. ns
. IP "\\$1"
..
-.TH ovs\-ofctl 8 "January 2010" "Open vSwitch" "Open vSwitch Manual"
+.TH ovs\-ofctl 8 "January 2011" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-ofctl
.
.SH NAME
information on its flow tables and ports.
.
.TP
-\fBstatus \fIswitch\fR [\fIkey\fR]
-Prints to the console a series of key-value pairs that report the
-status of \fIswitch\fR. If \fIkey\fR is specified, only the key-value
-pairs whose key names begin with \fIkey\fR are printed. If \fIkey\fR is
-omitted, all key-value pairs are printed.
-.
-.TP
\fBdump\-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
\fIswitch\fR.
queues on \fIport\fR; if only \fIport\fR is omitted, then statistics
are printed for \fIqueue\fR on every port where it exists.
.
-.TP
-\fBadd\-flow \fIswitch flow\fR
-Add the flow entry as described by \fIflow\fR to the \fIswitch\fR's
-tables. The flow entry is in the format described in \fBFlow Syntax\fR,
-below.
-.
-.TP
-\fBadd\-flows \fIswitch file\fR
-Add flow entries as described in \fIfile\fR to \fIswitch\fR's
-tables. Each line in \fIfile\fR is a flow entry in the format
-described in \fBFlow Syntax\fR, below.
-.
-.TP
-\fBmod\-flows \fIswitch flow\fR
-Modify the actions in entries from the \fIswitch\fR's tables
-that match \fIflow\fR. When invoked with the \fB\-\-strict\fR option,
-wildcards are not treated as active for matching purposes. See
-\fBFlow Syntax\fR, below, for the syntax of \fIflows\fR.
+.SS "OpenFlow Switch Flow Table Commands"
+.
+These commands manage the flow table in an OpenFlow switch. In each
+case, \fIflow\fR specifies a flow entry in the format described in
+\fBFlow Syntax\fR, below, and \fIfile\fR is a text file that contains
+zero or more flows in the same syntax, one per line.
+.
+.IP "\fBadd\-flow \fIswitch flow\fR"
+.IQ "\fBadd\-flow \fIswitch \fB\- < \fIfile\fR"
+.IQ "\fBadd\-flows \fIswitch file\fR"
+Add each flow entry to \fIswitch\fR's tables.
+.
+.IP "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch flow\fR"
+.IQ "[\fB\-\-strict\fR] \fBmod\-flows \fIswitch \fB\- < \fIfile\fR"
+Modify the actions in entries from \fIswitch\fR's tables that match
+the specified flows. With \fB\-\-strict\fR, wildcards are not treated
+as active for matching purposes.
+.
+.IP "\fBdel\-flows \fIswitch\fR"
+.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fR[\fIflow\fR]"
+.IQ "[\fB\-\-strict\fR] \fBdel\-flows \fIswitch \fB\- < \fIfile\fR"
+Deletes entries from \fIswitch\fR's flow table. With only a
+\fIswitch\fR argument, deletes all flows. Otherwise, deletes flow
+entries that match the specified flows. With \fB\-\-strict\fR,
+wildcards are not treated as active for matching purposes.
+.
+.IP "\fBreplace\-flows \fIswitch file\fR"
+Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
+\fB\-\fR) and queries the flow table from \fIswitch\fR. Then it fixes
+up any differences, adding flows from \fIflow\fR that are missing on
+\fIswitch\fR, deleting flows from \fIswitch\fR that are not in
+\fIfile\fR, and updating flows in \fIswitch\fR whose actions, cookie,
+or timeouts differ in \fIfile\fR.
+.
+.IP "\fBdiff\-flows \fIsource1 source2\fR"
+Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
+differences. A flow that is in \fIsource1\fR but not in \fIsource2\fR
+is printed preceded by a \fB\-\fR, and a flow that is in \fIsource2\fR
+but not in \fIsource1\fR is printed preceded by a \fB+\fR. If a flow
+exists in both \fIsource1\fR and \fIsource2\fR with different actions,
+cookie, or timeouts, then both versions are printed preceded by
+\fB\-\fR and \fB+\fR, respectively.
+.IP
+\fIsource1\fR and \fIsource2\fR may each name a file or a switch. If
+a name begins with \fB/\fR or \fB.\fR, then it is considered to be a
+file name. A name that contains \fB:\fR is considered to be a switch.
+Otherwise, it is a file if a file by that name exists, a switch if
+not.
+.IP
+For this command, an exit status of 0 means that no differences were
+found, 1 means that an error occurred, and 2 means that some
+differences were found.
