fBcookie=\fIvalue\fR
.
-A cookie is an opaque identifier that can be associated with the flow.
-\fIvalue\fR can be any 64-bit number and need not be unique among
-flows.
+A cookie can be associated with a flow using the \fBadd\-flow\fR,
+\fBadd\-flows\fR, and \fBmod\-flows\fR commands. \fIvalue\fR can be any
+64-bit number and need not be unique among flows. If this field is
+omitted, a default cookie value of 0 is used.
+.
+.IP \fBcookie=\fIvalue\fR\fB/\fImask\fR
+.
+When using NXM, the cookie can be used as a handle for querying,
+modifying, and deleting flows. \fIvalue\fR and \fImask\fR may be
+supplied for the \fBdel\-flows\fR, \fBmod\-flows\fR, \fBdump\-flows\fR, and
+\fBdump\-aggregate\fR commands to limit matching cookies. A 1-bit in
+\fImask\fR indicates that the corresponding bit in \fIcookie\fR must
+match exactly, and a 0-bit wildcards that bit. A mask of \-1 may be used
+to exactly match a cookie.
+.IP
+The \fBmod\-flows\fR command can update the cookies of flows that
+match a cookie by specifying the \fIcookie\fR field twice (once with a
+mask for matching and once without to indicate the new value):
+.RS
+.IP "\fBovs\-ofctl mod\-flows br0 cookie=1,actions=normal\fR"
+Change all flows' cookies to 1 and change their actions to \fBnormal\fR.
+.IP "\fBovs\-ofctl mod\-flows br0 cookie=1/\-1,cookie=2,actions=normal\fR"
+Update cookies with a value of 1 to 2 and change their actions to
+\fBnormal\fR.
+.RE
+.IP
+The ability to match on cookies was added in Open vSwitch 1.5.0.
.
.PP
The following additional field sets the priority for flows added by
the \fBadd\-flow\fR and \fBadd\-flows\fR commands. For
\fBmod\-flows\fR and \fBdel\-flows\fR when \fB\-\-strict\fR is
specified, priority must match along with the rest of the flow
-specification. Other commands ignore the priority value.
+specification. For \fBmod-flows\fR without \fB\-\-strict\fR,
+priority is only significant if the command creates a new flow, that
+is, non-strict \fBmod\-flows\fR does not match on priority and will
+not change the priority of existing flows. Other commands do not
+allow priority to be specified.
.
.IP \fBpriority=\fIvalue\fR
The priority at which a wildcarded entry will match in comparison to
have priority over an entry containing wildcards, so it has an implicit
priority value of 65535. When adding a flow, if the field is not specified,
the flow's priority will default to 32768.
+.IP
+OpenFlow leaves behavior undefined when two or more flows with the
+same priority can match a single packet. Some users expect
+``sensible'' behavior, such as more specific flows taking precedence
+over less specific flows, but OpenFlow does not specify this and Open
+vSwitch does not implement it. Users should therefore take care to
+use priorities to ensure the behavior that they expect.
.
.PP
-The \fBadd\-flow\fR and \fBadd\-flows\fR commands support additional
-optional fields:
+The \fBadd\-flow\fR, \fBadd\-flows\fR, and \fBmod\-flows\fR commands
+support the following additional options. These options affect only
+new flows. Thus, for \fBadd\-flow\fR and \fBadd\-flows\fR, these
+options are always significant, but for \fBmod\-flows\fR they are
+significant only if the command creates a new flow, that is, their
+values do not update or affect existing flows.
.
-.TP
-\fBidle_timeout=\fIseconds\fR
+.IP "\fBidle_timeout=\fIseconds\fR"
Causes the flow to expire after the given number of seconds of
-inactivity. A value of 0 (the default) prevents a flow from expiring due to
-inactivity.
+inactivity. A value of 0 (the default) prevents a flow from expiring
+due to inactivity.
.
.IP \fBhard_timeout=\fIseconds\fR
Causes the flow to expire after the given number of seconds,
regardless of activity. A value of 0 (the default) gives the flow no
hard expiration deadline.
.
+.IP "\fBsend_flow_rem\fR"
+Marks the flow with a flag that causes the switch to generate a ``flow
+removed'' message and send it to interested controllers when the flow
+later expires or is removed.
+.
+.IP "\fBcheck_overlap\fR"
+Forces the switch to check that the flow match does not overlap that
+of any different flow with the same priority in the same table. (This
+check is expensive so it is best to avoid it.)
+.
.PP
The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR
and \fBdel\-flows\fR commands support one additional optional field:
\fBout_port=\fIport\fR
If set, a matching flow must include an output action to \fIport\fR.
.
-.PP
-The \fBdump\-flows\fR and \fBdump\-aggregate\fR commands support an
-additional optional field:
-.
