if !NDEBUG
AM_LDFLAGS = -export-dynamic
endif
+
+do_subst = sed -e 's,[@]pkidir[@],$(pkidir),g' \
+ -e 's,[@]rundir[@],$(rundir),g' \
+ -e 's,[@]PERL[@],$(PERL),g'
+ro_script = sed "`printf '1a\\' && printf '\\n\# -*- buffer-read-only: t -*-'`"
+ro_man = printf '.\\" Local variables:\n.\\" buffer-read-only: t\n.\\" End:\n'
/Makefile
/Makefile.in
/controller
+/controller.8
include ../Make.vars
bin_PROGRAMS = controller
-dist_man_MANS = controller.8
+man_MANS = controller.8
+DISTCLEANFILES = controller.8
controller_SOURCES = controller.c
controller_LDADD = ../lib/libopenflow.la -ldl
+
+EXTRA_DIST = controller.8.in
+controller.8: controller.8.in Makefile
+ ($(do_subst) && $(ro_man)) < $(srcdir)/controller.8.in > controller.8
+++ /dev/null
-.TH controller 8 "May 2008" "OpenFlow" "OpenFlow Manual"
-
-.SH NAME
-controller \- simple OpenFlow controller reference implementation
-
-.SH SYNOPSIS
-.B controller
-[OPTIONS] ptcp:[\fIPORT\fR] | nl:\fIDP_IDX\fR
-
-.SH DESCRIPTION
-A sample OpenFlow controller which functions as an L2 MAC-learning
-switch or hub. \fBcontroller\fR can manage a remote datapath through
-a secure channel (see \fBsecchan(8)\fR). It can also connect directly
-to a local datapath via netlink.
-
-To connect over netlink to a local datapath number \fIDP_IDX\fR (Linux
-only), specify nl:\fIDP_IDX\fR on the command line. To listen for
-TCP connections from remote datapaths on port \fIPORT\fR, specify
-ptcp:[\fIPORT\fR]. (\fIPORT\fR defaults to 975 if omitted.)
-
-\fBcontroller\fR can control multiple datapaths. Multiple ptcp: or
-nl: arguments may be given. Multiple TCP clients may connect to a
-single TCP server port.
-
-.SH OPTIONS
-.TP
-.BR \-H ", " \-\^\-hub
-By default, the controller acts as an L2 MAC-learning switch. This
-option changes its behavior to that of a hub that floods packets on
-all but the incoming port.
-
-.TP
-.BR \-h ", " \-\^\-help
-Prints a brief help message to the console.
-
-.TP
-.BR \-n ", " \-\^\-noflow
-This is similar to the \fB\-\^\-hub\fR option, but does not add a
-flow entry in the switch. This causes all traffic seen by the switch
-to be passed to the controller before being sent out all but the
-incoming port.
-
-.TP
-.BR \-v ", " \-\^\-verbose
-Prints debug messages to the console.
-
-.TP
-.BR \-V ", " \-\^\-version
-Prints version information to the console.
-
-.SH EXAMPLES
-
-.TP
-To connect directly to local datapath 0 over netlink (Linux only):
-
-.B % controller nl:0
-
-.TP
-To bind locally to port 975 (the default) and wait for incoming connections from secure channels:
-
-.B % controller ptcp:
-
-.SH "SEE ALSO"
-
-.BR dpctl (8),
-.BR switch (8),
-.BR secchan (8)
-.BR vlogconf (8)
-
-.SH BUGS
-Currently \fBcontroller\fR does not support SSL.
--- /dev/null
+.TH controller 8 "May 2008" "OpenFlow" "OpenFlow Manual"
+
+.SH NAME
+controller \- simple OpenFlow controller reference implementation
+
+.SH SYNOPSIS
+.B controller
+[\fIoptions\fR] \fImethod\fR \fB[\fImethod\fR]\&...
+
+.SH DESCRIPTION
+A sample OpenFlow controller which functions as an L2 MAC-learning
+switch or hub. \fBcontroller\fR can manage a remote datapath through
+a secure channel (see \fBsecchan(8)\fR). It can also connect directly
+to a local datapath via Netlink.
+
+\fBcontroller\fR controls one or more OpenFlow switches, specified as
+one or more of the following OpenFlow connection methods:
+
+.TP
+\fBpssl:\fR[\fIport\fR]
+Listens for SSL connections from remote OpenFlow switches on
+\fIport\fR (default: 976). The \fB--private-key\fR,
+\fB--certificate\fR, and \fB--ca-cert\fR options are mandatory when
+this form is used.
+
+.TP
+\fBptcp:\fR[\fIport\fR]
+Listens for TCP connections from remote OpenFlow switches on
+\fIport\fR (default: 975).
+
+.TP
+\fBnl:\fIdp_idx\fR
+The local Netlink datapath numbered \fIdp_idx\fR, as configured with
+.BR dpctl (8).
+This form requires that the local host has the OpenFlow kernel
+module for Linux loaded.
+
+.TP
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 976) on the given remote
+\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
+\fB--ca-cert\fR options are mandatory when this form is used.
+
+.TP
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 975) on the given remote
+\fIhost\fR.
+
+.SH OPTIONS
+.TP
+\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
+Specifies a PEM file containing the private key used as the switch's
+identity for SSL connections to the controller.
+
+.TP
+\fB-c\fR, \fB--certificate=\fIcert.pem\fR
+Specifies a PEM file containing a certificate, signed by the
+controller's certificate authority (CA), that certifies the switch's
+private key to identify a trustworthy switch.
+
+.TP
+\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the switch is connected to a trustworthy controller.
+
+.TP
+.BR \-n ", " \-\^\-noflow
+By default, the controller sets up a flow in each OpenFlow switch
+whenever it receives a packet whose destination is known due through
+MAC learning. This option disables flow setup, so that every packet
+in the network passes through the controller.
+
+This option is most useful for debugging. It reduces switching
+performance, so it should not be used in production.
+
+.TP
+.BR \-H ", " \-\^\-hub
+By default, the controller acts as an L2 MAC-learning switch. This
+option changes its behavior to that of a hub that floods packets on
+all but the incoming port.
+
+If \fB-H\fR (or \fB--hub\fR) and \fB-n\fR (or \fB--noflow\fR) are used
+together, then the cumulative effect is that every packet passes
+through the controller and every packet is flooded.
+
+This option is most useful for debugging. It reduces switching
+performance, so it should not be used in production.
+
+.TP
+\fB-P\fR[\fIpidfile\fR], \fB--pidfile\fR[\fB=\fIpidfile\fR]
+Causes a file (by default, \fBcontroller.pid\fR) to be created indicating
+the PID of the running process. If \fIpidfile\fR is not specified, or
+if it does not begin with \fB/\fR, then it is created in
+\fB@rundir@\fR.
+
+.TP
+\fB-D\fR, \fB--detach\fR
+Causes \fBcontroller\fR to detach itself from the foreground session and
+run as a background process.
+
+.TP
+.BR \-h ", " \-\^\-help
+Prints a brief help message to the console.