.
-.TP
-\fBdel\-flows \fIswitch \fR[\fIflow\fR]
-Deletes entries from the \fIswitch\fR's tables that match
-\fIflow\fR. When invoked with the \fB\-\-strict\fR option, wildcards are
-not treated as active for matching purposes. If \fIflow\fR is
-omitted and the \fB\-\-strict\fR option is not used, all flows in the
-switch's tables are removed. See \fBFlow Syntax\fR, below, for the
-syntax of \fIflows\fR.
+.SS "OpenFlow Switch Monitoring Commands"
.
.IP "\fBsnoop \fIswitch\fR"
Connects to \fIswitch\fR and prints to the console all OpenFlow
the configured controller is disconnected, no traffic is sent, so
monitoring will not show any traffic.
.
-.IQ "\fBmonitor \fIswitch\fR [\fImiss-len\fR]"
+.IP "\fBmonitor \fIswitch\fR [\fImiss-len\fR]"
Connects to \fIswitch\fR and prints to the console all OpenFlow
-messages received. Usually, \fIswitch\fR should specify a connection
-named on \fBovs\-openflowd\fR(8)'s \fB\-l\fR or \fB\-\-listen\fR command line
-option.
+messages received. Usually, \fIswitch\fR should specify the name of a
+bridge in the \fBovs\-vswitchd\fR database.
.IP
If \fImiss-len\fR is provided, \fBovs\-ofctl\fR sends an OpenFlow ``set
configuration'' message at connection setup time that requests
pairs of hexadecimal digits delimited by colons
(e.g. \fB00:0A:E4:25:6B:B0\fR).
.
+.IP \fBdl_dst=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB/\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+Matches an Ethernet destination address specified as 6 pairs of
+hexadecimal digits delimited by colons (e.g. \fB00:0A:E4:25:6B:B0\fR),
+with a wildcard mask following the slash. Only
+the following masks are allowed:
+.RS
+.IP \fB01:00:00:00:00:00\fR
+Match only the multicast bit. Thus,
+\fBdl_dst=01:00:00:00:00:00/01:00:00:00:00:00\fR matches all multicast
+(including broadcast) Ethernet packets, and
+\fBdl_dst=00:00:00:00:00:00/01:00:00:00:00:00\fR matches all unicast
+Ethernet packets.
+.IP \fBfe:ff:ff:ff:ff:ff\fR
+Match all bits except the multicast bit. This is probably not useful.
+.IP \fBff:ff:ff:ff:ff:ff\fR
+Exact match (equivalent to omitting the mask).
+.IP \fB00:00:00:00:00:00\fR
+Wildcard all bits (equivalent to \fBdl_dst=*\fR.)
+.RE
+.
.IP \fBdl_type=\fIethertype\fR
Matches Ethernet protocol type \fIethertype\fR, which is specified as an
integer between 0 and 65535, inclusive, either in decimal or as a
.IP \fBnw_proto=\fIproto\fR
When \fBip\fR or \fBdl_type=0x0800\fR is specified, matches IP
protocol type \fIproto\fR, which is specified as a decimal number
-between 0 and 255, inclusive (e.g. 6 to match TCP packets).
+between 0 and 255, inclusive (e.g. 1 to match ICMP packets or 6 to match
+TCP packets).
+.IP
+When \fBipv6\fR or \fBdl_type=0x86dd\fR is specified, matches IPv6
+header type \fIproto\fR, which is specified as a decimal number between
+0 and 255, inclusive (e.g. 58 to match ICMPv6 packets or 6 to match
+TCP). The header type is the terminal header as described in the
+\fBDESIGN\fR document.
.IP
When \fBarp\fR or \fBdl_type=0x0806\fR is specified, matches the lower
8 bits of the ARP opcode. ARP opcodes greater than 255 are treated as
0.
.IP
-When \fBdl_type\fR is wildcarded or set to a value other than 0x0800
-or 0x0806, the value of \fBnw_proto\fR is ignored (see \fBFlow
+When \fBdl_type\fR is wildcarded or set to a value other than 0x0800,
+0x0806, or 0x86dd, the value of \fBnw_proto\fR is ignored (see \fBFlow
Syntax\fR above).
.
.IP \fBnw_tos=\fItos\fR
-Matches IP ToS/DSCP field \fItos\fR, which is specified as a decimal
-number between 0 and 255, inclusive. Note that the two lower reserved
-bits are ignored for matching purposes.
