ovs-dpctl(8)                  Open vSwitch Manual                 ovs-dpctl(8)

       ovs-dpctl - administer Open vSwitch datapaths

       ovs-dpctl [options] command [switch] [args...]

       The ovs-dpctl program can create, modify, and delete Open vSwitch data‐
       paths.  A single machine may host any number of datapaths.

       This program works only with datapaths that are implemented outside  of
       ovs-vswitchd  itself,  such as the Linux and Windows kernel-based data‐
       paths.  To manage datapaths that are integrated into ovs-vswitchd, such
       as  the  userspace  (netdev)  datapath, use ovs-appctl(8) to invoke the
       dpctl/* commands, which are documented in ovs-vswitchd(8).

       A newly created datapath is associated with only one network device,  a
       virtual  network device sometimes called the datapath's ``local port''.
       A newly created datapath is not, however, associated with  any  of  the
       host's  other  network  devices.  To intercept and process traffic on a
       given network device, use the add-if command  to  explicitly  add  that
       network device to the datapath.

       If ovs-vswitchd(8) is in use, use ovs-vsctl(8) instead of ovs-dpctl.

       Most  ovs-dpctl commands that work with datapaths take an argument that
       specifies the name of the  datapath.   Datapath  names  take  the  form
       [type@]name, where name is the network device associated with the data‐
       path's local port.   If  type  is  given,  it  specifies  the  datapath
       provider of name, otherwise the default provider system is assumed.

       The following commands manage datapaths.

       add-dp dp [netdev[,option]...]
              Creates datapath dp, with a local port also named dp.  This will
              fail if a network device dp already exists.

              If netdevs are specified, ovs-dpctl adds them to the  new  data‐
              path, just as if add-if was specified.

       del-dp dp
              Deletes  datapath  dp.   If  dp  is  associated with any network
              devices, they are automatically removed.

       add-if dp netdev[,option]...
              Adds each netdev to the set of network devices datapath dp moni‐
              tors,  where  dp is the name of an existing datapath, and netdev
              is the name of one of the host's  network  devices,  e.g.  eth0.
              Once a network device has been added to a datapath, the datapath
              has complete ownership of the network device's traffic  and  the
              network device appears silent to the rest of the system.

              A  netdev  may be followed by a comma-separated list of options.
              The following options are currently supported:

                     Specifies the type of port to add.  The default  type  is

                     Requests  a specific port number within the datapath.  If
                     this option is not specified then one will  be  automati‐
                     cally assigned.

                     Adds an arbitrary key-value option to the port's configu‐

              ovs-vswitchd.conf.db(5) documents the available port  types  and

       set-if dp port[,option]...
              Reconfigures  each  port  in  dp as specified.  An option of the
              form key=value adds the specified key-value option to  the  port
              or  overrides  an  existing  key's value.  An option of the form
              key=, that is, without a value, deletes the key-value named key.
              The  type  and  port number of a port cannot be changed, so type
              and port_no are only allowed if they match the existing configu‐

       del-if dp netdev...
              Removes each netdev from the list of network devices datapath dp

              Prints the name of each configured datapath on a separate line.

       [-s | --statistics] show [dp...]
              Prints a summary of configured datapaths, including their  data‐
              path  numbers  and  a  list of ports connected to each datapath.
              (The local port is identified as port 0.)  If -s or --statistics
              is specified, then packet and byte counters are also printed for
              each port.

              The datapath numbers consists of flow stats and mega  flow  mask

              The  "lookups"  row  displays three stats related to flow lookup
              triggered by processing incoming packets in the datapath.  "hit"
              displays number of packets matches existing flows. "missed" dis‐
              plays the number of packets not matching any existing  flow  and
              require  user space processing.  "lost" displays number of pack‐
              ets destined for user space  process  but  subsequently  dropped
              before reaching userspace. The sum of "hit" and "miss" equals to
              the total number of packets datapath processed.

              The "flows" row displays the number of flows in datapath.

              The "masks" row displays the mega flow mask stats. This  row  is
              omitted  for datapath not implementing mega flow. "hit" displays
              the total number of masks visited for matching incoming packets.
              "total" displays number of masks in the datapath. "hit/pkt" dis‐
              plays the average number of masks visited per packet; the  ratio
              between "hit" and total number of packets processed by the data‐

              If one or more datapaths  are  specified,  information  on  only
              those  datapaths  are  displayed.  Otherwise, ovs-dpctl displays
              information about all configured datapaths.