+
+.TP
+\fB-v\fR \fImodule\fB:\fIfacility\fB:\fIlevel\fR, \fB--verbose=\fImodule\fB:\fIfacility\fB:\fIlevel\fR
+Sets the logging level for \fImodule\fR in \fIfacility\fR to
+\fIlevel\fR. The \fImodule\fR may be any valid module name (as
+displayed by the \fB--list\fR action on \fBvlogconf\fR(8)), or the
+special name \fBANY\fR to set the logging levels for all modules. The
+\fIfacility\fR may be \fBsyslog\fR or \fBconsole\fR to set the levels
+for logging to the system log or to the console, respectively, or
+\fBANY\fR to set the logging levels for both facilities. The
+\fIlevel\fR must be one of \fBemer\fR, \fBerr\fR, \fBwarn\fR, or
+\fBdbg\fR, designating the minimum severity of a message for it to be
+logged.
+
+.TP
+\fB-v\fR, \fB--verbose\fR
+Sets the maximum logging verbosity level, equivalent to
+\fB--verbose=ANY:ANY:dbg\fR.
+
+.TP
+.BR \-V ", " \-\^\-version
+Prints version information to the console.
+
+.SH EXAMPLES
+
+.TP
+To connect directly to local datapath 0 over netlink (Linux only):
+
+.B % controller nl:0
+
+.TP
+To bind locally to port 975 (the default) and wait for incoming connections from OpenFlow switches:
+
+.B % controller ptcp:
+
+.SH "SEE ALSO"
+
+.BR dpctl (8),
+.BR switch (8),
+.BR secchan (8),
+.BR vlogconf (8)
" -P, --pidfile[=FILE] create pidfile (default: %s/controller.pid)\n"
" -H, --hub act as hub instead of learning switch\n"
" -n, --noflow pass traffic, but don't add flows\n"
+ " -v, --verbose=MODULE:FACILITY:LEVEL configure logging levels\n"
" -v, --verbose set maximum verbosity level\n"
" -h, --help display this help message\n"
" -V, --version display version information\n",
/ctlpath-lite
/dpctl-lite
/secchan
+/secchan.8
if HAVE_NETLINK
bin_PROGRAMS = secchan
-dist_man_MANS = secchan.8
+man_MANS = secchan.8
else
bin_PROGRAMS =
-dist_man_MANS =
+man_MANS =
endif
secchan_SOURCES = secchan.c
secchan_LDADD = ../lib/libopenflow.la -ldl
+
+EXTRA_DIST = secchan.8.in
+DISTCLEANFILES = secchan.8
+secchan.8: secchan.8.in Makefile
+ ($(do_subst) && $(ro_man)) < $(srcdir)/secchan.8.in > secchan.8
+++ /dev/null
-.TH secchan 8 "May 2008" "OpenFlow" "OpenFlow Manual"
-
-.SH NAME
-secchan \- secure channel connecting an OpenFlow datapath to a controller
-
-.SH SYNOPSIS
-.B secchan
-[OPTIONS] nl:\fIDP_IDX\fR tcp:\fICONTROLLER_IP\fR[:\fICONTROLLER_TCP_PORT\fR]
-
-.SH DESCRIPTION
-The \fBsecchan\fR program sets up a secure channel between a local
-OpenFlow datapath and a remote controller. \fBsecchan\fR connects to
-the datapath over netlink and to the controller over TCP, and then
-proceeds to forward packets from one endpoint to the other.
-
-\fIDP_IDX\fR \- the ID of the local datapath to connect to
-
-\fICONTROLLER_IP\fR \- the controller's IP address
-
-\fICONTROLLER_TCP_PORT\fR \- the controller's TCP port to connect to \- defaults to 975
-
-.SH OPTIONS
-.TP
-.BR \-h ", " \-\^\-help
-Prints a brief help message to the console.
-
-.TP
-.BR \-v ", " \-\^\-verbose
-Prints debug messages to the console.
-
-.TP
-.BR \-V ", " \-\^\-version
-Prints version information to the console.
-
-.SH "SEE ALSO"
-
-.BR dpctl (8),
-.BR switch (8),
-.BR controller (8)
-.BR vlogconf (8)
-
-.SH BUGS
-Currently \fBsecchan\fR does not support SSL
--- /dev/null
+.TH secchan 8 "May 2008" "OpenFlow" "OpenFlow Manual"
+
+.SH NAME
+secchan \- secure channel connecting an OpenFlow datapath to a controller
+
+.SH SYNOPSIS
+.B secchan
+[\fIoptions\fR] \fBnl:\fIdp_idx\fR \fIremote\fR
+
+.SH DESCRIPTION
+The \fBsecchan\fR program sets up a secure channel between a local
+OpenFlow datapath and a remote controller. \fBsecchan\fR connects to
+the local datapath over Netlink and to the controller over TCP or SSL,
+and then forwards OpenFlow messages from one endpoint to the other.
+
+The mandatory \fBnl:\fIdp_idx\fR argument specifies the local datapath
+to relay. Within this argument, \fIdp_idx\fR is the number of a
+datapath that has been created with
+.BR dpctl (8).
+
+The mandatory \fIcontroller\fR argument specifies how to connect to
+the OpenFlow controller. It takes one of the following forms:
+
+.TP
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 976) on the given remote
+\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
+\fB--ca-cert\fR options are mandatory when this form is used.
+
+.TP
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 975) on the given remote
+\fIhost\fR.
+
+.SH "CONTACTING THE CONTROLLER"
+The OpenFlow switch must be able to contact the OpenFlow controller
+over the network. It can do so in one of two ways:
+
+.IP out-of-band
+In this configuration, OpenFlow traffic uses a network separate from
+the data traffic that it controls, that is, the switch does not use
+any of the network devices added to the datapath with \fBdpctl
+addif\fR in its communication with the controller.
+
+To use \fBsecchan\fR in a network with out-of-band control, the
+control network must be configured for use by \fBsecchan\fR at the
+time it is started. No additional setup is required. In particular,
+the \fBof\fIn\fR device should not be up or configured with an IP
+address (see below).
+
+.IP in-band
+In this configuration, a single network is used for OpenFlow traffic
+and other data traffic, that is, the switch contacts the controller
+over one of the network devices added to the datapath with \fBdpctl
+addif\fR. This configuration is often more convenient than
+out-of-band control, because it is not necessary to maintain two
+independent networks.
+
+Using \fBsecchan\fR in a network with in-band control requires
+additional setup before starting \fBsecchan\fR. At a minimum, the
+special OpenFlow network device \fBof\fIn\fR, where \fIn\fR is same as
+the \fIdp_idx\fR specified on the \fBsecchan\fR command line, must be
+brought up using
+.BR ifconfig (8),
+e.g.:
+.RS
+.IP
+ifconfig of0 up
+.RE
+.IP
+Before \fBsecchan\fR starts, the \fBof\fIn\fR device cannot send or
+receive any packets, so the next step depends on whether connectivity
+is required to configure the device's IP address. If the switch has a
+static IP address, you may configure its IP address now with a command
+such as:
+.RS
+.IP
+ifconfig of0 192.168.1.1
+.RE
+.IP
+and then invoke \fBsecchan\fR.
+
+On the other hand, if the switch does not have a static IP address,
+e.g. it obtains its IP address dynamically via DHCP, the DHCP client
+will not be able to contact the DHCP server until the secure channel
+has started up. Thus, start \fBsecchan\fR without configuring
+\fBof\fIn\fR further, and start the DHCP client afterward.