+Matches IP ToS/DSCP or IPv6 traffic class field \fItos\fR, which is
+specified as a decimal number between 0 and 255, inclusive. Note that
+the two lower reserved bits are ignored for matching purposes.
.IP
-The value of \fBnw_proto\fR is ignored unless \fBdl_type=0x0800\fR,
-\fBip\fR, \fBicmp\fR, \fBtcp\fR, or \fBudp\fR is also specified (see
-\fBFlow Syntax\fR above).
+When \fBdl_type\fR is wildcarded or set to a value other than 0x0800,
+0x0806, or 0x86dd, the value of \fBnw_tos\fR is ignored (see \fBFlow
+Syntax\fR above).
.
.IP \fBtp_src=\fIport\fR
.IQ \fBtp_dst=\fIport\fR
.
.IP \fBicmp_type=\fItype\fR
.IQ \fBicmp_code=\fIcode\fR
-When \fBdl_type\fR and \fBnw_proto\fR specify ICMP, \fItype\fR matches
-the ICMP type and \fIcode\fR matches the ICMP code. Each is specified
-as a decimal number between 0 and 255, inclusive.
+When \fBdl_type\fR and \fBnw_proto\fR specify ICMP or ICMPv6, \fItype\fR
+matches the ICMP type and \fIcode\fR matches the ICMP code. Each is
+specified as a decimal number between 0 and 255, inclusive.
.IP
When \fBdl_type\fR and \fBnw_proto\fR take other values, the values of
these settings are ignored (see \fBFlow Syntax\fR above).
-.IP \fBtun_id=\fItunnel\-id\fR
-Matches tunnel identifier \fItunnel\-id\fR. Only packets that arrive
-over a tunnel that carries a key (e.g. GRE with the RFC 2890 key
-extension) will have a nonzero tunnel ID.
-.IP
-\fBtun_id\fR requires use of one of two Nicira extensions to OpenFlow:
-.RS
-.IP "NXM (Nicira Extended Match)"
-This extension fully supports \fBtun_id\fR.
-.IP "Tunnel ID from Cookie"
-This extension supports \fBtun_id\fR with two caveats: the top 32 bits
-of the \fBcookie\fR (see below) are used for \fItunnel\-id\fR and thus
-unavailable for other use, and specifying \fBtun_id\fR on
-\fBdump\-flows\fR or \fBdump\-aggregate\fR has no effect.
-.RE
-.IP
-When \fBtun_id\fR is specified, \fBovs\-ofctl\fR will automatically
-attempt to negotiate use of one of these extensions. It will use the
-``tunnel ID from cookie'' extension if neither caveat applies and NXM
-otherwise. If the switch does not support the needed extension, then
-\fBovs\-ofctl\fR will report a fatal error.
-.IP "\fBreg\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
-Matches \fIvalue\fR either exactly or with optional \fImask\fR in
-register number \fIidx\fR. The valid range of \fIidx\fR depends on
-the switch. \fIvalue\fR and \fImask\fR are 32-bit integers, by
-default in decimal (use a \fB0x\fR prefix to specify hexadecimal).
-Arbitrary \fImask\fR values are allowed: a 1-bit in \fImask\fR
-indicates that the corresponding bit in \fIvalue\fR must match
-exactly, and a 0-bit wildcards that bit.
-.IP
-When a packet enters an OpenFlow switch, all of the registers are set
-to 0. Only explicit Nicira extension actions change register values.
+.
+.IP \fBtable=\fInumber\fR
+If specified, limits the flow manipulation and flow dump commands to
+only apply to the table with the given \fInumber\fR.
+\fInumber\fR is a number between 0 and 254, inclusive.
+.
+Behavior varies if \fBtable\fR is not specified. For flow table
+modification commands without \fB\-\-strict\fR, the switch will choose
+the table for these commands to operate on. For flow table
+modification commands with \fB\-\-strict\fR, the command will operate
+on any single matching flow in any table; it will do nothing if there
+are matches in more than one table. The \fBdump-flows\fR and
+\fBdump-aggregate\fR commands will gather statistics about flows from
+all tables.
.IP
-Register matches require support for the NXM (Nicira Extended Match)
-extension to OpenFlow. When a register match is specified,
-\fBovs\-ofctl\fR will automatically attempt to negotiate use of this
-extension. If the switch does not support NXM, then \fBovs\-ofctl\fR
-will report a fatal error.
+When this field is specified in \fBadd-flow\fR, \fBadd-flows\fR,
+\fBmod-flows\fR and \fBdel-flows\fR commands, it activates a Nicira
+extension to OpenFlow, which as of this writing is only known to be
+implemented by Open vSwitch.
