Flower filter in tc(8)               Linux              Flower filter in tc(8)

NAME

       flower - flow based traffic control filter

SYNOPSIS

       tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC  ]  [  classid
               CLASSID ] [ hw_tc TCID ]


       MATCH_LIST := [ MATCH_LIST ] MATCH

       MATCH  :=  { indev ifname | verbose  | skip_sw | skip_hw  | { dst_mac |
               src_mac } MASKED_LLADDR | vlan_id VID |  vlan_prio  PRIORITY  |
               vlan_ethtype  {  ipv4  |  ipv6  |  ETH_TYPE  } | cvlan_id VID |
               cvlan_prio PRIORITY | cvlan_ethtype { ipv4 | ipv6 | ETH_TYPE  }
               |  mpls LSE_LIST | mpls_label LABEL | mpls_tc TC | mpls_bos BOS
               | mpls_ttl TTL | ip_proto { tcp | udp | sctp | icmp | icmpv6  |
               IP_PROTO  }  |  ip_tos MASKED_IP_TOS | ip_ttl MASKED_IP_TTL | {
               dst_ip  |  src_ip  }  PREFIX  |  {  dst_port  |  src_port  }  {
               MASKED_NUMBER  |  min_port_number-max_port_number } | tcp_flags
               MASKED_TCP_FLAGS | type MASKED_TYPE  |  code  MASKED_CODE  |  {
               arp_tip | arp_sip } IPV4_PREFIX | arp_op { request | reply | OP
               } | { arp_tha | arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | {
               enc_dst_ip  |  enc_src_ip  }  { ipv4_address | ipv6_address } |
               enc_dst_port port_number | enc_tos TOS | enc_ttl TTL |
               { geneve_opts | vxlan_opts | erspan_opts } OPTIONS | ip_flags
               IP_FLAGS }

       LSE_LIST := [ LSE_LIST ] LSE

       LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }

DESCRIPTION

       The flower filter matches flows  to  the  set  of  keys  specified  and
       assigns  an  arbitrarily  chosen class ID to packets belonging to them.
       Additionally (or alternatively)  an  action  from  the  generic  action
       framework may be called.

OPTIONS

       action ACTION_SPEC
              Apply  an  action from the generic actions framework on matching
              packets.

       classid CLASSID
              Specify a class to pass matching packets on to.  CLASSID  is  in
              the  form X:Y, where X and Y are interpreted as numbers in
              hexadecimal format.

       hw_tc TCID
              Specify a hardware traffic class to pass matching packets on to.
              TCID is in the range 0 through 15.

       indev ifname
              Match  on  incoming  interface  name. Obviously this makes sense
              only for forwarded flows.  ifname is the name  of  an  interface
              which must exist at the time of tc invocation.

       verbose
              Enable  verbose  logging,  including  offloading errors when not
              using the skip_sw flag.

       skip_sw
              Do not process filter by software. If hardware  has  no  offload
              support  for  this  filter, or TC offload is not enabled for the
              interface, operation will fail.

       skip_hw
              Do not process filter by hardware.

       dst_mac MASKED_LLADDR
       src_mac MASKED_LLADDR
              Match on source or destination  MAC  address.   A  mask  may  be
              optionally  provided  to limit the bits of the address which are
              matched. A mask is provided by  following  the  address  with  a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits  to
              match.  If  the  mask  is  missing  then  a match on all bits is
              assumed.

       vlan_id VID
              Match on vlan tag id.  VID is an unsigned 12bit value in decimal
              format.

       vlan_prio PRIORITY
              Match  on vlan tag priority.  PRIORITY is an unsigned 3bit value
              in decimal format.

       vlan_ethtype VLAN_ETH_TYPE
              Match on layer three  protocol.   VLAN_ETH_TYPE  may  be  either
              ipv4,  ipv6 or an unsigned 16bit value in hexadecimal format. To
              match on a QinQ packet, it must be 802.1Q or 802.1AD.

       cvlan_id VID
              Match on QinQ inner vlan tag id.  VID is an unsigned 12bit value
              in decimal format.

       cvlan_prio PRIORITY
              Match  on QinQ inner vlan tag priority.  PRIORITY is an unsigned
              3bit value in decimal format.