-.IP \fBtable=\fInumber\fR
-If specified, limits the flows about which statistics are gathered to
-those in the table with the given \fInumber\fR. Tables are numbered
-as shown by the \fBdump\-tables\fR command.
-.
-If this field is not specified, or if \fInumber\fR is given as
-\fB255\fR, statistics are gathered about flows from all tables.
-.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information
about the entries in a datapath's tables. Each line of output is a
-unique flow entry, which begins with some common information:
-.
-.IP \fBduration\fR
-The number of seconds the entry has been in the table.
+flow entry as described in \fBFlow Syntax\fR, above, plus some
+additional fields:
.
-.IP \fBtable_id\fR
-The table that contains the flow. When a packet arrives, the switch
-begins searching for an entry at the lowest numbered table. Tables are
-numbered as shown by the \fBdump\-tables\fR command.
-.
-.IP \fBpriority\fR
-The priority of the entry in relation to other entries within the same
-table. A higher value will match before a lower one.
+.IP \fBduration=\fIsecs\fR
+The time, in seconds, that the entry has been in the table.
+\fIsecs\fR includes as much precision as the switch provides, possibly
+to nanosecond resolution.
.
.IP \fBn_packets\fR
The number of packets that have matched the entry.
The total number of bytes from packets that have matched the entry.
.
.PP
-The rest of the line consists of a description of the flow entry as
-described in \fBFlow Syntax\fR, above.
+The following additional fields are included only if the switch is
+Open vSwitch 1.6 or later and the NXM flow format is used to dump the
+flow (see the description of the \fB\-\-flow-format\fR option below).
+The values of these additional fields are approximations only and in
+particular \fBidle_age\fR will sometimes become nonzero even for busy
+flows.
+.
+.IP \fBhard_age=\fIsecs\fR
+The integer number of seconds since the flow was added or modified.
+\fBhard_age\fR is displayed only if it differs from the integer part
+of \fBduration\fR. (This is separate from \fBduration\fR because
+\fBmod\-flows\fR restarts the \fBhard_timeout\fR timer without zeroing
+\fBduration\fR.)
.
+.IP \fBidle_age=\fIsecs\fR
+The integer number of seconds that have passed without any packets
+passing through the flow.
.
.SH OPTIONS
.TP
\fB\-\-strict\fR
Uses strict matching when running flow modification commands.
.
-.IP "\fB\-F \fIformat\fR"
-.IQ "\fB\-\-flow\-format=\fIformat\fR"
-\fBovs\-ofctl\fR supports the following flow formats, in order of
-increasing capability:
+.IP "\fB\-F \fIformat\fR[\fB,\fIformat\fR...]"
+.IQ "\fB\-\-flow\-format=\fIformat\fR[\fB,\fIformat\fR...]"
+\fBovs\-ofctl\fR supports the following individual flow formats, any
+number of which may be listed as \fIformat\fR:
.RS
-.IP "\fBopenflow10\fR"
-This is the standard OpenFlow 1.0 flow format. It should be supported
-by all OpenFlow switches.
+.IP "\fBOpenFlow10\-table_id\fR"
+This is the standard OpenFlow 1.0 flow format. All OpenFlow switches
+and all versions of Open vSwitch support this flow format.
.
-.IP "\fBtun_id_from_cookie\fR"
-This Nicira extension to OpenFlow adds minimal and limited support for
-\fBtun_id\fR, but it does not support any other Nicira flow
-extensions. (This flow format is deprecated.)
+.IP "\fBOpenFlow10+table_id\fR"
+This is the standard OpenFlow 1.0 flow format plus a Nicira extension
+that allows \fBovs\-ofctl\fR to specify the flow table in which a
+particular flow should be placed. Open vSwitch 1.2 and later supports
+this flow format.
.
-.IP "\fBnxm\fR (Nicira Extended Match)"
+.IP "\fBNXM\-table_id\fR (Nicira Extended Match)"
This Nicira extension to OpenFlow is flexible and extensible. It
supports all of the Nicira flow extensions, such as \fBtun_id\fR and
-registers.
+registers. Open vSwitch 1.1 and later supports this flow format.
+.
+.IP "\fBNXM+table_id\fR (Nicira Extended Match)"
+This combines Nicira Extended match with the ability to place a flow
+in a specific table. Open vSwitch 1.2 and later supports this flow
+format.
+.RE
+.
+.IP
+\fBovs\-ofctl\fR also supports the following abbreviations for
+collections of flow formats:
+.RS
+.IP "\fBany\fR"
+Any supported flow format.
+.IP "\fBOpenFlow10\fR"
+\fBOpenFlow10\-table_id\fR or \fBOpenFlow10+table_id\fR.
+.IP "\fBNXM\fR"
+\fBNXM\-table_id\fR or \fBNXM+table_id\fR.
.RE
+.