.
.PP
The following shorthand notations are also available:
Same as \fBdl_type=0x0806\fR.
.
.PP
+The following field assignments require support for the NXM (Nicira
+Extended Match) extension to OpenFlow. When one of these is specified,
+\fBovs\-ofctl\fR will automatically attempt to negotiate use of this
+extension. If the switch does not support NXM, then \fBovs\-ofctl\fR
+will report a fatal error.
+.
+.IP \fBarp_sha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+.IQ \fBarp_tha=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+When \fBdl_type\fR specifies ARP, \fBarp_sha\fR and \fBarp_tha\fR match
+the source and target hardware address, respectively. An address is
+specified as 6 pairs of hexadecimal digits delimited by colons.
+.
+.IP \fBipv6_src=\fIipv6\fR[\fB/\fInetmask\fR]
+.IQ \fBipv6_dst=\fIipv6\fR[\fB/\fInetmask\fR]
+When \fBdl_type\fR is 0x86dd (possibly via shorthand, e.g., \fBipv6\fR
+or \fBtcp6\fR), matches IPv6 source (or destination) address \fIipv6\fR,
+which may be specified as defined in RFC 2373. The preferred format is
+\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fB:\fIx\fR, where
+\fIx\fR are the hexadecimal values of the eight 16-bit pieces of the
+address. A single instance of \fB::\fR may be used to indicate multiple
+groups of 16-bits of zeros. The optional \fInetmask\fR allows
+restricting a match to an IPv6 address prefix. A netmask is specified
+as a CIDR block (e.g. \fB2001:db8:3c4d:1::/64\fR).
+.
+.IP \fBnd_target=\fIipv6\fR
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify
+IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address
+\fIipv6\fR. \fIipv6\fR is in the same format described earlier for the
+\fBipv6_src\fR and \fBipv6_dst\fR fields.
+.
+.IP \fBnd_sll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
+Neighbor Solicitation (ICMPv6 type 135), matches the source link\-layer
+address option. An address is specified as 6 pairs of hexadecimal
+digits delimited by colons.
+.
+.IP \fBnd_tll=\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR
+When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify IPv6
+Neighbor Advertisement (ICMPv6 type 136), matches the target link\-layer
+address option. An address is specified as 6 pairs of hexadecimal
+digits delimited by colons.
+.
+.IP \fBtun_id=\fItunnel-id\fR[\fB/\fImask\fR]
+Matches tunnel identifier \fItunnel-id\fR. Only packets that arrive
+over a tunnel that carries a key (e.g. GRE with the RFC 2890 key
+extension) will have a nonzero tunnel ID. If \fImask\fR is omitted,
+\fItunnel-id\fR is the exact tunnel ID to match; if \fImask\fR is
+specified, then a 1-bit in \fImask\fR indicates that the corresponding
+bit in \fItunnel-id\fR must match exactly, and a 0-bit wildcards that
+bit.
+.IP
+In an attempt to be compatible with more switches, \fBovs\-ofctl\fR will
+prefer to use the ``tunnel ID from cookie'' Nicira extension to NXM.
+The use of this extension comes with three caveats: the top 32 bits of
+the \fBcookie\fR (see below) are used for \fItunnel-id\fR and thus
+unavailable for other use, specifying \fBtun_id\fR on \fBdump\-flows\fR
+or \fBdump\-aggregate\fR has no effect, and \fImask\fR is not supported.
+If any of these caveats apply, \fBovs-ofctl\fR will use NXM.
+.
+.IP "\fBreg\fIidx\fB=\fIvalue\fR[\fB/\fImask\fR]"
+Matches \fIvalue\fR either exactly or with optional \fImask\fR in
+register number \fIidx\fR. The valid range of \fIidx\fR depends on
+the switch. \fIvalue\fR and \fImask\fR are 32-bit integers, by
+default in decimal (use a \fB0x\fR prefix to specify hexadecimal).
+Arbitrary \fImask\fR values are allowed: a 1-bit in \fImask\fR
+indicates that the corresponding bit in \fIvalue\fR must match
+exactly, and a 0-bit wildcards that bit.
+.IP
+When a packet enters an OpenFlow switch, all of the registers are set
+to 0. Only explicit Nicira extension actions change register values.
+.
+.PP
+Defining IPv6 flows (those with \fBdl_type\fR equal to 0x86dd) requires
+support for NXM. The following shorthand notations are available for
+IPv6-related flows:
+.
+.IP \fBipv6\fR
+Same as \fBdl_type=0x86dd\fR.
