mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-31 06:15:47 +00:00
Code Issues Releases Wiki Activity
Files
2956a612651e505e5bcf9bb69414a81b07a03a04
ovs/lib/dpctl.man
Paolo Valerio 9b4d2ad8e8 conntrack: Allow to dump userspace conntrack expectations. 
The patch introduces a new commands ovs-appctl dpctl/dump-conntrack-exp
that allows to dump the existing expectations for the userspace ct.

Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-06-29 22:20:43 +02:00

421 lines
18 KiB
Groff
Raw Blame History

Do not use commands to add or remove or modify datapaths if
\fBovs\-vswitchd\fR is running because this interferes with
\fBovs\-vswitchd\fR's own datapath management.
.TP
\*(DX\fBadd\-dp \fIdp\fR [\fInetdev\fR[\fB,\fIoption\fR]...]
Creates datapath \fIdp\fR, with a local port also named \fIdp\fR.
This will fail if a network device \fIdp\fR already exists.
.IP
If \fInetdev\fRs are specified, \fB\*(PN\fR adds them to the
new datapath, just as if \fBadd\-if\fR was specified.
.
.TP
\*(DX\fBdel\-dp \fIdp\fR
Deletes datapath \fIdp\fR. If \fIdp\fR is associated with any network
devices, they are automatically removed.
.
.TP
\*(DX\fBadd\-if \fIdp netdev\fR[\fB,\fIoption\fR]...
Adds each \fInetdev\fR to the set of network devices datapath
\fIdp\fR monitors, where \fIdp\fR is the name of an existing
datapath, and \fInetdev\fR is the name of one of the host's
network devices, e.g. \fBeth0\fR. Once a network device has been added
to a datapath, the datapath has complete ownership of the network device's
traffic and the network device appears silent to the rest of the
system.
.IP
A \fInetdev\fR may be followed by a comma-separated list of options.
The following options are currently supported:
.
.RS
.IP "\fBtype=\fItype\fR"
Specifies the type of port to add. The default type is \fBsystem\fR.
.IP "\fBport_no=\fIport\fR"
Requests a specific port number within the datapath. If this option is
not specified then one will be automatically assigned.
.IP "\fIkey\fB=\fIvalue\fR"
Adds an arbitrary key-value option to the port's configuration.
.RE
.IP
\fBovs\-vswitchd.conf.db\fR(5) documents the available port types and
options.
.
.IP "\*(DX\fBset\-if \fIdp port\fR[\fB,\fIoption\fR]..."
Reconfigures each \fIport\fR in \fIdp\fR as specified. An
\fIoption\fR of the form \fIkey\fB=\fIvalue\fR adds the specified
key-value option to the port or overrides an existing key's value. An
\fIoption\fR of the form \fIkey\fB=\fR, that is, without a value,
deletes the key-value named \fIkey\fR. The type and port number of a
port cannot be changed, so \fBtype\fR and \fBport_no\fR are only allowed if
they match the existing configuration.
.TP
\*(DX\fBdel\-if \fIdp netdev\fR...
Removes each \fInetdev\fR from the list of network devices datapath
\fIdp\fR monitors.
.
.TP
\*(DX\fBdump\-dps\fR
Prints the name of each configured datapath on a separate line.
.
.TP
.DO "[\fB\-s\fR | \fB\-\-statistics\fR]" "\*(DX\fBshow" "\fR[\fIdp\fR...]"
Prints a summary of configured datapaths, including their datapath
numbers and a list of ports connected to each datapath. (The local
port is identified as port 0.) If \fB\-s\fR or \fB\-\-statistics\fR
is specified, then packet and byte counters are also printed for each
port.
.IP
The datapath numbers consists of flow stats and mega flow mask stats.
.IP
The "lookups" row displays three stats related to flow lookup triggered
by processing incoming packets in the datapath. "hit" displays number
of packets matches existing flows. "missed" displays the number of
packets not matching any existing flow and require user space processing.
"lost" displays number of packets destined for user space process but
subsequently dropped before reaching userspace. The sum of "hit" and "miss"
equals to the total number of packets datapath processed.
.IP
The "flows" row displays the number of flows in datapath.
.IP
The "masks" row displays the mega flow mask stats. This row is omitted
for datapath not implementing mega flow. "hit" displays the total number
of masks visited for matching incoming packets. "total" displays number of
masks in the datapath. "hit/pkt" displays the average number of masks
visited per packet; the ratio between "hit" and total number of
packets processed by the datapath.