+
+.SH OPTIONS
+.TP
+\fB-f\fR, \fB--fail=\fR[\fBopen\fR|\fBclosed\fR]
+The controller is, ordinarily, responsible for setting up all flows on
+the OpenFlow switch. Thus, if the connection to the controller fails,
+no new network connections can be set up. If the connection to the
+controller stays down long enough, no packets can pass through the
+switch at all.
+
+If this option is set to \fBopen\fR (the default), \fBsecchan\fR will
+take over responsibility for setting up flows in the local datapath
+when the controller connection stays down for long enough. In this
+``fail open'' mode, \fBsecchan\fR causes the datapath to act like an
+ordinary MAC-learning switch. \fBsecchan\fR will continue to retry
+connection to the controller in the background and, when the
+connection succeeds, it discontinues its fail-open behavior.
+
+If this option is set to \fBclosed\fR, then \fBsecchan\fR will not
+set up flows on its own when the controller connection fails.
+
+.TP
+\fB-d\fR, \fB--fail-open-delay=\fIsecs\fR
+Sets the number of seconds of failed controller connection attempts
+after which the switch enters fail-open mode. The default is 30
+seconds.
+
+This option has no effect when \fB--fail=closed\fR is specified.
+
+.TP
+\fB-l\Fr, \Fb--listen=\fImethod\fR
+Configures the switch to additionally listen for incoming OpenFlow
+connections for switch management with \fBdpctl\fR. The \fImethod\fR
+must be given as one of the following passive OpenFlow connection
+methods:
+
+.RS
+.TP
+\fBpssl:\fR[\fIport\fR]
+Listens for SSL connections on \fIport\fR (default: 976). The
+\fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR options
+are mandatory when this form is used.
+
+.TP
+\fBptcp:\fR[\fIport\fR]
+Listens for TCP connections on \fIport\fR (default: 975).
+.RE
+
+.TP
+\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
+Specifies a PEM file containing the private key used as the switch's
+identity for SSL connections to the controller.
+
+.TP
+\fB-c\fR, \fB--certificate=\fIcert.pem\fR
+Specifies a PEM file containing a certificate, signed by the
+controller's certificate authority (CA), that certifies the switch's
+private key to identify a trustworthy switch.
+
+.TP
+\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the switch is connected to a trustworthy controller.
+
+.TP
+\fB-P\fR[\fIpidfile\fR], \fB--pidfile\fR[\fB=\fIpidfile\fR]
+Causes a file (by default, \fBsecchan.pid\fR) to be created indicating
+the PID of the running process. If \fIpidfile\fR is not specified, or
+if it does not begin with \fB/\fR, then it is created in
+\fB@rundir@\fR.
+
+.TP
+\fB-D\fR, \fB--detach\fR
+Causes \fBsecchan\fR to detach itself from the foreground session and
+run as a background process.
+
+.TP
+.BR \-h ", " \-\^\-help
+Prints a brief help message to the console.
+
+.TP
+\fB-v\fR \fImodule\fB:\fIfacility\fB:\fIlevel\fR, \fB--verbose=\fImodule\fB:\fIfacility\fB:\fIlevel\fR
+Sets the logging level for \fImodule\fR in \fIfacility\fR to
+\fIlevel\fR. The \fImodule\fR may be any valid module name (as
+displayed by the \fB--list\fR action on \fBvlogconf\fR(8)), or the
+special name \fBANY\fR to set the logging levels for all modules. The
+\fIfacility\fR may be \fBsyslog\fR or \fBconsole\fR to set the levels
+for logging to the system log or to the console, respectively, or
+\fBANY\fR to set the logging levels for both facilities. The
+\fIlevel\fR must be one of \fBemer\fR, \fBerr\fR, \fBwarn\fR, or
+\fBdbg\fR, designating the minimum severity of a message for it to be
+logged.
+
+.TP
+\fB-v\fR, \fB--verbose\fR
+Sets the maximum logging verbosity level, equivalent to
+\fB--verbose=ANY:ANY:dbg\fR.
+
+.TP
+.BR \-V ", " \-\^\-version
+Prints version information to the console.
+
+.SH "SEE ALSO"
+
+.BR dpctl (8),
+.BR controller (8),
+.BR ofp-pki (8),
+.BR vlogconf (8),
+.BR switch (8)
static void
usage(void)
{
- printf("%s: Secure Channel, a relay for OpenFlow messages.\n"
- "usage: %s [OPTIONS] LOCAL REMOTE\n"
- "where LOCAL and REMOTE are active OpenFlow connection methods.\n",
+ printf("%s: secure channel, a relay for OpenFlow messages.\n"
+ "usage: %s [OPTIONS] nl:DP_IDX CONTROLLER\n"
+ "where nl:DP_IDX is a datapath that has been added with dpctl\n"
+ "and CONTROLLER is an active OpenFlow connection method.\n",
program_name, program_name);
vconn_usage(true, true);
printf("\nNetworking options:\n"
"\nOther options:\n"
" -D, --detach run in background as daemon\n"
" -P, --pidfile[=FILE] create pidfile (default: %s/secchan.pid)\n"
+ " -v, --verbose=MODULE:FACILITY:LEVEL configure logging levels\n"
" -v, --verbose set maximum verbosity level\n"
" -h, --help display this help message\n"
" -V, --version display version information\n",
/Makefile
/Makefile.in
/switch
+/switch.8
include ../Make.vars
bin_PROGRAMS = switch
-dist_man_MANS = switch.8
+man_MANS = switch.8
switch_SOURCES = \
chain.c \
table-linear.c
switch_LDADD = ../lib/libopenflow.la -ldl
+
+EXTRA_DIST = switch.8.in
+DISTCLEANFILES = switch.8
+switch.8: switch.8.in Makefile
+ ($(do_subst) && $(ro_man)) < $(srcdir)/switch.8.in > switch.8
+++ /dev/null
-.TH secchan 8 "May 2008" "OpenFlow" "OpenFlow Manual"
-
-.SH NAME
-switch \- userspace implementation of OpenFlow switch
-
-.SH SYNOPSIS
-.B switch
-[\fIoptions\fR]
-\fB-i\fR \fInetdev\fR[\fB,\fInetdev\fR]...
-\fIcontroller\fR
-
-.SH DESCRIPTION
-The \fBswitch\fR is a userspace implementation of an OpenFlow switch.
-It implements all three parts of the OpenFlow switch specification: a
-``flow table'' in which each flow entry is associated with an action
-telling the switch how to process the flow; a ``secure channel''
-connecting the switch to a remote process (a controller), allowing
-commands and packets to be sent between the controller and the switch;
-and an OpenFlow protocol implementation.
-
-\fBswitch\fR monitors one or more network device interfaces,
-forwarding packets between them according to the entries in the flow
-table. It also maintains a connection to an OpenFlow controller over
-a TCP or SSL connection, relaying packets that do not match a flow
-table entry to the controller and executing commands sent by the
-controller.
-
-For access to network devices, the switch program must normally run as
-root.
-
-The mandatory \fIcontroller\fR argument specifies how to connect to
-the OpenFlow controller. It takes one of the following forms:
-
-.TP
-\fBtcp:\fIhost\fR[\fB:\fIport\fR]
-The specified TCP \fIport\fR (default: 975) on the given remote
-\fIhost\fR.
-
-.TP
-\fBssl:\fIhost\fR[\fB:\fIport\fR]
-The specified SSL \fIport\fR (default: 976) on the given remote
-\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
-\fB--ca-cert\fR options are mandatory when this form is used.