       cvlan_ethtype VLAN_ETH_TYPE
              Match on QinQ layer three protocol.  VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.


       mpls LSE_LIST
              Match  on  the  MPLS  label  stack.  LSE_LIST is a list of Label
              Stack Entries, each introduced by the lse keyword.  This  option
              can't  be used together with the standalone mpls_label, mpls_tc,
              mpls_bos and mpls_ttl options.

              lse LSE_OPTIONS
                     Match on an MPLS Label Stack  Entry.   LSE_OPTIONS  is  a
                     list  of  options that describe the properties of the LSE
                     to match.

                     depth DEPTH
                            The depth of the Label Stack  Entry  to  consider.
                            Depth  starts  at  1  (the  outermost  Label Stack
                            Entry). The maximum usable depth may be limited by
                            the kernel. This option is mandatory.  DEPTH is an
                            unsigned 8 bit value in decimal format.

                     label LABEL
                            Match on the MPLS Label  field  at  the  specified
                            depth.  LABEL is an unsigned 20 bit value in
                            decimal format.

                     tc TC  Match on the MPLS Traffic Class field at the
                            specified depth.  TC is an unsigned 3 bit value in
                            decimal format.

                     bos BOS
                            Match on the MPLS Bottom Of  Stack  field  at  the
                            specified  depth.  BOS is a 1 bit value in decimal
                            format.

                     ttl TTL
                            Match on the MPLS Time To Live field at the
                            specified depth.  TTL is an unsigned 8 bit value
                            in decimal format.


       mpls_label LABEL
              Match the label id in the  outermost  MPLS  label  stack  entry.
              LABEL is an unsigned 20 bit value in decimal format.

       mpls_tc TC
              Match  on  the MPLS TC field, which is typically used for packet
              priority, in the outermost MPLS label stack  entry.   TC  is  an
              unsigned 3 bit value in decimal format.

       mpls_bos BOS
              Match  on  the  MPLS Bottom Of Stack field in the outermost MPLS
              label stack entry.  BOS is a 1 bit value in decimal format.

       mpls_ttl TTL
              Match on the MPLS Time To Live field in the outermost MPLS label
              stack entry.  TTL is an unsigned 8 bit value in decimal format.

       ip_proto IP_PROTO
              Match  on  layer four protocol.  IP_PROTO may be tcp, udp, sctp,
              icmp, icmpv6 or an unsigned 8bit value in hexadecimal format.

       ip_tos MASKED_IP_TOS
              Match on ipv4 TOS or ipv6 traffic-class - eight bits in
              hexadecimal format.  A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       ip_ttl MASKED_IP_TTL
              Match on ipv4 TTL or ipv6 hop-limit - an eight bit value in
              decimal or hexadecimal format.  A mask may be optionally
              provided to limit the bits which are matched. The same logic is
              used for the mask as with matching on ip_tos.

       dst_ip PREFIX
       src_ip PREFIX
              Match  on  source  or  destination IP address.  PREFIX must be a
              valid IPv4 or IPv6 address, depending on the protocol option  to
              tc filter, optionally followed by a slash and the prefix length.
              If the prefix is missing, tc assumes a full-length host match.

       dst_port { MASKED_NUMBER |  MIN_VALUE-MAX_VALUE }
       src_port { MASKED_NUMBER |  MIN_VALUE-MAX_VALUE }
              Match on layer 4 protocol source  or  destination  port  number,
              with  an  optional  mask. Alternatively, the minimum and maximum
              values can be specified to match on a range of layer 4  protocol
              source  or destination port numbers. Only available for ip_proto
              values udp, tcp and sctp, which have to be specified beforehand.

       tcp_flags MASKED_TCP_FLAGS
              Match on TCP flags represented as a 12bit bitfield in
              hexadecimal format.  A mask may be optionally provided to limit
              the bits which are matched.  A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       type MASKED_TYPE
       code MASKED_CODE
              Match on ICMP type or code. A mask may be optionally provided to
              limit the bits of the value which are matched. A mask is
              provided by following the value with a slash and then the mask.
              The mask must be given as a number which represents a bitwise
              mask. If the mask is missing then a match on all bits is
              assumed.  Only available for ip_proto values icmp and icmpv6,
              which have to be specified beforehand.

