Flow filter in tc(8)                 Linux                Flow filter in tc(8)

NAME

       flow - flow based traffic control filter

SYNOPSIS

       Mapping mode:

              tc filter ... flow map key KEY [ OPS ] [ OPTIONS ]

       Hashing mode:

              tc filter ... flow hash keys KEY_LIST [ perturb secs ] [ OPTIONS ]

       OPS := [ OPS ] OP

       OPTIONS := [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ] [
               action ACTION_SPEC ]

       KEY_LIST := [ KEY_LIST ] KEY

       OP := { or | and | xor | rshift | addend } NUM

       ID := X:Y

       KEY := { src | dst | proto | proto-src | proto-dst | iif | priority |
               mark | nfct | nfct-src | nfct-dst | nfct-proto-src |
               nfct-proto-dst | rt-classid | sk-uid | sk-gid | vlan-tag |
               rxhash }

DESCRIPTION

       The flow classifier is meant to extend the SFQ hashing capabilities
       without hard-coding new hash functions. It also allows deterministic
       mappings of keys to classes.

OPTIONS

       action ACTION_SPEC
              Apply an action from the generic actions framework on matching
              packets.

       baseclass ID
              An offset for the resulting class ID. ID may be root, none or a
              hexadecimal class ID in the form [X:]Y. X must match the
              qdisc's/class's major handle (if omitted, the correct value is
              chosen automatically). If the whole baseclass is omitted, Y
              defaults to 1.

       divisor NUM
              Number of buckets to use for sorting into. Keys are calculated
              modulo NUM.

       hash keys KEY_LIST
              Perform a jhash2 operation over the keys in KEY_LIST; the result
              (modulo the divisor if given) is taken as class ID, optionally
              offset by the value of baseclass. It is possible to specify an
              interval (in seconds) after which jhash2's entropy source is
              recreated using the perturb parameter.

       map key KEY
              Packet data identified by KEY is translated into class IDs to
              push the packet into. The value may be mangled by OPS before
              using it for the mapping. They are applied in the order listed
              here:

              and NUM
                  Perform bitwise AND operation with numeric value NUM.

              or NUM
                  Perform bitwise OR operation with numeric value NUM.

              xor NUM
                  Perform bitwise XOR operation with numeric value NUM.

              rshift NUM
                  Shift the value of KEY to the right by NUM bits.

              addend NUM
                  Add NUM to the value of KEY.

              For the or, and, xor and rshift operations, NUM is assumed to be
              an unsigned, 32-bit integer value. For the addend operation, NUM
              may be much more complex: It may be prefixed by a minus ('-')
              sign to cause subtraction instead of addition, and for keys of
              src, dst, nfct-src and nfct-dst it may be given in IP address
              notation. See EXAMPLES below for an illustration.

       match EMATCH_TREE
              Match packets using the extended match infrastructure. See
              tc-ematch(8) for a detailed description of the allowed syntax in
              EMATCH_TREE.

KEYS

       In mapping mode, a single key is used (after optional permutation) to
       build a class ID. The resulting ID is deducible in most cases. In
       hashing mode, a number of keys may be specified which are then hashed
       and the output used as class ID. This ID is not deducible beforehand,
       and may even change over time for a given flow if a perturb interval
       has been given.

       The range of class IDs can be limited by the divisor option, which is
       used for a modulus.

       src, dst
              Use source or destination address as key. In case of IPv4 and
              TIPC, this is the actual address value. For IPv6, the 128-bit
              address is folded into a 32-bit value by XOR'ing the four 32-bit
              words. In all other cases, the kernel-internal socket address is
              used (after folding into 32 bits on 64-bit systems).

       proto  Use the layer four protocol number as key.

       proto-src
              Use the layer four source port as key. If not available, the
              kernel-internal socket address is used instead.

       proto-dst
              Use the layer four destination port as key. If not available,
              the associated kernel-internal dst_entry address is used after
              XOR'ing with the packet's layer three protocol number.

       iif    Use the incoming interface index as key.

       priority
              Use the packet's priority as key. Usually this is the IP
              header's DSCP/ECN value.

       mark   Use the netfilter fwmark as key.

       nfct   Use the associated conntrack entry address as key.

       nfct-src, nfct-dst, nfct-proto-src, nfct-proto-dst
              These are conntrack-aware variants of src, dst, proto-src and
              proto-dst. In case of NAT, these are basically the packet
              header's values before NAT was applied.

       rt-classid
              Use the packet's destination routing table entry's realm as key.

       sk-uid
       sk-gid For locally generated packets, use the user or group ID the
              originating socket belongs to as key.

       vlan-tag
              Use the packet's VLAN ID as key.

       rxhash Use the flow hash as key.

EXAMPLES

       Classic SFQ hash:

              tc filter add ... flow hash \
                   keys src,dst,proto,proto-src,proto-dst divisor 1024

       Classic SFQ hash, but using information from conntrack to work properly
       in combination with NAT:

              tc filter add ... flow hash \
                   keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst \
                   divisor 1024

       Map destination IPs of 192.168.0.0/24 to classids 1-256:

              tc filter add ... flow map \
                   key dst addend -192.168.0.0 divisor 256

       Alternative to the above:

              tc filter add ... flow map \
                   key dst and 0xff

       The same, but in reverse order:

              tc filter add ... flow map \
                   key dst and 0xff xor 0xff
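       The mapping-mode examples above, worked through as arithmetic. This is
       an added illustration, not code from iproute2 or the kernel; it assumes
       the operation order given under OPTIONS, the default baseclass minor of
       1, and helper names (ip2int, flow_map, map_*) invented for this sketch.

```shell
#!/bin/sh
# Added example: arithmetic model of "flow map", not iproute2 or kernel code.
# Assumed order (from the OPS list on this page): and, or, xor, rshift,
# addend, then modulo divisor, then offset by the baseclass minor (default 1).

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# flow_map KEY AND OR XOR RSHIFT ADDEND DIVISOR BASE_MINOR -> class minor
# (decimal; tc itself displays class IDs in hexadecimal)
flow_map() {
    v=$(( $1 & 0xffffffff ))
    v=$(( ((v & $2) | $3) ^ $4 ))
    v=$(( ((v >> $5) + $6) & 0xffffffff ))   # 32-bit wrap-around
    if [ "$7" -gt 0 ]; then v=$(( v % $7 )); fi
    echo $(( v + $8 ))
}

# The three mapping-mode EXAMPLES from this page, applied to one address.
map_addend()  { flow_map "$(ip2int "$1")" 0xffffffff 0 0 0 "-$(ip2int 192.168.0.0)" 256 1; }
map_and()     { flow_map "$(ip2int "$1")" 0xff 0 0 0 0 0 1; }
map_reverse() { flow_map "$(ip2int "$1")" 0xff 0 0xff 0 0 0 1; }

# Constructed sample addresses; the last one is outside 192.168.0.0/24.
for ip in 192.168.0.0 192.168.0.5 192.168.0.255 10.1.2.5; do
    printf '%-14s addend=%-4s and=%-4s reverse=%s\n' \
        "$ip" "$(map_addend "$ip")" "$(map_and "$ip")" "$(map_reverse "$ip")"
done
```

       Under this model 10.1.2.5 lands in the same class as 192.168.0.5, since
       only the low byte survives; if only the /24 should be classified, the
       filter has to be restricted separately, for instance with match.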

SEE ALSO

       tc(8), tc-ematch(8), tc-sfq(8)

iproute2                          20 Oct 2015             Flow filter in tc(8)