       The following commands are primarily useful for debugging Open vSwitch.
       The  flow  table entries (both matches and actions) that they work with
       are not OpenFlow flow entries.  Instead, they are different and consid‐
       erably simpler flows maintained by the Open vSwitch kernel module.  Use
       ovs-ofctl(8), instead, to work with OpenFlow flow entries.

       The dp argument to each of these commands is optional when exactly  one
       datapath exists, in which case that datapath is the default.  When mul‐
       tiple datapaths exist, then a datapath name is required.

       [-m | --more] [--names | --no-names]  dump-flows  [dp]  [filter=filter]
              Prints to the console all flow entries in datapath dp's flow ta‐
              ble.  Without -m or --more, output omits  match  fields  that  a
              flow  wildcards entirely; with -m or --more, output includes all
              wildcarded fields.

              If filter=filter is specified,  only  displays  the  flows  that
              match  the filter. filter is a flow in the form similiar to that
              accepted by ovs-ofctl(8)'s add-flow command.  (This  is  not  an
              OpenFlow  flow:  besides  other  differences,  it never contains
              wildcards.)  The filter  is  also  useful  to  match  wildcarded
              fields   in   the   datapath   flow.   As   an   example,   fil
              ter='tcp,tp_src=100' will match  the  datapath  flow  containing

              If  type=type  is  specified,  only displays flows of a specific
              type.  type can be offloaded to display only offloaded rules  or
              OVS  to  display only non-offloaded rules.  By default both off‐
              loaded and non-offloaded rules are displayed.

       add-flow [dp] flow actions

       [--clear] [--may-create] [-s | --statistics] mod-flow [dp] flow actions
              Adds or modifies a flow in dp's flow table that, when  a  packet
              matching flow arrives, causes actions to be executed.

              The  add-flow  command  succeeds  only  if flow does not already
              exist in dp.  Contrariwise, mod-flow without  --may-create  only
              modifies  the  actions for an existing flow.  With --may-create,
              mod-flow will add a new flow or modify an existing one.

              If -s or --statistics is specified,  then  mod-flow  prints  the
              modified  flow's statistics.  A flow's statistics are the number
              of packets and bytes that have  passed  through  the  flow,  the
              elapsed  time  since the flow last processed a packet (if ever),
              and (for TCP flows) the union of the TCP flags processed through
              the flow.

              With  --clear,  mod-flow  zeros  out the flow's statistics.  The
              statistics printed if -s or --statistics is also  specified  are
              those from just before clearing the statistics.

              NOTE:  flow  and  actions  do  not  match  the  syntax used with
              ovs-ofctl(8)'s add-flow command.

              Usage Examples

              Forward ARP between ports 1 and 2 on datapath myDP:

                     ovs-dpctl add-flow myDP \
                       "in_port(1),eth(),eth_type(0x0806),arp()" 2

                     ovs-dpctl add-flow myDP \
                       "in_port(2),eth(),eth_type(0x0806),arp()" 1

              Forward all IPv4 traffic between two addresses on ports 1 and 2:

                     ovs-dpctl add-flow myDP \
                        ipv4(src=,dst=" 2

                     ovs-dpctl add-flow myDP \
                        ipv4(src=,dst=" 1

       [-s | --statistics] del-flow [dp] flow
              Deletes the flow from dp's flow table that matches flow.  If  -s
              or  --statistics  is specified, then del-flow prints the deleted
              flow's statistics.

       [-m | --more] [--names | --no-names] get-flow [dp] ufid:ufid
              Fetches the flow from dp's flow  table  with  unique  identifier
              ufid.   ufid  must  be  specified  as a string of 32 hexadecimal

       del-flows [dp]
              Deletes all flow entries from datapath dp's flow table.

       The following commands are primarily useful for debugging  the  connec‐
       tion tracking entries in the datapath.

       The  dp argument to each of these commands is optional when exactly one
       datapath exists, in which case that datapath is the default.  When mul‐
       tiple datapaths exist, then a datapath name is required.

       N.B.(Linux  specific): the system datapaths (i.e. the Linux kernel mod‐
       ule Open vSwitch datapaths) share a single  connection  tracking  table
       (which is also used by other kernel subsystems, such as iptables, nfta‐
       bles and the regular host stack).  Therefore, the following commands do
       not apply specifically to one datapath.