.IP
If one or more datapaths are specified, information on only those
datapaths are displayed. Otherwise, \fB\*(PN\fR displays information
about all configured datapaths.
.SS "DATAPATH FLOW TABLE DEBUGGING COMMANDS"
The following commands are primarily useful for debugging Open
vSwitch. The flow table entries (both matches and actions) that they
work with are not OpenFlow flow entries. Instead, they are different
and considerably simpler flows maintained by the Open vSwitch kernel
module. Do not use commands to add or remove or modify datapath flows
if \fBovs\-vswitchd\fR is running because it interferes with
\fBovs\-vswitchd\fR's own datapath flow management. Use
\fBovs\-ofctl\fR(8), instead, to work with OpenFlow flow entries.
.
.PP
The \fIdp\fR argument to each of these commands is optional when
exactly one datapath exists, in which case that datapath is the
default. When multiple datapaths exist, then a datapath name is
required.
.
.TP
.DO "[\fB\-m \fR| \fB\-\-more\fR] [\fB\-\-names \fR| \fB\-\-no\-names\fR]" \*(DX\fBdump\-flows\fR "[\fIdp\fR] [\fBfilter=\fIfilter\fR] [\fBtype=\fItype\fR] [\fBpmd=\fIpmd\fR]"
Prints to the console all flow entries in datapath \fIdp\fR's flow
table. Without \fB\-m\fR or \fB\-\-more\fR, output omits match fields
that a flow wildcards entirely; with \fB\-m\fR or \fB\-\-more\fR,
output includes all wildcarded fields.
.IP
If \fBfilter=\fIfilter\fR is specified, only displays the flows
that match the \fIfilter\fR. \fIfilter\fR is a flow in the form similar
to that accepted by \fBovs\-ofctl\fR(8)'s \fBadd\-flow\fR command. (This is
not an OpenFlow flow: besides other differences, it never contains wildcards.)
The \fIfilter\fR is also useful to match wildcarded fields in the datapath
flow. As an example, \fBfilter='tcp,tp_src=100'\fR will match the
datapath flow containing '\fBtcp(src=80/0xff00,dst=8080/0xff)\fR'.
.IP
If \fBpmd=\fIpmd\fR is specified, only displays flows of the specified pmd.
Using \fBpmd=\fI-1\fR will restrict the dump to flows from the main thread.
This option is only supported by the \fBuserspace datapath\fR.
.IP
If \fBtype=\fItype\fR is specified, only displays flows of the specified types.
This option supported only for \fBovs\-appctl dpctl/dump\-flows\fR.
\fItype\fR is a comma separated list, which can contain any of the following:
.
\fBovs\fR - displays flows handled in the ovs dp
\fBtc\fR - displays flows handled in the tc dp
\fBdpdk\fR - displays flows fully offloaded by dpdk
\fBoffloaded\fR - displays flows offloaded to the HW
\fBnon-offloaded\fR - displays flows not offloaded to the HW
\fBpartially-offloaded\fR - displays flows where only part of their proccessing is done in HW
\fBall\fR - displays all the types of flows
.IP
By default all the types of flows are displayed.
\fBovs\-dpctl\fR always acts as if the \fBtype\fR was \fIovs\fR.
.
.IP "\*(DX\fBadd\-flow\fR [\fIdp\fR] \fIflow actions\fR"
.TP
.DO "[\fB\-\-clear\fR] [\fB\-\-may-create\fR] [\fB\-s\fR | \fB\-\-statistics\fR]" "\*(DX\fBmod\-flow\fR" "[\fIdp\fR] \fIflow actions\fR"
Adds or modifies a flow in \fIdp\fR's flow table that, when a packet
matching \fIflow\fR arrives, causes \fIactions\fR to be executed.
.IP
The \fBadd\-flow\fR command succeeds only if \fIflow\fR does not
already exist in \fIdp\fR. Contrariwise, \fBmod\-flow\fR without
\fB\-\-may\-create\fR only modifies the actions for an existing flow.
With \fB\-\-may\-create\fR, \fBmod\-flow\fR will add a new flow or
modify an existing one.
.IP
If \fB\-s\fR or \fB\-\-statistics\fR is specified, then
\fBmod\-flow\fR prints the modified flow's statistics. A flow's
statistics are the number of packets and bytes that have passed
through the flow, the elapsed time since the flow last processed a
packet (if ever), and (for TCP flows) the union of the TCP flags
processed through the flow.
