Skip to content

ofprotocol Man Page

Jump to bottom Edit New page
Eder Leão Fernandes edited this page Sep 12, 2018 · 3 revisions

Description

The ofprotocol program sets up a secure channel between a local OpenFlow datapath and a remote controller. It connects to the local datapath over Netlink or TCP and to the controller over TCP or SSL, and then forwards OpenFlow messages from one endpoint to the other.

Synopsis

 ofprotocol [options] datapath controller[,controller...]

The mandatory datapath argument argument specifies the local datapath to relay. It takes one of the following forms:

  • unix:file : Attach to the userspace datapath implemented by ofdatapath. The file argument must the same one specified on the ofdatapath command line.

  • tcp:HOST[:PORT] : Connect to the IP address of a remote TCP HOST in the selected port. The default PORT is 6653.

The optional controller argument specifies supports only the tcp option.

Contacting the Controller

The OpenFlow switch must be able to contact the OpenFlow controller over the network. It can do so in one of two ways:

  • out-of-band: In this configuration, OpenFlow traffic uses a network separate from the data traffic that it controls, that is, the switch does not use any of the network devices added to the datapath with dpctl addif in its communication with the controller. To use ofprotocol in a network with out-of-band control, specify --out-of-band on the ofprotocol command line. The control network must be configured separately, before or after ofprotocol is started.

  • in-band: In this configuration, a single network is used for OpenFlow traffic and other data traffic, that is, the switch contacts the controller over one of the network devices added to the datapath. It is the default option.
    Manual configuration
    To configure in-band control manually, specify the location of the controller on the ofprotocol command line as the controller argument. You must also configure the network device for the OpenFlow local port to allow ofprotocol to connect to that controller. The OpenFlow local port is a virtual network port that ofprotocol bridges to the physical switch ports. The local port network device name may be specified on the ofdatapath command line, using the --local-port option. It is often tap0.

Networking Options

  • -F, --fail=[open|closed]: The controller is, ordinarily, responsible for setting up all flows on the OpenFlow switch. Thus, if the connection to the controller fails, no new network connections can be set up. If the connection to the controller stays down long enough, no packets can pass through the switch at all.

If this option is set to open (the default), ofprotocol will take over responsibility for setting up flows in the local datapath when no message has been received from the controller for three times the inactivity probe interval (see below), or 45 seconds by default. In this fail open mode, ofprotocol causes the datapath to act like an ordinary MAC-learning switch. ofprotocol will continue to retry connection to the controller in the background and, when the connection succeeds, it discontinues its fail-open behavior.

If this option is set to closed, then ofprotocol will not set up flows on its own when the controller connection fails.

  • --inactivity-probe=secs: When the secure channel is connected to the controller, the secure channel waits for a message to be received from the controller for secs seconds before it sends a inactivity probe to the controller. After sending the inactivity probe, if no response is received for an additional secs seconds, the secure channel assumes that the connection has been broken and attempts to reconnect. The default is 15 seconds, and the minimum value is 1 seconds.

When fail-open mode is configured, changing the inactivity probe interval also changes the interval before entering fail-open mode (see above).

  • --max-idle=secs|permanent: Sets secs as the number of seconds that a flow set up by the secure channel will remain in the switch's flow table without any matching packets being seen. If permanent is specified, which is not recommended, flows set up by the secure channel will never expire. The default is 15 seconds.

Most flows are set up by the OpenFlow controller, not by the secure channel. This option affects only the following flows, which the secure channel sets up itself:

When --fail=open is specified, flows set up when the secure channel has not been able to contact the controller for the configured fail-open delay.

When in-band control is in use, flows set up to bootstrap contacting the controller (see CONTACTING THE CONTROLLER, above, for more information about in-band control).

As a result, when both --fail=closed and --out-of-band are specified, this option has no effect.

  • --max-backoff=secs: Sets the maximum time between attempts to connect to the controller to secs, which must be at least 1. The actual interval between connection attempts starts at 1 second and doubles on each failing attempt until it reaches the maximum. The default maximum backoff time is 15 seconds.