.IP
-Usually, \fBovs\-ofctl\fR picks the correct format automatically. For
-commands that modify the flow table, \fBovs\-ofctl\fR by default uses
-the most widely supported flow format that supports the flows being
-added. For commands that query the flow table, \fBovs\-ofctl\fR by
-default queries and uses the most advanced format supported by the
-switch.
+For commands that modify the flow table, \fBovs\-ofctl\fR by default
+negotiates the most widely supported flow format that supports the
+flows being added. For commands that query the flow table,
+\fBovs\-ofctl\fR by default uses the most advanced format supported by
+the switch.
+.IP
+This option, where \fIformat\fR is a comma-separated list of one or
+more of the formats listed above, limits \fBovs\-ofctl\fR's choice of
+flow format. If a command cannot work as requested using one of the
+specified flow formats, \fBovs\-ofctl\fR will report a fatal error.
+.
+.IP "\fB\-P \fIformat\fR"
+.IQ "\fB\-\-packet\-in\-format=\fIformat\fR"
+\fBovs\-ofctl\fR supports the following packet_in formats, in order of
+increasing capability:
+.RS
+.IP "\fBopenflow10\fR"
+This is the standard OpenFlow 1.0 packet in format. It should be supported by
+all OpenFlow switches.
+.
+.IP "\fBnxm\fR (Nicira Extended Match)"
+This packet_in format includes flow metadata encoded using the NXM format.
+.
+.RE
.IP
-This option, where \fIformat\fR is one of the formats listed in the
-above table, overrides \fBovs\-ofctl\fR's default choice of flow
-format. If a command cannot work as requested using the requested
-flow format, \fBovs\-ofctl\fR will report a fatal error.
+Usually, \fBovs\-ofctl\fR prefers the \fBnxm\fR packet_in format, but will
+allow the switch to choose its default if \fBnxm\fR is unsupported. When
+\fIformat\fR is one of the formats listed in the above table, \fBovs\-ofctl\fR
+will insist on the selected format. If the switch does not support the
+requested format, \fBovs\-ofctl\fR will report a fatal error. This option only
+affects the \fBmonitor\fR command.
+.
+.IP "\fB\-\-timestamp\fR"
+Print a timestamp before each received packet. This option only
+affects the \fBmonitor\fR and \fBsnoop\fR commands.
.
.IP "\fB\-m\fR"
.IQ "\fB\-\-more\fR"
Increases the verbosity of OpenFlow messages printed and logged by
\fBovs\-ofctl\fR commands. Specify this option more than once to
increase verbosity further.
+.
+.ds DD \
+\fBovs\-ofctl\fR detaches only when executing the \fBmonitor\fR or \
+\fBsnoop\fR commands.
+.so lib/daemon.man
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/vlog.man
.so lib/common.man
.
+.SH "RUNTIME MANAGEMENT COMMANDS"
+\fBovs\-appctl\fR(8) can send commands to a running \fBovs\-ofctl\fR
+process. The supported commands are listed below.
+.
+.IP "\fBexit\fR"
+Causes \fBovs\-ofctl\fR to gracefully terminate. This command applies
+only when executing the \fBmonitor\fR or \fBsnoop\fR commands.
+.
+.IP "\fBofctl/set\-output\-file \fIfile\fR"
+Causes all subsequent output to go to \fIfile\fR instead of stderr.
+This command applies only when executing the \fBmonitor\fR or
+\fBsnoop\fR commands.
+.
+.IP "\fBofctl/send \fIofmsg\fR..."
+Sends each \fIofmsg\fR, specified as a sequence of hex digits that
+express an OpenFlow message, on the OpenFlow connection. This command
+is useful only when executing the \fBmonitor\fR command.
+.
+.IP "\fBofctl/barrier\fR"
+Sends an OpenFlow barrier request on the OpenFlow connection and waits
+for a reply. This command is useful only for the \fBmonitor\fR
+command.
+.
.SH EXAMPLES
.
-The following examples assume that an OpenFlow switch on the local
-host has been configured to listen for management connections on a
-Unix domain socket named \fB@RUNDIR@/openflow.sock\fR, e.g. by
-specifying \fB\-\-listen=punix:@RUNDIR@/openflow.sock\fR on the
-\fBovs\-openflowd\fR(8) command line.
+The following examples assume that \fBovs\-vswitchd\fR has a bridge
+named \fBbr0\fR configured.
.
.TP
-\fBovs\-ofctl dump\-tables unix:@RUNDIR@/openflow.sock\fR
+\fBovs\-ofctl dump\-tables br0\fR
Prints out the switch's table stats. (This is more interesting after
some traffic has passed through.)
.
.TP
-\fBovs\-ofctl dump\-flows unix:@RUNDIR@/openflow.sock\fR
+\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
.SH "SEE ALSO"