.IP
With \fB\-\-clear\fR, \fBmod\-flow\fR zeros out the flow's
statistics. The statistics printed if \fB\-s\fR or
\fB\-\-statistics\fR is also specified are those from just before
clearing the statistics.
.IP
NOTE:
\fIflow\fR and \fIactions\fR do not match the syntax used with
\fBovs\-ofctl\fR(8)'s \fBadd\-flow\fR command.
.
.IP
\fBUsage Examples\fR
.
.RS
.PP
Forward ARP between ports 1 and 2 on datapath myDP:
.IP
ovs-dpctl add-flow myDP \\
.
"in_port(1),eth(),eth_type(0x0806),arp()" 2
.
.IP
ovs-dpctl add-flow myDP \\
.
"in_port(2),eth(),eth_type(0x0806),arp()" 1
.
.PP
Forward all IPv4 traffic between two addresses on ports 1 and 2:
.
.IP
ovs-dpctl add-flow myDP \\
.
"in_port(1),eth(),eth_type(0x800),\\
ipv4(src=172.31.110.4,dst=172.31.110.5)" 2
.
.IP
ovs-dpctl add-flow myDP \\
.
"in_port(2),eth(),eth_type(0x800),\\
ipv4(src=172.31.110.5,dst=172.31.110.4)" 1
.
.RE
.TP
\*(DX\fBadd\-flows\fR [\fIdp\fR] \fIfile\fR
.TQ
\*(DX\fBmod\-flows\fR [\fIdp\fR] \fIfile\fR
.TQ
\*(DX\fBdel\-flows\fR [\fIdp\fR] \fIfile\fR
Reads flow entries from \fIfile\fR (or \fBstdin\fR if \fIfile\fR is
\fB\-\fR) and adds, modifies, or deletes each entry to the datapath.
.
Each flow specification (e.g., each line in \fIfile\fR) may start with
\fBadd\fR, \fBmodify\fR, or \fBdelete\fR keyword to specify whether a
flow is to be added, modified, or deleted. A flow specification without
one of these keywords is treated based on the used command. All flow
modifications are executed as individual transactions in the order
specified.
.
.TP
.DO "[\fB\-s\fR | \fB\-\-statistics\fR]" "\*(DX\fBdel\-flow\fR" "[\fIdp\fR] \fIflow\fR"
Deletes the flow from \fIdp\fR's flow table that matches \fIflow\fR.
If \fB\-s\fR or \fB\-\-statistics\fR is specified, then
\fBdel\-flow\fR prints the deleted flow's statistics.
.
.TP
.DO "[\fB\-m \fR| \fB\-\-more\fR] [\fB\-\-names \fR| \fB\-\-no\-names\fR]" "\*(DX\fBget\-flow\fR [\fIdp\fR] ufid:\fIufid\fR"
Fetches the flow from \fIdp\fR's flow table with unique identifier \fIufid\fR.
\fIufid\fR must be specified as a string of 32 hexadecimal characters.
.
.IP "\*(DX\fBdel\-flows\fR [\fIdp\fR]"
Deletes all flow entries from datapath \fIdp\fR's flow table.
.SS "DATAPATH FLOW CACHE COMMANDS"
The following commands are useful for debugging and configuring
the datapath flow cache settings.
.
.TP
\*(DX\fBcache\-get\-size\fR [\fIdp\fR]
Prints the current cache sizes to the console.
.
.TP
\*(DX\fBcache\-set\-size\fR \fIdp\fR \fIcache\fR \fIsize\fR
Set the \fIdp\fR's specific \fIcache\fR to the given \fIsize\fR.
The cache name can be found by using the \fBcache\-get\-size\fR
command.
.
.SS "CONNECTION TRACKING TABLE COMMANDS"
The following commands are useful for debugging and configuring
the connection tracking table in the datapath.
.
.PP
The \fIdp\fR argument to each of these commands is optional when
exactly one datapath exists, in which case that datapath is the
default. When multiple datapaths exist, then a datapath name is
required.
.
.PP
\fBN.B.\fR(Linux specific): the \fIsystem\fR datapaths (i.e. the Linux
kernel module Open vSwitch datapaths) share a single connection tracking
table (which is also used by other kernel subsystems, such as iptables,
nftables and the regular host stack). Therefore, the following commands
do not apply specifically to one datapath.
.