+.
+.IP \fBtcp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=6\fR.
+.
+.IP \fBudp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=17\fR.
+.
+.IP \fBicmp6\fR
+Same as \fBdl_type=0x86dd,nw_proto=58\fR.
+.
+.PP
The \fBadd\-flow\fR and \fBadd\-flows\fR commands require an additional
field, which must be the final field specified:
.
.
.IP \fBlocal\fR
Outputs the packet on the ``local port,'' which corresponds to the
-\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
-\fBovs\-openflowd\fR(8) for information on the \fBof\fIn\fR network device).
+network device that has the same name as the bridge.
.
.IP \fBdrop\fR
Discards the packet, so no further processing or forwarding takes place.
1.0 and later. Otherwise, if \fIid\fR is a 64-bit value, it requires
Open vSwitch 1.1 or later.
.
-.IP \fBdrop_spoofed_arp\fR
-Stops processing further actions, if the packet being processed is an
-Ethernet+IPv4 ARP packet for which the source Ethernet address inside
-the ARP packet differs from the source Ethernet address in the
-Ethernet header.
-.
-This is useful because OpenFlow does not provide a way to match on the
-Ethernet addresses inside ARP packets, so there is no other way to
-drop spoofed ARPs other than sending every ARP packet to a controller.
-.
.IP \fBset_queue\fB:\fIqueue\fR
Sets the queue that should be used to \fIqueue\fR when packets are
output. The number of supported queues depends on the switch; some
the \fBiter_hash\fR algorithm uses \fIarg\fR.
.IP
Refer to \fBnicira\-ext.h\fR for more details.
+.
+.IP "\fBautopath(\fIid\fB, \fIdst\fB[\fIstart\fB..\fIend\fB])\fR"
+Given \fIid\fR, chooses an OpenFlow port and populates it in
+\fIdst\fB[\fIstart\fB..\fIend\fB]\fR, which must be an NXM register as
+described above.
+.IP
+Currently, \fIid\fR should be the OpenFlow port number of an interface on the
+bridge. If it isn't then \fIdst\fB[\fIstart\fB..\fIend\fB]\fR will be
+populated with the OpenFlow port "none". If \fIid\fR is a member of a bond,
+the normal bond selection logic will be used to choose the destination port.
+Otherwise, the register will be populated with \fIid\fR itself.
+.IP
+Refer to \fBnicira\-ext.h\fR for more details.
.RE
.
.IP
The \fBdump\-flows\fR and \fBdump\-aggregate\fR commands support an
additional optional field:
.
-.IP \fBtable=\fInumber\fR
-If specified, limits the flows about which statistics are gathered to
-those in the table with the given \fInumber\fR. Tables are numbered
-as shown by the \fBdump\-tables\fR command.
-.
-If this field is not specified, or if \fInumber\fR is given as
-\fB255\fR, statistics are gathered about flows from all tables.
-.
.SS "Table Entry Output"
.
The \fBdump\-tables\fR and \fBdump\-aggregate\fR commands print information
This is the standard OpenFlow 1.0 flow format. It should be supported
by all OpenFlow switches.
.
-.IP "\fBtun_id_from_cookie\fR"
-This Nicira extension to OpenFlow adds minimal and limited support for
-\fBtun_id\fR, but it does not support any other Nicira flow
-extensions. (This flow format is deprecated.)
-.
.IP "\fBnxm\fR (Nicira Extended Match)"
This Nicira extension to OpenFlow is flexible and extensible. It
supports all of the Nicira flow extensions, such as \fBtun_id\fR and
.
.SH EXAMPLES
.
-The following examples assume that an OpenFlow switch on the local
-host has been configured to listen for management connections on a
-Unix domain socket named \fB@RUNDIR@/openflow.sock\fR, e.g. by
-specifying \fB\-\-listen=punix:@RUNDIR@/openflow.sock\fR on the
-\fBovs\-openflowd\fR(8) command line.
+The following examples assume that \fBovs\-vswitchd\fR has a bridge
+named \fBbr0\fR configured.
.
.TP
-\fBovs\-ofctl dump\-tables unix:@RUNDIR@/openflow.sock\fR
+\fBovs\-ofctl dump\-tables br0\fR
Prints out the switch's table stats. (This is more interesting after
some traffic has passed through.)
.
.TP
-\fBovs\-ofctl dump\-flows unix:@RUNDIR@/openflow.sock\fR
+\fBovs\-ofctl dump\-flows br0\fR
Prints the flow entries in the switch.
.
.SH "SEE ALSO"