X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=utilities%2Fovs-openflowd.8.in;h=2441279ed9a821c0ddf453d30ff2d75849ff57c2;hb=fb214965c60bdc7f7ff139356e50916bdabda9be;hp=312e7f73e7a15bf02a3e68d93f9d74fa16583f68;hpb=d17ee8689bff22541dccaa792b70a848641f3646;p=openvswitch diff --git a/utilities/ovs-openflowd.8.in b/utilities/ovs-openflowd.8.in index 312e7f73..2441279e 100644 --- a/utilities/ovs-openflowd.8.in +++ b/utilities/ovs-openflowd.8.in @@ -21,23 +21,9 @@ to relay. It takes one of the following forms: .PP The optional \fIcontroller\fR argument specifies how to connect to the OpenFlow controller. It takes one of the following forms: - -.RS -.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" -The specified SSL \fIport\fR (default: 6633) on the host at the given -\fIip\fR, which must be expressed as an IP address (not a DNS name). -The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR -options are mandatory when this form is used. - -.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]" -The specified TCP \fIport\fR (default: 6633) on the host at the given -\fIip\fR, which must be expressed as an IP address (not a DNS name). - -.TP -\fBunix:\fIfile\fR -The Unix domain server socket named \fIfile\fR. -.RE - +. +.so lib/vconn-active.man +. .PP If \fIcontroller\fR is omitted, \fBovs\-openflowd\fR attempts to discover the location of the controller automatically (see below). @@ -218,14 +204,6 @@ If this option is omitted, the default datapath ID is taken from the Ethernet address of the datapath's local port (which is typically randomly generated). -.TP -\fB--mgmt-id=\fImgmtid\fR -Sets \fImgmtid\fR, which must consist of exactly 12 hexadecimal -digits, as the switch's management ID. - -If this option is omitted, the management ID defaults to 0, signaling -to the controller that management is supported but not configured. - .TP \fB--fail=\fR[\fBopen\fR|\fBclosed\fR] The controller is, ordinarily, responsible for setting up all flows on 
@@ -310,25 +288,7 @@ multiple connection methods. If a single \fImethod\fR of \fBnone\fR is used, no listeners will be created. .RS -.TP -\fBpssl:\fR[\fIport\fR][\fB:\fIip\fR] -Listens for SSL connections on \fIport\fR (default: 6633). The -\fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR options -are mandatory when this form is used. -By default, \fB\*(PN\fR listens for connections to any local IP -address, but \fIip\fR may be specified to listen only for connections -to the given \fIip\fR. - -.TP -\fBptcp:\fR[\fIport\fR][\fB:\fIip\fR] -Listens for TCP connections on \fIport\fR (default: 6633). -By default, \fB\*(PN\fR listens for connections to any local IP -address, but \fIip\fR may be specified to listen only for connections -to the given \fIip\fR. - -.TP -\fBpunix:\fIfile\fR -Listens for connections on Unix domain server socket named \fIfile\fR. +.so lib/vconn-passive.man .RE .TP 
@@ -388,74 +348,27 @@ specified on \fB--rate-limit\fR. This option takes effect only when \fB--rate-limit\fR is also specified. -.SS "Remote Command Execution Options" - -.TP -\fB--command-acl=\fR[\fB!\fR]\fIglob\fR[\fB,\fR[\fB!\fR]\fIglob\fR...] -Configures the commands that remote OpenFlow connections are allowed -to invoke using (e.g.) \fBovs\-ofctl execute\fR. The argument is a -comma-separated sequence of shell glob patterns. A glob pattern -specified without a leading \fB!\fR is a ``whitelist'' that specifies -a set of commands that are that may be invoked, whereas a pattern that -does begin with \fB!\fR is a ``blacklist'' that specifies commands -that may not be invoked. To be permitted, a command name must be -whitelisted and must not be blacklisted; -e.g. \fB--command-acl=up*,!upgrade\fR would allow any command whose name -begins with \fBup\fR except for the command named \fBupgrade\fR. -Command names that include characters other than upper- and lower-case -English letters, digits, and the underscore and hyphen characters are -unconditionally disallowed. - -When the whitelist and blacklist permit a command name, \fBovs\-openflowd\fR -looks for a program with the same name as the command in the commands -directory (see below). Other directories are not searched. - -.TP -\fB--command-dir=\fIdirectory\fR -Sets the directory searched for remote command execution to -\fBdirectory\fR. The default directory is -\fB@pkgdatadir@/commands\fR. +.SS "Datapath Options" +. +.IP "\fB\-\-ports=\fIport\fR[\fB,\fIport\fR...]" +Ordinarily, \fBovs\-openflowd\fR expects the administrator to create +the specified \fIdatapath\fR and add ports to it externally with a +utility such as \fBovs\-dpctl\fR. However, the userspace switch +datapath is implemented inside \fBovs\-openflowd\fR itself and does +not (currently) have any external interface for \fBovs\-dpctl\fR to +access. 
As a stopgap measure, this option specifies one or more ports +to add to the datapath at \fBovs\-openflowd\fR startup time. Multiple +ports may be specified as a comma-separated list or by specifying +\fB\-\-ports\fR multiple times. +.IP +See \fBINSTALL.userspace\fR for more information about userspace +switching. .SS "Daemon Options" .so lib/daemon.man -.SS "Public Key Infrastructure Options" - -.TP -\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR -Specifies a PEM file containing the private key used as the switch's -identity for SSL connections to the controller. - -.TP -\fB-c\fR, \fB--certificate=\fIcert.pem\fR -Specifies a PEM file containing a certificate, signed by the -controller's certificate authority (CA), that certifies the switch's -private key to identify a trustworthy switch. - -.TP -\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR -Specifies a PEM file containing the CA certificate used to verify that -the switch is connected to a trustworthy controller. - -.TP -\fB--bootstrap-ca-cert=\fIcacert.pem\fR -When \fIcacert.pem\fR exists, this option has the same effect as -\fB-C\fR or \fB--ca-cert\fR. If it does not exist, then \fBovs\-openflowd\fR -will attempt to obtain the CA certificate from the controller on its -first SSL connection and save it to the named PEM file. If it is -successful, it will immediately drop the connection and reconnect, and -from then on all SSL connections must be authenticated by a -certificate signed by the CA certificate thus obtained. - -\fBThis option exposes the SSL connection to a man-in-the-middle -attack obtaining the initial CA certificate\fR, but it may be useful -for bootstrapping. - -This option is only useful if the controller sends its CA certificate -as part of the SSL certificate chain. The SSL protocol does not -require the controller to send the CA certificate, but -\fBcontroller\fR(8) can be configured to do so with the -\fB--peer-ca-cert\fR option. 
+.so lib/ssl.man +.so lib/ssl-bootstrap.man .SS "Logging Options" .so lib/vlog.man
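Review bot: In the first hunk (@@ -21,23 +21,9), the removed ssl: entry stated that --private-key, --certificate and --ca-cert are mandatory and that ip must be an IP address rather than a DNS name, and neither statement remains in this file once the list is replaced by ".so lib/vconn-active.man". That file is not among the lines shown here, so please confirm it carries both statements, or keep a one-line reminder at this spot pointing to the SSL options.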
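Review bot: In the second hunk (@@ -218,14 +204,6), the --mgmt-id entry is deleted with nothing in its place, and the lines shown here touch only the man page. If ovs-openflowd still accepts the option it is now undocumented; if the option was removed from the code as well, say so in the commit message so that users who pass --mgmt-id know it is gone.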
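Review bot: In the third hunk (@@ -310,25 +288,7), ".so lib/vconn-passive.man" stays inside the existing .RS/.RE pair, while the first hunk removed .RS/.RE around ".so lib/vconn-active.man". Pick one convention for both includes so the two lists of connection methods are indented the same way. The removed pssl: and ptcp: entries also used \*(PN for the program name; if the shared file does the same, every page that includes it has to define PN before the .so line.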
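Review bot: In the last hunk (@@ -388,74 +348,27), the .SS "Public Key Infrastructure Options" heading is deleted and ".so lib/ssl.man" now follows ".so lib/daemon.man" directly, so unless lib/ssl.man opens with its own .SS line the SSL options will render under "Daemon Options". Keep the heading here or confirm the included file supplies one. The same hunk removes the bold warning that --bootstrap-ca-cert exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate; check that lib/ssl-bootstrap.man retains that warning, since it is the only place the risk was documented.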