  • -l, --listen=method: Configures the switch to additionally listen for incoming OpenFlow connections for switch management with dpctl. The method must be given as one of the passive OpenFlow connection methods listed below. This option may be specified multiple times to listen to multiple connection methods.

            ptcp:[port]: Listens for TCP connections on port (default: 6653).

        punix:file:Listens for connections on Unix domain server socket named file.

  • -m, --monitor=method: Configures the switch to additionally listen for incoming OpenFlow connections for switch monitoring with dpctl's monitor command. The method must be given as one of the passive OpenFlow connection methods listed above as acceptable for --listen.

When dpctl monitor makes a monitoring connection, ofprotocol sends it a copy of every OpenFlow message sent to or received from the kernel in the normal course of its operations. It does not send a copy of any messages sent to or from the OpenFlow connection to the controller. Most of these messages will be seen anyhow, however, because ofprotocol mainly acts as a relay between the controller and the kernel. ofprotocol also does not send a copy of any messages sent to or from the OpenFlow connection to the controller. Such messages will typically not be seen, because ofprotocol maintains a separate connection to the kernel for each management connection.

Messages are copied to the monitoring connections on a best-effort basis. In particular, if the socket buffer of the monitoring connection fills up, some messages will be lost.

  • --in-band, --out-of-band: Configures ofprotocol to operate in in-band or out-of-band control mode (see CONTACTING THE CONTROLLER above). When neither option is given, the default is in-band control.

Rate-Limiting Options

   These options configure how the switch applies a ``token bucket'' to limit the rate at which packets in unknown flows are forwarded to an  OpenFlow controller for flow-setup processing.  This feature prevents a single OpenFlow switch from overwhelming a controller.
  • --rate-limit[=rate]: Limits the maximum rate at which packets will be forwarded to the OpenFlow controller to rate packets per second. If rate is not specified then the default of 1,000 packets per second is used.

If --rate-limit is not used, then the switch does not limit the rate at which packets are forwarded to the controller.

  • --burst-limit=burst: Sets the maximum number of unused packet credits that the switch will allow to accumulate during time in which no packets are being forwarded to the OpenFlow controller to burst (measured in packets). The default burst is one-quarter of the rate specified on --rate-limit.

This option takes effect only when --rate-limit is also specified.

Daemon Options

  • -P[pidfile], --pidfile[=pidfile]: Causes a file (by default, ofprotocol.pid) to be created indicating the PID of the running process. If pidfile is not specified, or if it does not begin with /, then it is created in /usr/local/var/run.

  • -f, --force: By default, when -P or --pidfile is specified and the specified pidfile already exists and is locked by a running process, ofprotocol refuses to start. Specify -f or --force to cause it to instead overwrite the pidfile.

When -P or --pidfile is not specified, this option has no effect.

  • *-D, --detach: Causes ofprotocol to detach itself from the foreground session and run as a background process.

Logging Options

  • -vmodule[:facility[:level]], --verbose=module[:facility[:level]]: Sets the logging level for module in facility to level:

    module: may be any valid module name (emer, err, warn, info, or dbg), or the special name ANY to set the logging levels for all modules.

    facility: may be syslog, console, or file to set the levels for logging to the system log, the console, or a file respectively, or ANY to set the logging levels for both facilities. If it is omitted, facility defaults to ANY. Regardless of the log levels set for file, logging to a file will not take place unless --log-file is also specified (see below).

    level: must be one of emer, err, warn, info, or dbg, designating the minimum severity of a message for it to be logged. If it is omitted, level defaults to dbg.

  • -v, --verbose: Sets the maximum logging verbosity level, equivalent to --verbose=ANY:ANY:dbg.

  • --log-file[=file]: Enables logging to a file. If file is specified, then it is used as the exact name for the log file.

Other Options

  • -h, --help: Prints a brief help message to the console.

  • -V, --version: Prints version information to the console.

Add a custom footer
Add a custom sidebar
Clone this wiki locally