       [-m | --more] [-s | --statistics] dump-conntrack [dp] [zone=zone]
              Prints  to the console all the connection entries in the tracker
              used by dp.  If zone=zone is specified, only shows  the  connec‐
              tions  in  zone.   With  --more,  some  implementation  specific
              details are included. With --statistics timeouts and  timestamps
              are added to the output.

       flush-conntrack [dp] [zone=zone]
              Flushes  all  the  connection entries in the tracker used by dp.
              If zone=zone is specified, only flushes the connections in zone.

       ct-stats-show [dp] [zone=zone] [verbose]
              Displays the number of connections grouped by protocol  used  by
              dp.  If zone=zone is specified, numbers refer to the connections
              in zone. The verbose option allows to group by connection  state
              for each protocol.

       ct-bkts [dp] [gt=Threshold]
              For  each ConnTracker bucket, displays the number of connections
              used by dp.  If gt=Threshold is specified,  bucket  numbers  are
              displayed  when the number of connections in a bucket is greater
              than Threshold.

              Causes the show command to print packet and  byte  counters  for
              each port within the datapaths that it shows.

       --more Increases verbosity of output for dump-flows and get-flow.

              Enables  or  disables  showing port names in place of numbers in
              output for dump-flows and get-flow.  By default, names are shown
              if at least one -m or --more is specified.

              Limits  ovs-dpctl runtime to approximately secs seconds.  If the
              timeout expires, ovs-dpctl will exit with a SIGALRM signal.

              Sets logging levels.  Without any spec, sets the log  level  for
              every  module and destination to dbg.  Otherwise, spec is a list
              of words separated by spaces or commas or colons, up to one from
              each category below:

              ·      A  valid  module name, as displayed by the vlog/list com‐
                     mand on ovs-appctl(8), limits the log level change to the
                     specified module.

              ·      syslog,  console,  or file, to limit the log level change
                     to only to the system log, to the console, or to a  file,
                     respectively.    (If  --detach  is  specified,  ovs-dpctl
                     closes its standard file descriptors, so logging  to  the
                     console will have no effect.)

                     On  Windows platform, syslog is accepted as a word and is
                     only useful along with the  --syslog-target  option  (the
                     word has no effect otherwise).

              ·      off,  emer,  err,  warn, info, or dbg, to control the log
                     level.  Messages of the given severity or higher will  be
                     logged,  and  messages of lower severity will be filtered
                     out.  off filters out all  messages.   See  ovs-appctl(8)
                     for a definition of each log level.

              Case is not significant within spec.

              Regardless  of  the  log  levels set for file, logging to a file
              will not take place unless --log-file  is  also  specified  (see

              For compatibility with older versions of OVS, any is accepted as
              a word but has no effect.

              Sets the maximum logging verbosity level, equivalent  to  --ver

              Sets  the  log  pattern  for  destination  to pattern.  Refer to
              ovs-appctl(8) for a description of the valid syntax for pattern.

              Sets the RFC5424 facility of the log message.  facility  can  be
              one  of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
              clock, ftp, ntp, audit, alert, clock2, local0,  local1,  local2,
              local3,  local4, local5, local6 or local7. If this option is not
              specified, daemon is used as the default for  the  local  system
              syslog  and local0 is used while sending a message to the target
              provided via the --syslog-target option.

              Enables logging to a file.  If file is  specified,  then  it  is
              used  as  the exact name for the log file.  The default log file
              name  used  if  file  is  omitted  is   /usr/local/var/log/open

              Send  syslog  messages  to  UDP port on host, in addition to the
              system syslog.  The host must be a numerical IP address,  not  a

              Specify method how syslog messages should be sent to syslog dae‐
              mon.  Following forms are supported:

              ·      libc, use libc syslog() function.  This  is  the  default
                     behavior.   Downside  of  using this options is that libc
                     adds fixed prefix to every message before it is  actually
                     sent  to  the  syslog  daemon  over  /dev/log UNIX domain

              ·      unix:file, use UNIX domain socket directly.  It is possi‐
                     ble to specify arbitrary message format with this option.
                     However, rsyslogd 8.9 and older versions use  hard  coded
                     parser  function  anyway  that  limits UNIX domain socket
                     use.  If you want to use arbitrary  message  format  with
                     older rsyslogd versions, then use UDP socket to localhost
                     IP address instead.

              ·      udp:ip:port, use UDP socket.  With this method it is pos‐
                     sible  to  use  arbitrary  message format also with older
                     rsyslogd.  When sending syslog messages over  UDP  socket
                     extra  precaution  needs  to  be  taken into account, for
                     example, syslog daemon needs to be configured  to  listen
                     on  the  specified  UDP  port,  accidental iptables rules
                     could be interfering with local syslog traffic and  there
                     are  some security considerations that apply to UDP sock‐
                     ets, but do not apply to UNIX domain sockets.

       --help Prints a brief help message to the console.

              Prints version information to the console.

       ovs-appctl(8), ovs-vswitchd(8)

Open vSwitch                        2.8.90                        ovs-dpctl(8)