-
-.SH OPTIONS
-.TP
-\fB-i\fR, \fB--interfaces=\fR\fInetdev\fR[\fB,\fInetdev\fR]...
-Specifies each \fInetdev\fR (e.g., \fBeth0\fR) as a switch port. The
-specified network devices should not have any configured IP addresses.
-This option may be given any number of times to specify additional
-network devices.
-
-.TP
-\fB-d\fR, \fB--datapath-id=\fIdpid\fR
-Specifies the OpenFlow switch ID (a 48-bit number that uniquely
-identifies a controller) as \fIdpid\fR, which consists of exactly 12
-hex digits. Without this option, \fBswitch\fR picks an ID randomly.
-
-.TP
-\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
-Specifies a PEM file containing the private key used as the switch's
-identity for SSL connections to the controller.
-
-.TP
-\fB-c\fR, \fB--certificate=\fIcert.pem\fR
-Specifies a PEM file containing a certificate, signed by the
-controller's certificate authority (CA), that certifies the switch's
-private key to identify a trustworthy switch.
-
-.TP
-\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
-Specifies a PEM file containing the CA certificate used to verify that
-the switch is connected to a trustworthy controller.
-
-.TP
-.BR \-h ", " \-\^\-help
-Prints a brief help message to the console.
-
-.TP
-.BR \-v ", " \-\^\-verbose
-Prints debug messages to the console.
-
-.TP
-.BR \-V ", " \-\^\-version
-Prints version information to the console.
-
-.SH "SEE ALSO"
-
-.BR dpctl (8),
-.BR ofp-pki (8),
-.BR controller (8)
-.BR vlogconf (8)
--- /dev/null
+.TH secchan 8 "May 2008" "OpenFlow" "OpenFlow Manual"
+
+.SH NAME
+switch \- userspace implementation of OpenFlow switch
+
+.SH SYNOPSIS
+.B switch
+[\fIoptions\fR]
+\fB-i\fR \fInetdev\fR[\fB,\fInetdev\fR]...
+\fIcontroller\fR
+
+.SH DESCRIPTION
+The \fBswitch\fR is a userspace implementation of an OpenFlow switch.
+It implements all three parts of the OpenFlow switch specification: a
+``flow table'' in which each flow entry is associated with an action
+telling the switch how to process the flow; a ``secure channel''
+connecting the switch to a remote process (a controller), allowing
+commands and packets to be sent between the controller and the switch;
+and an OpenFlow protocol implementation.
+
+\fBswitch\fR monitors one or more network device interfaces,
+forwarding packets between them according to the entries in the flow
+table. It also maintains a connection to an OpenFlow controller over
+a TCP or SSL connection, relaying packets that do not match a flow
+table entry to the controller and executing commands sent by the
+controller.
+
+For access to network devices, the switch program must normally run as
+root.
+
+The mandatory \fIcontroller\fR argument specifies how to connect to
+the OpenFlow controller. It takes one of the following forms:
+
+.TP
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 976) on the given remote
+\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
+\fB--ca-cert\fR options are mandatory when this form is used.
+
+.TP
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 975) on the given remote
+\fIhost\fR.
+
+.SH OPTIONS
+.TP
+\fB-i\fR, \fB--interfaces=\fR\fInetdev\fR[\fB,\fInetdev\fR]...
+Specifies each \fInetdev\fR (e.g., \fBeth0\fR) as a switch port. The
+specified network devices should not have any configured IP addresses.
+This option may be given any number of times to specify additional
+network devices.
+
+.TP
+\fB-d\fR, \fB--datapath-id=\fIdpid\fR
+Specifies the OpenFlow switch ID (a 48-bit number that uniquely
+identifies a controller) as \fIdpid\fR, which consists of exactly 12
+hex digits. Without this option, \fBswitch\fR picks an ID randomly.
+
+.TP
+\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
+Specifies a PEM file containing the private key used as the switch's
+identity for SSL connections to the controller.
+
+.TP
+\fB-c\fR, \fB--certificate=\fIcert.pem\fR
+Specifies a PEM file containing a certificate, signed by the
+controller's certificate authority (CA), that certifies the switch's
+private key to identify a trustworthy switch.
+
+.TP
+\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the switch is connected to a trustworthy controller.
+
+.TP
+\fB-P\fR[\fIpidfile\fR], \fB--pidfile\fR[\fB=\fIpidfile\fR]
+Causes a file (by default, \fBswitch.pid\fR) to be created indicating
+the PID of the running process. If \fIpidfile\fR is not specified, or
+if it does not begin with \fB/\fR, then it is created in
+\fB@rundir@\fR.
+
+.TP
+\fB-D\fR, \fB--detach\fR
+Causes \fBswitch\fR to detach itself from the foreground session and
+run as a background process.
+
+.TP
+.BR \-h ", " \-\^\-help
+Prints a brief help message to the console.
+
+.TP
+\fB-v\fR \fImodule\fB:\fIfacility\fB:\fIlevel\fR, \fB--verbose=\fImodule\fB:\fIfacility\fB:\fIlevel\fR
+Sets the logging level for \fImodule\fR in \fIfacility\fR to
+\fIlevel\fR. The \fImodule\fR may be any valid module name (as
+displayed by the \fB--list\fR action on \fBvlogconf\fR(8)), or the
+special name \fBANY\fR to set the logging levels for all modules. The
+\fIfacility\fR may be \fBsyslog\fR or \fBconsole\fR to set the levels
+for logging to the system log or to the console, respectively, or
+\fBANY\fR to set the logging levels for both facilities. The
+\fIlevel\fR must be one of \fBemer\fR, \fBerr\fR, \fBwarn\fR, or
+\fBdbg\fR, designating the minimum severity of a message for it to be
+logged.
+
+.TP
+\fB-v\fR, \fB--verbose\fR
+Sets the maximum logging verbosity level, equivalent to
+\fB--verbose=ANY:ANY:dbg\fR.
+
+.TP
+.BR \-V ", " \-\^\-version
+Prints version information to the console.
+
+.SH BUGS
+
+The userspace switch implementation lags significantly behind the
+kernel-based switch, both in implementation quality and performance.
+It should only be used when the kernel-based switch cannot be.
+
+General-purpose support for VLAN tag rewriting is precluded by the
+Linux kernel AF_PACKET implementation.
+
+.SH "SEE ALSO"
+
+.BR dpctl (8),
+.BR ofp-pki (8),
+.BR controller (8),
+.BR vlogconf (8)
"\nOther options:\n"
" -D, --detach run in background as daemon\n"
" -P, --pidfile[=FILE] create pidfile (default: %s/switch.pid)\n"
+ " -v, --verbose=MODULE:FACILITY:LEVEL configure logging levels\n"
" -v, --verbose set maximum verbosity level\n"
" -h, --help display this help message\n"
" -V, --version display version information\n",
.TH dpctl 8 "May 2008" "OpenFlow" "OpenFlow Manual"
.SH NAME
-dpctl \- command line tool to administer OpenFlow datapaths
+dpctl \- administer OpenFlow datapaths
.SH SYNOPSIS
.B dpctl
-[OPTIONS] COMMAND [SWITCH] [ARGS...]
+[\fIoptions\fR] \fIcommand \fR[\fIswitch\fR] [\fIargs\fR&...]