.TP
\*(DX\fBipf\-set\-enabled\fR [\fIdp\fR] \fBv4\fR|\fBv6\fR
.TQ
\*(DX\fBipf\-set\-disabled\fR [\fIdp\fR] \fBv4\fR|\fBv6\fR
Enables or disables IP fragmentation handling for the userspace
connection tracker. Either \fBv4\fR or \fBv6\fR must be specified.
Both IPv4 and IPv6 fragment reassembly are enabled by default. Only
supported for the userspace datapath.
.
.TP
\*(DX\fBipf\-set\-min\-frag\fR [\fIdp\fR] \fBv4\fR|\fBv6\fR \fIminfrag\fR
Sets the minimum fragment size (L3 header and data) for non-final fragments to
\fIminfrag\fR. Either \fBv4\fR or \fBv6\fR must be specified. For
enhanced DOS security, higher minimum fragment sizes can usually be used.
The default IPv4 value is 1200 and the clamped minimum is 400. The default
IPv6 value is 1280, with a clamped minimum of 400, for testing
flexibility. The maximum fragment size is not clamped, however, setting
this value too high might result in valid fragments being dropped. Only
supported for userspace datapath.
.
.TP
\*(DX\fBipf\-set\-max\-nfrags\fR [\fIdp\fR] \fImaxfrags\fR
Sets the maximum number of fragments tracked by the userspace datapath
connection tracker to \fImaxfrags\fR. The default value is 1000 and the
clamped maximum is 5000. Note that packet buffers can be held by the
fragmentation module while fragments are incomplete, but will timeout
after 15 seconds. Memory pool sizing should be set accordingly when
fragmentation is enabled. Only supported for userspace datapath.
.
.TP
.DO "[\fB\-m\fR | \fB\-\-more\fR]" "\*(DX\fBipf\-get\-status\fR [\fIdp\fR]"
Gets the configuration settings and fragment counters associated with the
fragmentation handling of the userspace datapath connection tracker.
With \fB\-m\fR or \fB\-\-more\fR, also dumps the IP fragment lists.
Only supported for userspace datapath.
.
.TP
.DO "[\fB\-m\fR | \fB\-\-more\fR] [\fB\-s\fR | \fB\-\-statistics\fR]" "\*(DX\fBdump\-conntrack\fR" "[\fIdp\fR] [\fBzone=\fIzone\fR]"
Prints to the console all the connection entries in the tracker used by
\fIdp\fR. If \fBzone=\fIzone\fR is specified, only shows the connections
in \fIzone\fR. With \fB\-\-more\fR, some implementation specific details
are included. With \fB\-\-statistics\fR timeouts and timestamps are
added to the output.
.
.TP
\*(DX\fBdump\-conntrack\-exp\fR [\fIdp\fR] [\fBzone=\fIzone\fR]
Prints to the console all the expectation entries in the tracker used by
\fIdp\fR. If \fBzone=\fIzone\fR is specified, only shows the expectations
in \fIzone\fR. Only supported for userspace datapath.
.
.TP
\*(DX\fBflush\-conntrack\fR [\fIdp\fR] [\fBzone=\fIzone\fR] [\fIct-origin-tuple\fR [\fIct-reply-tuple\fR]]
Flushes the connection entries in the tracker used by \fIdp\fR based on
\fIzone\fR and connection tracking tuple \fIct-origin-tuple\fR.
If \fIct-tuple\fR is not provided, flushes all the connection entries.
If \fBzone\fR=\fIzone\fR is specified, only flushes the connections in
\fIzone\fR.
.IP
If \fIct-[orig|reply]-tuple\fR is provided, flushes the connection entry
specified by \fIct-[orig|reply]-tuple\fR in \fIzone\fR. The zone defaults
to 0 if it is not provided. The userspace connection tracker requires flushing
with the original pre-NATed tuple and a warning log will be otherwise
generated. The tuple can be partial and will remove all connections that are
matching on the specified fields. In order to specify only
\fIct-reply-tuple\fR, provide empty string as \fIct-origin-tuple\fR.
.IP
Note: Currently there is a limitation for matching on ICMP, in order to
partially match on ICMP parameters the \fIct-[orig|reply]-tuple\fR has
to include either source or destination IP.
.IP
An example of an IPv4 ICMP \fIct-[orig|reply]-tuple\fR:
.IP
"ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=1,icmp_type=8,icmp_code=0,icmp_id=10"
.IP
An example of an IPv6 TCP \fIct-[orig|reply]-tuple\fR:
.IP
"ct_ipv6_src=fc00::1,ct_ipv6_dst=fc00::2,ct_nw_proto=6,ct_tp_src=1,ct_tp_dst=2"
.
