path: root/utilities/ovs-controller.8.in
blob: 31c7a865c9bf3bb087c0f1df0a36aae6cc191cf4 (plain)
.TH ovs\-controller 8 "March 2009" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-controller

.SH NAME
ovs\-controller \- simple OpenFlow controller reference implementation

.SH SYNOPSIS
.B ovs\-controller
[\fIoptions\fR] \fImethod\fR [\fImethod\fR]\&...

.SH DESCRIPTION
\fBovs\-controller\fR manages any number of remote switches over the
OpenFlow protocol, causing them to function as L2 MAC-learning switches
or hubs.

\fBovs\-controller\fR controls one or more OpenFlow switches, specified as
one or more of the following OpenFlow connection methods:

.TP
\fBpssl:\fR[\fIport\fR]
Listens for SSL connections from remote OpenFlow switches on
\fIport\fR (default: 6633).  The \fB--private-key\fR,
\fB--certificate\fR, and \fB--ca-cert\fR options are mandatory when
this form is used.

.TP
\fBptcp:\fR[\fIport\fR]
Listens for TCP connections from remote OpenFlow switches on
\fIport\fR (default: 6633).

.TP
\fBpunix:\fIfile\fR
Listens for connections from OpenFlow switches on the Unix domain
server socket named \fIfile\fR.

.TP
\fBssl:\fIhost\fR[\fB:\fIport\fR]
The specified SSL \fIport\fR (default: 6633) on the given remote
\fIhost\fR.  The \fB--private-key\fR, \fB--certificate\fR, and
\fB--ca-cert\fR options are mandatory when this form is used.

.TP
\fBtcp:\fIhost\fR[\fB:\fIport\fR]
The specified TCP \fIport\fR (default: 6633) on the given remote
\fIhost\fR.

.TP
\fBunix:\fIfile\fR
The Unix domain server socket named \fIfile\fR.

.SH OPTIONS
.TP
\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
Specifies a PEM file containing the private key used as the switch's
identity for SSL connections to the controller.

.TP
\fB-c\fR, \fB--certificate=\fIcert.pem\fR
Specifies a PEM file containing a certificate, signed by the
controller's certificate authority (CA), that certifies the switch's
private key to identify a trustworthy switch.

.TP
\fB-C\fR, \fB--ca-cert=\fIswitch-cacert.pem\fR
Specifies a PEM file containing the CA certificate used to verify that
the switch is connected to a trustworthy controller.

.TP
\fB--peer-ca-cert=\fIcontroller-cacert.pem\fR
Specifies a PEM file that contains one or more additional certificates
to send to switches.  \fIcontroller-cacert.pem\fR should be the CA
certificate used to sign the controller's own certificate (the
certificate specified on \fB-c\fR or \fB--certificate\fR).

This option is not useful in normal operation, because the switch must
already have the controller CA certificate for it to have any
confidence in the controller's identity.  However, this option allows
a newly installed switch to obtain the controller CA certificate on
first boot using, e.g., the \fB--bootstrap-ca-cert\fR option to
\fBsecchan\fR(8).

.IP "\fB-n\fR, \fB--noflow\fR"
By default, \fBovs\-controller\fR sets up a flow in each OpenFlow switch
whenever it receives a packet whose destination is known through
MAC learning.  This option disables flow setup, so that every packet
in the network passes through the controller.

This option is most useful for debugging.  It reduces switching
performance, so it should not be used in production.

.TP
\fB--max-idle=\fIsecs\fR|\fBpermanent\fR
Sets \fIsecs\fR as the number of seconds that a flow set up by the
controller will remain in the switch's flow table without any matching
packets being seen.  If \fBpermanent\fR is specified, which is not
recommended, flows will never expire.  The default is 60 seconds.

This option affects only flows set up by the OpenFlow controller.  In
some configurations, the switch can set up some flows
on its own.  To set the idle time for those flows, pass
\fB--max-idle\fR to \fBsecchan\fR (on the switch).

This option has no effect when \fB-n\fR (or \fB--noflow\fR) is in use
(because the controller does not set up flows in that case).

.IP "\fB-H\fR, \fB--hub\fR"
By default, the controller acts as an L2 MAC-learning switch.  This
option changes its behavior to that of a hub that floods packets on
all but the incoming port.

If \fB-H\fR (or \fB--hub\fR) and \fB-n\fR (or \fB--noflow\fR) are used
together, then the cumulative effect is that every packet passes
through the controller and every packet is flooded.

This option is most useful for debugging.  It reduces switching
performance, so it should not be used in production.

.so lib/daemon.man
.so lib/vlog.man
.so lib/common.man

.SH EXAMPLES

.TP
To bind locally to port 6633 (the default) and wait for incoming connections from OpenFlow switches:

.B % ovs\-controller ptcp:

.SH "SEE ALSO"

.BR secchan (8),
.BR ovs\-appctl (8),
.BR ovs\-dpctl (8)
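
The following is an added example, not part of Open vSwitch: a shell function that lints an ovs\-controller command line against the rules stated above (mandatory SSL options for pssl: and ssl:, the debugging-only options, and \-\-max\-idle interactions). The function name and the sample file names are assumptions, and the plain-TCP warning reflects the general property that TCP gives no encryption or peer authentication rather than wording from this page.

```shell
#!/bin/sh
# Added example (not Open vSwitch code): pre-flight lint for an
# ovs-controller command line, based on the rules in this man page.
# Prints one finding per line; returns 1 if a mandatory option is missing.
check_ovs_controller() {
    key=0; cert=0; ca=0; noflow=0; maxidle=""; ssl=""; status=0; prev=""
    for arg in "$@"; do
        # Accept "--max-idle VALUE" as well as "--max-idle=VALUE".
        if [ "$prev" = "--max-idle" ]; then maxidle=$arg; fi
        prev=$arg
        case $arg in
            -p*|--private-key|--private-key=*) key=1 ;;
            -c*|--certificate|--certificate=*) cert=1 ;;
            -C*|--ca-cert|--ca-cert=*) ca=1 ;;
            -n|--noflow) noflow=1
                echo "WARN $arg: every packet passes through the controller (debugging only)" ;;
            -H|--hub)
                echo "WARN $arg: floods packets like a hub (debugging only)" ;;
            --max-idle=*) maxidle=${arg#--max-idle=} ;;
            pssl:*|ssl:*) ssl="$ssl $arg" ;;
            ptcp:*|tcp:*)
                echo "WARN $arg: OpenFlow over plain TCP, no encryption or peer authentication" ;;
        esac
    done
    # pssl: and ssl: need all three of the key, certificate and CA options.
    for m in $ssl; do
        if [ $((key + cert + ca)) -ne 3 ]; then
            echo "ERROR $m: --private-key, --certificate and --ca-cert are mandatory"
            status=1
        fi
    done
    if [ "$maxidle" = permanent ]; then
        echo "WARN --max-idle=permanent: flows never expire (not recommended)"
    fi
    if [ -n "$maxidle" ] && [ "$noflow" -eq 1 ]; then
        echo "WARN --max-idle has no effect together with --noflow"
    fi
    return $status
}

# Constructed sample invocation; the .pem names are placeholders.
# The CA certificate is missing, so this reports an ERROR for pssl:6633.
check_ovs_controller pssl:6633 -p ctl-privkey.pem -c ctl-cert.pem || true
```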