.SH DESCRIPTION
The
.B dpctl
is used to add, delete, modify, and monitor datapaths.
+Most \fBdpctl\fR commands take an argument that specifies the
+method for connecting to an OpenFlow switch. The following connection
+methods are supported:
-.SH OPTIONS
.TP
-.BR \-h ", " \-\^\-help
-Prints a brief help message to the console.
+\fBnl:\fIdp_idx\fR
+The local Netlink datapath numbered \fIdp_idx\fR. This form requires
+that the local host has the OpenFlow kernel module for Linux loaded.
.TP
-.BR \-v ", " \-\^\-verbose
-Prints debug messages to the console.
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 976) on the given remote
+\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
+\fB--ca-cert\fR options are mandatory when this form is used.
.TP
-.BR \-V ", " \-\^\-version
-Prints version information to the console.
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 975) on the given remote
+\fIhost\fR.
.SH COMMANDS
-Depending on the type of datapath, \fBdpctl\fR communicates using
-different connection methods. As such, one must provide the method to
-use as the \fISWITCH\fR argument. To communicate with userspace,
-\fItcp:host[:port]\fR is used. The netlink interface is used to
-communicate with the kernel module directly. This uses the form
-\fInl:DP_IDX\fR, where \fIDP_IDX\fR is explained below.
-
-.B COMMANDS FOR THE KERNEL MODULE
-
With the \fBdpctl\fR program, datapaths running in the kernel can be
created, deleted, modified, and monitored. A single machine may
host up to 32 datapaths (numbered 0 to 31). In most situations,
a machine hosts only one datapath.
A newly created datapath is not associated with any of the
-host's network interfaces and thus does not process any incoming
-traffic. To intercept and process traffic on a given interface, the
-interface must be explicitly added to a datapath through the
+host's network devices thus does not process any incoming
+traffic. To intercept and process traffic on a given network device, the
+network device must be explicitly added to a datapath through the
\fBaddif\fR command.
+The following commands manage local datapaths.
.TP
-.BI adddp " nl:DP_IDX"
-Creates datapath numbered \fIDP_IDX\fR on the local host. This will
-fail if \fIDP_IDX\fR is not in the range 0 to 31, or if the datapath
+\fBadddp nl:\fIdp_idx\fR
+Creates datapath numbered \fIdp_idx\fR on the local host. This will
+fail if \fIdp_idx\fR is not in the range 0 to 31, or if the datapath
with that number already exists on the host.
.TP
-.BI deldp " nl:DP_IDX"
-Deletes datapath \fIDP_IDX\fR on the local host. \fIDP_IDX\fR must be
-an existing datapath. All of a datapath's interfaces must be
+\fBdeldp nl:\fIdp_idx\fR
+Deletes datapath \fIdp_idx\fR on the local host. \fIdp_idx\fR must be
+an existing datapath. All of a datapath's network devices must be
explicitly removed before the datapath can be deleted (see \fBdelif\fR
command).
.TP
-.BI addif " nl:DP_IDX INTERFACE"
-Adds \fIINTERFACE\fR to the list of network interfaces datapath
-\fIDP_IDX\fR monitors, where \fIDP_IDX\fR is the ID of an existing
-datapath, and \fIINTERFACE\fR is the name of one of the host's
-interfaces, e.g. \fBeth0\fR. Once an interface has been added
-to a datapath, the datapath has complete ownership of the interface's
-traffic and the interface appears silent to the rest of the system.
+\fBaddif nl:\fIdp_idx netdev\fR
+Adds \fInetdev\fR to the list of network devices datapath
+\fIdp_idx\fR monitors, where \fIdp_idx\fR is the ID of an existing
+datapath, and \fInetdev\fR is the name of one of the host's
+network devices, e.g. \fBeth0\fR. Once a network device has been added
+to a datapath, the datapath has complete ownership of the network device's
+traffic and the network device appears silent to the rest of the system.
.TP
-.BI delif " nl:DP_IDX INTERFACE"
-Removes \fIINTERFACE\fR from the list of network interfaces datapath
-\fIDP_IDX\fR monitors.
+\fBdelif nl:\fIdp_idx netdev\fR
+Removes \fInetdev\fR from the list of network devices datapath
+\fIdp_idx\fR monitors.
.TP
-.BI monitor " nl:DP_IDX"
+\fBmonitor nl:\fIdp_idx\fR
Prints to the console all OpenFlow packets sent by datapath
-\fIDP_IDX\fR to its controller, where \fIDP_IDX\fR is the ID of an
+\fIdp_idx\fR to its controller, where \fIdp_idx\fR is the ID of an
existing datapath.
.TP
-.BI benchmark-nl " nl:DP_IDX N SIZE"
+\fBbenchmark-nl nl:\fIdp_idx n size\fR
Checks the netlink performance between the kernel and userspace.
-This is done by sending \fIN\fR packets of \fISIZE\fR bytes from
+This is done by sending \fIN\fR packets of \fIsize\fR bytes from
the kernel module to dpctl.
-
-.TP
-.B GENERAL COMMANDS
-
-.TP
+.PP
The following commands can be used regardless of the connection method.
.TP
-.BI show " SWITCH"
-Prints to the console information on datapath \fISWITCH\fR including
+\fBshow \fIswitch\fR
+Prints to the console information on datapath \fIswitch\fR including
information on its flow tables and ports.
.TP
-.BI dump-tables " SWITCH"
+\fBdump-tables \fIswitch\fR
Prints to the console statistics for each of the flow tables used by
-datapath \fISWITCH\fR.
+datapath \fIswitch\fR.
.TP
-.BI dump-ports " SWITCH"
-Prints to the console statistics for each of the physical interfaces
-associated with datapath \fISWITCH\fR.
+\fBdump-ports \fIswitch\fR
+Prints to the console statistics for each of the network devices
+associated with datapath \fIswitch\fR.
.TP
-.BI dump-flows " SWITCH [FLOW]"
-Prints to the console all flow entries in datapath \fISWITCH\fR's tables
-that match \fIFLOW\fR. If \fIFLOW\fR is omitted, all flows in the
-datapath are retrieved.
+\fBdump-flows \fIswitch \fR[\fIflows\fR]
+Prints to the console all flow entries in datapath \fIswitch\fR's
+tables that match \fIflows\fR. If \fIflows\fR is omitted, all flows
+in the datapath are retrieved. See \fBFLOW SYNTAX\fR, below, for the
+syntax of \fIflows\fR.
.TP
-.BI dump-aggregate " SWITCH [FLOWS]"
+\fBdump-aggregate \fIswitch \fR[\fIflows\fR]
Prints to the console aggregate statistics for flows in datapath
-\fSWITCH\fR's tables that match \fIFLOWS\fR. If \fIFLOWS\fR is omitted,
+\fSWITCH\fR's tables that match \fIflows\fR. If \fIflows\fR is omitted,
the statistics are aggregated across all flows in the datapath's flow
-tables.
+tables. See \fBFLOW SYNTAX\fR, below, for the syntax of \fIflows\fR.
+
+.TP
+\fBadd-flows \fIswitch file\fR
+Add flow entries as described in \fIfile\fR to the datapath \fIswitch\fR's
+tables. Each line in \fIfile\fR is a flow entry in the format
+described in \fBFLOW SYNTAX\fB, below.