.TP
.DO "[\fB\-m\fR | \fB\-\-more\fR]" "\*(DX\fBct\-stats\-show\fR [\fIdp\fR] [\fBzone=\fIzone\fR]"
Displays the number of connections grouped by protocol used by \fIdp\fR.
If \fBzone=\fIzone\fR is specified, numbers refer to the connections in
\fIzone\fR. With \fB\-\-more\fR, groups by connection state for each
protocol.
.
.TP
\*(DX\fBct\-bkts\fR [\fIdp\fR] [\fBgt=\fIthreshold\fR]
For each conntrack bucket, displays the number of connections used
by \fIdp\fR.
If \fBgt=\fIthreshold\fR is specified, bucket numbers are displayed when
the number of connections in a bucket is greater than \fIthreshold\fR.
.
.TP
\*(DX\fBct\-set\-maxconns\fR [\fIdp\fR] \fImaxconns\fR
Sets the maximum limit of connection tracker entries to \fImaxconns\fR
on \fIdp\fR. This can be used to reduce the processing load on the
system due to connection tracking or simply limiting connection
tracking. If the number of connections is already over the new maximum
limit request then the new maximum limit will be enforced when the
number of connections decreases to that limit, which normally happens
due to connection expiry. Only supported for userspace datapath.
.
.TP
\*(DX\fBct\-get\-maxconns\fR [\fIdp\fR]
Prints the maximum limit of connection tracker entries on \fIdp\fR.
Only supported for userspace datapath.
.
.TP
\*(DX\fBct\-get\-nconns\fR [\fIdp\fR]
Prints the current number of connection tracker entries on \fIdp\fR.
Only supported for userspace datapath.
.
.TP
\*(DX\fBct\-enable\-tcp\-seq\-chk\fR [\fIdp\fR]
.TQ
\*(DX\fBct\-disable\-tcp\-seq\-chk\fR [\fIdp\fR]
Enables or disables TCP sequence checking. When set to disabled, all sequence
number verification is disabled, including for TCP resets. This is
similar, but not the same as 'be_liberal' mode, as in Netfilter. Disabling
sequence number verification is not an optimization in itself, but is needed
for some hardware offload support which might offer some performance
advantage. Sequence number checking is enabled by default to enforce better
security and should only be disabled if required for hardware offload support.
This command is only supported for the userspace datapath.
.
.TP
\*(DX\fBct\-get\-tcp\-seq\-chk\fR [\fIdp\fR]
Prints whether TCP sequence checking is enabled or disabled on \fIdp\fR. Only
supported for the userspace datapath.
.
.TP
\*(DX\fBct\-set\-sweep\-interval\fR [\fIdp\fR] \fIms\fR
Sets the sweep interval. Only supported for the userspace datapath.
.
.TP
\*(DX\fBct\-get\-sweep\-interval\fR [\fIdp\fR]
Prints the current sweep interval in ms. Only supported for the userspace
datapath.
.
.TP
\*(DX\fBct\-set\-limits\fR [\fIdp\fR] [\fBdefault=\fIdefault_limit\fR] [\fBzone=\fIzone\fR,\fBlimit=\fIlimit\fR]...
Sets the maximum allowed number of connections in a connection tracking
zone. A specific \fIzone\fR may be set to \fIlimit\fR, and multiple zones
may be specified with a comma-separated list. If a per-zone limit for a
particular zone is not specified in the datapath, it defaults to the
default per-zone limit. A default zone may be specified with the
\fBdefault=\fIdefault_limit\fR argument. Initially, the default
per-zone limit is unlimited. An unlimited number of entries may be set
with \fB0\fR limit.
.
.TP
\*(DX\fBct\-del\-limits\fR [\fIdp\fR] \fBzone=\fIzone[,zone]\fR...
Deletes the connection tracking limit for \fIzone\fR. Multiple zones may
be specified with a comma-separated list.
.
.TP
\*(DX\fBct\-get\-limits\fR [\fIdp\fR] [\fBzone=\fIzone\fR[\fB,\fIzone\fR]...]
Retrieves the maximum allowed number of connections and current
counts per-zone. If \fIzone\fR is given, only the specified zone(s) are
printed. If no zones are specified, all the zone limits and counts are
provided. The command always displays the default zone limit.
Reference in New Issue View Git Blame Copy Permalink