+
+.TP
+\fBdel-flows \fIswitch \fR[\fIflow\fR]
+Deletes entries from the datapath \fIswitch\fR's tables that match
+\fIflow\fR. If \fIflow\fR is omitted, all flows in the datapath's
+tables are removed. See \fBFLOW SYNTAX\fR, below, for the syntax of
+\fIflows\fR.
+
+.SH "FLOW SYNTAX"
+
+Some \fBdpctl\fR commands accept an argument that describes a flow or
+flows. Such flow descriptions comprise a series
+\fIfield\fB=\fIvalue\fR assignments, separated by commas or white
+space.
+
+The following field assignments describe how a flow matches a packet.
+If any of these assignments is omitted from the flow syntax, the field
+is treated as a wildcard; thus, if all of them are omitted, the
+resulting flow matches all packets. The string \fB*\fR or \fBANY\fR
+may be specified a value to explicitly mark any of these fields as a
+wildcard.
+
+.IP \fBin_port=\fIport_no\fR
+Matches physical port \fIport_no\fR. Switch ports are numbered as
+displayed by \fBdpctl show\fR.
+
+.IP \fBdl_vlan=\fIvlan\fR
+Matches IEEE 802.1q virtual LAN tag \fIvlan\fR. Specify \fB0xffff\fR
+as \fIvlan\fR to match packets that are not tagged with a virtual LAN;
+otherwise, specify a number between 0 and 4095, inclusive, as the
+12-bit VLAN ID to match.
+
+.IP \fBdl_src=\fImac\fR
+Matches Ethernet source address \fImac\fR, which should be specified
+as 6 pairs of hexadecimal digits delimited by colons,
+e.g. \fB00:0A:E4:25:6B:B0\fR.
+
+.IP \fBdl_dst=\fImac\fR
+Matches Ethernet destination address \fImac\fR.
+
+.IP \fBdl_type=\fIethertype\fR
+Matches Ethernet protocol type \fIethertype\fR, which should be
+specified as a integer between 0 and 65535, inclusive, either in
+decimal or as a hexadecimal number prefixed by \fB0x\fR,
+e.g. \fB0x0806\fR to match ARP packets.
+
+.IP \fBnw_src=\fIip\fR
+Matches IPv4 source address \fIip\fR, which should be specified as an
+IP address or host name, e.g. \fB192.168.1.1\fR or
+\fBwww.example.com\fR.
+
+.IP \fBnw_dst=\fInw_dst\fR
+Matches IPv4 destination address \fIip\fR.
+
+.IP \fBnw_proto=\fIproto\fR
+Matches IP protocol type \fIproto\fR, which should be specified as a
+decimal number between 0 and 255, inclusive, e.g. 6 to match TCP
+packets.
+
+.IP \fBtp_src=\fIport\fR
+Matches UDP or TCP source port \fIport\fR, which should be specified
+as a decimal number between 0 and 65535, inclusive, e.g. 80 to match
+packets originating from a HTTP server.
+
+.IP \fBtp_dst=\fIport\fR
+Matches UDP or TCP destination port \fIport\fR.
+
+.PP
+The \fBadd-flow\fR command requires an additional field:
+
+.IP \fBaction=\fItarget\fR
+Specifies the action to take on a packet when the flow entry matches.
+The \fItarget\fR may be a decimal port number designating the physical
+port on which to output the packet, or one of the following keywords:
+
+.RS
+.IP \fBnormal\fR
+Subjects the packet to the device's normal L2/L3 processing. This
+action is not implemented by all OpenFlow switches.
+
+.IP \fBflood\fR
+Outputs the packet on all switch physical ports other than the port on
+which it was received and any ports on which flooding is disabled
+(typically, these would be ports disabled by the IEEE 802.1D spanning
+tree protocol).
+
+.IP \fBall\fR
+Outputs the packet on all switch physical ports other than the port on
+which it was received.
+
+.IP \fBcontroller\fR
+Sends the packet to the OpenFlow controller as a ``packet in''
+message.
+
+.IP \fBlocal\fR
+Outputs the packet on the ``local port,'' which corresponds to the
+\fBof\fIn\fR network device (see \fBCONTACTING THE CONTROLLER\fR in
+\fBsecchan\fR(8) for information on the \fBof\fIn\fR network device).
+.RE
+
+.IP
+(The OpenFlow protocol supports other actions that \fBdpctl\fR does
+not yet expose to the user.)
+
+.PP
+The \fBadd-flows\fR and \fBdel-flows\fR commands support an additional
+optional field:
+
+.IP \fBpriority=\fIvalue\fR
+Sets the priority of the flow to be added or deleted to \fIvalue\fR,
+which should be a number between 0 and 65535, inclusive. If this
+field is not specified, it defaults to 32768.
+
+.PP
+The \fBdump-flows\fR and \fBdump-aggregate\fR commands support an
+additional optional field:
+
+.IP \fBtable=\fInumber\fR
+If specified, limits the flows about which statistics are gathered to
+those in the table with the given \fInumber\fR. Tables are numbered
+as shown by the \fBdump-tables\fR command.
+
+If this field is not specified, or if \fInumber\fR is given as
+\fB255\fR, statistics are gathered about flows from all tables.
+
+.SH OPTIONS
+.TP
+\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
+Specifies a PEM file containing the private key used as the
+identity for SSL connections to a switch.
+
+.TP
+\fB-c\fR, \fB--certificate=\fIcert.pem\fR
+Specifies a PEM file containing a certificate, signed by the
+controller's certificate authority (CA), that certifies the
+private key to identify a trustworthy controller.
.TP
-.BI add-flows " SWITCH FILE"
-Add flow entries as described in \fIFILE\fR to the datapath \fISWITCH\fR's
-tables. Each line in \fIFILE\fR describes an entry in the format used
-to describe a \fIFLOW\fR in other commands..
+\fB-C\fR, \fB--ca-cert=\fIcacert.pem\fR
+Specifies a PEM file containing the CA certificate used to verify that
+a switch is trustworthy.
.TP
-.BI del-flows " SWITCH [FLOW]"
-Deletes entries from the datapath \fISWITCH\fR's tables that match
-\fIFLOW\fR. If \fIFLOW\fR is omitted, all flows in the datapath's
-tables are removed.
+.BR \-h ", " \-\^\-help
+Prints a brief help message to the console.
+
+.TP
+\fB-v\fR \fImodule\fB:\fIfacility\fB:\fIlevel\fR, \fB--verbose=\fImodule\fB:\fIfacility\fB:\fIlevel\fR
+Sets the logging level for \fImodule\fR in \fIfacility\fR to
+\fIlevel\fR. The \fImodule\fR may be any valid module name (as
+displayed by the \fB--list\fR action on \fBvlogconf\fR(8)), or the
+special name \fBANY\fR to set the logging levels for all modules. The
+\fIfacility\fR may be \fBsyslog\fR or \fBconsole\fR to set the levels
+for logging to the system log or to the console, respectively, or
+\fBANY\fR to set the logging levels for both facilities. The
+\fIlevel\fR must be one of \fBemer\fR, \fBerr\fR, \fBwarn\fR, or
+\fBdbg\fR, designating the minimum severity of a message for it to be
+logged.
+
+.TP
+\fB-v\fR, \fB--verbose\fR
+Sets the maximum logging verbosity level, equivalent to
+\fB--verbose=ANY:ANY:dbg\fR.
+
+.TP
+.BR \-V ", " \-\^\-version
+Prints version information to the console.
.SH EXAMPLES
.B % dpctl adddp nl:0
.TP
-Add two interfaces to the new datapath:
+Add two network devices to the new datapath:
.B % dpctl addif nl:0 eth0
.B % dpctl addif nl:0 eth1
.B % dpctl dump-flows nl:0
.TP
-Remove interfaces from the datapath when finished:
+Remove network devices from the datapath when finished:
.B % dpctl delif nl:0 eth0
.B % dpctl delif nl:0 eth1
.SH "SEE ALSO"
.BR secchan (8),
-.BR switch (8)
-.BR controller (8)
+.BR switch (8),
+.BR controller (8),
.BR vlogconf (8)
program_name, program_name);
vconn_usage(true, false);
printf("\nOptions:\n"
+ " -v, --verbose=MODULE:FACILITY:LEVEL configure logging levels\n"
" -v, --verbose set maximum verbosity level\n"
" -h, --help display this help message\n"
" -V, --version display version information\n");
--- /dev/null
+.TH ofp\-pki 8 "May 2008" "OpenFlow" "OpenFlow Manual"
+
+.SH NAME
+ofp\-pki \- OpenFlow public key infrastructure management utility
+
+.SH SYNOPSIS
+\fBofp\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
+.sp
+Stand-alone commands with their arguments:
+.br
+\fBofp\-pki\fR \fBinit\fR
+.br
+\fBofp\-pki\fR \fBreq\fR \fINAME\fR
+.br
+\fBofp\-pki\fR \fBsign\fR \fINAME\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBreq+sign\fR \fINAME\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBverify\fR \fINAME\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBfingerprint\fR \fIFILE\fR
+.sp
+The following additional commands manage an online PKI:
+.br
+\fBofp\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBflush\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBprompt\fR [\fITYPE\fR]
+.br
+\fBofp\-pki\fR \fBexpire\fR [\fIAGE\fR]
+.sp
+Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
+(default) or \fBcontroller\fR.
+.sp
+The available options are:
+.br
+[\fB-d\fR \fIDIR\fR | \fB--dir=\fR\fIDIR\fR] [\fB-f\fR | \fB--force\fR] [\fB-b\fR | \fB--batch\fR] [\fB-l\fR \fIFILE\fR | \fB--log=\fIFILE\fR] [\fB-h\fR | \fB--help\fR]
+
+.SH DESCRIPTION
+The \fBofp\-pki\fR program sets up and manages a public key
+infrastructure for use with OpenFlow. It is intended to be a simple
+interface for organizations that do not have an established public key
+infrastructure. Other PKI tools can substitute for or supplement the
+use of \fBofp\-pki\fR.
+
+\fBofp\-pki\fR uses \fBopenssl\fR(1) for certificate management and key
+generation.
+
+.SH "OFFLINE COMMANDS"
+
+The following \fBofp\-pki\fR commands support manual PKI
+administration:
+
+.TP
+\fBinit\fR
+Initializes a new PKI (by default in directory \fB@pkidir@\fR) and populates
+it with a pair of certificate authorities for controllers and
+switches.
+
+This command should ideally be run on a high-security machine separate
+from any OpenFlow controller or switch, called the CA machine. The
+files \fBpki/controllerca/cacert.pem\fR and
+\fBpki/switchca/cacert.pem\fR that it produces will need to be copied
+over to the OpenFlow switches and controllers, respectively. Their
+contents may safely be made public.
+
+Other files generated by \fBinit\fR may remain on the CA machine.
+The files \fBpki/controllerca/private/cakey.pem\fR and
+\fBpki/switchca/private/cakey.pem\fR have particularly sensitive
+contents that should not be exposed.
+
+.TP
+\fBreq\fR \fINAME\fR
+Generates a new private key named \fINAME\fR\fB-privkey.pem\fR and
+corresponding certificate request named \fINAME\fR\fB-req.pem\fR.
+The private key can be intended for use by a switch or a controller.
+
+This command should ideally be run on the switch or controller that
+will use the private key to identify itself. The file
+\fINAME\fR\fB-req.pem\fR must be copied to the CA machine for signing
+with the \fBsign\fR command (below).
+
+This command will output a fingerprint to stdout as its final step.
+Write down the fingerprint and take it to the CA machine before
+continuing with the \fBsign\fR step.
+
+\fINAME\fR\fB-privkey.pem\fR has sensitive contents that should not be
+exposed. \fINAME\fR\fB-req.pem\fR may be safely made public.
+
+.TP
+\fBsign\fR \fINAME\fR [\fITYPE\fR]
+Signs the certificate request named \fINAME\fR\fB-req.pem\fR that was
+produced in the previous step, producing a certificate named
+\fINAME\fR\fB-cert.pem\fR. \fITYPE\fR, either \fBswitch\fR (default) or
+\fBcontroller\fR, indicates the use for which the key is being
+certified.
+
+This command must be run on the CA machine.
+
+The command will output a fingerprint to stdout and request that you
+verify that it is the same fingerprint output by the \fBreq\fR
+command. This ensures that the request being signed is the same one
+produced by \fBreq\fR. (The \fB-b\fR or \fB--batch\fR option
+suppresses the verification step.)
+
+The file \fINAME\fR\fB-cert.pem\fR will need to be copied back to the
+switch or controller for which it is intended. Its contents may
+safely be made public.
+
+.TP
+\fBreq+sign\fR \fINAME\fR [\fITYPE\fR]
+Combines the \fBreq\fR and \fBsign\fR commands into a single step,
+outputting all the files produced by each. The
+\fINAME\fR\fB-privkey.pem\fR and \fINAME\fR\fB-cert.pem\fR files must
+be copied securely to the switch or controller.
+\fINAME\fR\fB-privkey.pem\fR has sensitive contents and must not be
+exposed in transit. Afterward, it should be deleted from the CA
+machine.
+
+This combined method is, theoretically, less secure than the
+individual steps performed separately on two different machines,
+because there is additional potential for exposure of the private
+key. However, it is also more convenient.
+
+.TP
+\fBverify\fR \fINAME\fR [\fITYPE\fR]
+Verifies that \fINAME\fR\fB-cert.pem\fR is a valid certificate for the
+given \fITYPE\fR of use, either \fBswitch\fR (default) or
+\fBcontroller\fR. If the certificate is valid for this use, it prints
+the message ``\fINAME\fR\fB-cert.pem\fR: OK''; otherwise, it prints an
+error message.
+
+.TP
+\fBofp\-pki\fR \fBfingerprint\fR \fIFILE\fR
+Prints the fingerprint for \fIFILE\fR. If \fIFILE\fR is a
+certificate, then this is the SHA-1 digest of the DER encoded version
+of the certificate; otherwise, it is the SHA-1 digest of the entire
+file.
+
+.SH "ONLINE COMMANDS"
+
+An OpenFlow PKI can be administered online, in conjunction with
+.BR ofp-pki-cgi (8)
+and a web server such as Apache:
+
+.IP \(bu
+The web server exports the contents of the PKI via HTTP. All files in
+a PKI hierarchy files may be made public, except for the files
+\fBpki/controllerca/private/cakey.pem\fR and
+\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
+
+.IP \(bu
+\fBofp\-pki\-cgi\fR allows newly generated certificate requests for
+controllers and switches to be uploaded into the
+\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
+directories, respectively. Uploaded certificate requests are stored
+in those directories under names of the form
+\fIFINGERPRINT\fB-req.pem\fR, which \fIFINGERPRINT\fR is the SHA-1
+hash of the file.
+
+.IP \(bu
+These \fBofp\-pki\fR commands allow incoming certificate requests to
+be approved or rejected, in a form are suitable for use by humans or
+other software.
+
+.PP
+The following \fBofp\-pki\fR commands support online administration:
+
+.TP
+\fBofp\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
+Lists all of the incoming certificate requests of the given \fITYPE\fR
+(either \fBswitch\fR, the default, or \fBcontroller\fR). If
+\fIPREFIX\fR, which must be at least 4 characters long, is specified,
+it causes the list to be limited to files whose names begin with
+\fIPREFIX\fR. This is useful, for example, to avoid typing in an
+entire fingerprint when checking that a specific certificate request
+has been received.
+
+.TP
+\fBofp\-pki\fR \fBflush\fR [\fITYPE\fR]
+Deletes all certificate requests of the given \fITYPE\fR.
+
+.TP
+\fBofp\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
+Rejects the certificate request whose name begins with \fIPREFIX\fR,
+which must be at least 4 characters long, of the given type (either
+\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must
+match exactly one certificate request; its purpose is to allow the
+user to type fewer characters, not to match multiple certificate
+requests.
+
+.TP
+\fBofp\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
+Approves the certificate request whose name begins with \fIPREFIX\fR,
+which must be at least 4 characters long, of the given \fITYPE\fR
+(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR
+must match exactly one certificate request; its purpose is to allow
+the user to type fewer characters, not to match multiple certificate
+requests.
+
+The command will output a fingerprint to stdout and request that you
+verify that it is correct. (The \fB-b\fR or \fB--batch\fR option
+suppresses the verification step.)
+
+.TP
+\fBofp\-pki\fR \fBprompt\fR [\fITYPE\fR]
+Prompts the user for each incoming certificate request of the given
+\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
+Based on the certificate request's fingerprint, the user is given the
+option of approving, rejecting, or skipping the certificate request.
+
+.TP
+\fBofp\-pki\fR \fBexpire\fR [\fIAGE\fR]
+
+Rejects all the incoming certificate requests, of either type, that is
+older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
+\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR.
+
+.SH OPTIONS
+.TP
+[\fB-d\fR \fIDIR\fR | \fB--dir=\fR\fIDIR\fR]
+Specifies the location of the PKI hierarchy to be used or created by
+the command (default: \fB@pkidir@\fR). All commands, except \fBreq\fR,
+need access to a PKI hierarchy.
+
+.TP
+[\fB-f\fR | \fB--force\fR]
+By default, \fBofp\-pki\fR will not overwrite existing files or
+directories. This option overrides this behavior.
+
+.TP
+[\fB-b\fR | \fB--batch\fR]
+Suppresses the interactive verification of fingerprints that the
+\fBsign\fR command by default requires.
+
+.TP
+[\fB-l\fR \fIFILE\fR | \fB--log=\fIFILE\fR]
+Sets the log file to \fIFILE\fR. If \fIFILE\fR starts with \fB/\fR,
+it is taken as an absolute path; otherwise it is relative to the PKI
+hierarchy. Default: \fBofp-pki.log\fR.
+
+.TP
+[\fB-h\fR | \fB--help\fR]
+Prints a help usage message and exits.
+
+.SH "SEE ALSO"
+
+.BR ofp-pki-cgi (8),
+.BR dpctl (8),
+.BR switch (8),
+.BR secchan (8),
+.BR controller (8)
-.TH vlogconf 8 "March 2008" "OpenFlow" "OpenFlow Manual"
+.TH vlogconf 8 "June 2008" "OpenFlow" "OpenFlow Manual"
.SH NAME
vlogconf \- configuration utility for OpenFlow logging in userspace
.SH SYNOPSIS
-\fBvlogconf\fR [\fB-h\fR | \fB--help\fR] [TARGET...] [ACTION...]
+\fBvlogconf\fR [\fB-h\fR | \fB--help\fR] [\fItarget\fR...] [\fIaction\fR...]
.sp 1
-The available TARGET options are:
+The available \fItarget\fR options are:
.br
-[\fB-a\fR | \fB--all\fR] [\fB-t\fR PID | \fB--target=\fIPID\fR]
+[\fB-a\fR | \fB--all\fR] [\fB-t\fR \fIpid\fR | \fB--target=\fIpid\fR]
.sp 1
-The available ACTION options are:
+The available \fIaction\fR options are:
.br
[\fB-l\fR | \fB--list\fR] [\fB-s\fR
-\fIMODULE\fB:\fIFACILITY\fB:\fILEVEL\fR |
-\fB--set=\fIMODULE\fB:\fIFACILITY\fB:\fILEVEL\fR]
+\fImodule\fB:\fIfacility\fB:\fIlevel\fR |
+\fB--set=\fImodule\fB:\fIfacility\fB:\fIlevel\fR]
.SH DESCRIPTION
-The \fBvlogconf\fR program configures the logging system used by the
+The \fBvlogconf\fR program configures the logging system used by
OpenFlow userspace programs. The logging configuration may be modified
while OpenFlow programs are running.
All running processes that \fBvlogconf\fR can control.
.TP
-\fB-t \fIPID\fR, \fB--target=\fIPID\fR
-The process with the specified \fIPID\fR. \fIPID\fR may also specify
+\fB-t \fIpid\fR, \fB--target=\fIpid\fR
+The process with the specified \fIpid\fR. \fIpid\fR may also specify
an absolute path (beginning with `/') to the Unix domain socket for a
\fBvlogconf\fR-controllable process.
stdout.
.TP
-\fB-s\fR \fIMODULE\fB:\fIFACILITY\fB:\fILEVEL\fR, \fB--set=\fIMODULE\fB:\fIFACILITY\fB:\fILEVEL\fR
+\fB-s\fR \fImodule\fB:\fIfacility\fB:\fIlevel\fR, \fB--set=\fImodule\fB:\fIfacility\fB:\fIlevel\fR
-Sets the logging level for \fIMODULE\fR in \fIFACILITY\fR to
-\fILEVEL\fR. \fIMODULE\fR may be any valid module name (as displayed
-by the \fB--list\fR option) or the special name \fBANY\fR to set all
-modules logging level. \fIFACILITY\fR may be \fBsyslog\fR or
+Sets the logging level for \fImodule\fR in \fIfacility\fR to
+\fIlevel\fR. The \fImodule\fR may be any valid module name (as displayed
+by the \fB--list\fR option) or the special name \fBANY\fR to set the
+logging levels for all modules. The \fIfacility\fR may be \fBsyslog\fR or
\fBconsole\fR to set the levels for logging to the system log or to
the console, respectively, or \fBANY\fR to set the logging levels for
-both modules. \fILEVEL\fR must be one of \fBemer\fR, \fBerr\fR,
+both facilities. The \fIlevel\fR must be one of \fBemer\fR, \fBerr\fR,
\fBwarn\fR, or \fBdbg\fR, designating the minimum severity of a
message for it to be logged.
projects / openvswitch / commitdiff