       arp_tip IPV4_PREFIX
       arp_sip IPV4_PREFIX
              Match  on  ARP or RARP sender or target IP address.  IPV4_PREFIX
              must be a valid IPv4 address optionally followed by a slash  and
              the  prefix length. If the prefix is missing, tc assumes a
              full-length host match.

       arp_op ARP_OP
              Match on ARP or RARP operation.  ARP_OP may be request, reply or
              an  integer  value 0, 1 or 2.  A mask may be optionally provided
              to limit the bits of the operation which are matched. A mask  is
              provided  by  following  the  value  with  a slash and then the
              mask. It may be provided as an unsigned 8 bit value representing
              a  bitwise mask. If the mask is missing then a match on all bits
              is assumed.

       arp_sha MASKED_LLADDR
       arp_tha MASKED_LLADDR
              Match on ARP or RARP sender or target MAC address.  A  mask  may
              be  optionally  provided  to limit the bits of the address which
              are matched. A mask is provided by following the address with  a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits  to
              match.  If  the  mask  is  missing  then  a match on all bits is
              assumed.

       enc_key_id NUMBER
       enc_dst_ip PREFIX
       enc_src_ip PREFIX
       enc_dst_port NUMBER
       enc_tos NUMBER
       enc_ttl NUMBER


       ct_state CT_STATE
       ct_zone CT_MASKED_ZONE
       ct_mark CT_MASKED_MARK
       ct_label CT_MASKED_LABEL
              Matches on connection tracking info.

              CT_STATE
                     Match the connection state, which can be a combination of
                     [{+|-}flag] flags, where flag can be one of

                     trk - Tracked connection.

                     new - New connection.

                     est - Established connection.

                     Example: +trk+est

              CT_MASKED_ZONE
                     Match the connection zone, and can be masked.

              CT_MASKED_MARK
                     32bit match on the connection mark, and can be masked.

              CT_MASKED_LABEL
                     128bit match on the connection label, and can be masked.

       geneve_opts OPTIONS
       vxlan_opts OPTIONS
       erspan_opts OPTIONS
              Match  on  IP  tunnel metadata. Key id NUMBER is a 32 bit tunnel
              key id (e.g. VNI for VXLAN tunnel).  PREFIX must be a valid IPv4
              or  IPv6  address  optionally followed by a slash and the prefix
              length. If the prefix is missing, tc assumes a full-length  host
              match.   Dst port NUMBER is a 16 bit UDP dst port. Tos NUMBER is
              an 8 bit tos (dscp+ecn) value, ttl NUMBER is an 8 bit
              time-to-live value.  geneve_opts OPTIONS must be a valid list of
              comma-separated geneve options where each option consists of a
              key optionally followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The options
              can be described in the form
              CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where  CLASS  is
              represented  as a 16bit hexadecimal value, TYPE as an 8bit
              hexadecimal value and DATA as a variable length hexadecimal
              value.  vxlan_opts OPTIONS doesn't support multiple options, and
              it consists of a key followed by a slash and corresponding mask.
              If the mask is missing, tc assumes a full-length match. The
              option can be described in the form GBP/GBP_MASK, where GBP is
              represented as a 32bit number.  erspan_opts OPTIONS doesn't
              support multiple options, and it consists of a key followed by a
              slash and corresponding mask. If the mask is missing, tc assumes
              a full-length match. The option can be described in the form
              VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK,
              where VERSION is represented as an 8bit number, INDEX as a 32bit
              number, and DIR and HWID as 8bit numbers. Note INDEX/INDEX_MASK
              is used when VERSION is 1, and DIR/DIR_MASK and HWID/HWID_MASK
              are used when VERSION is 2.

       ip_flags IP_FLAGS
              IP_FLAGS  may  be  either frag, nofrag, firstfrag or nofirstfrag
              where frag and nofrag can be used to match on fragmented packets
              or not, respectively. firstfrag and nofirstfrag can be used to
              further distinguish fragmented packets. firstfrag can be used to
              indicate the first fragment. nofirstfrag can be used to indicate
              subsequent fragments or non-fragmented packets.

NOTES

       As stated above where applicable, matches of a certain layer implicitly
       depend on the matches of the next lower layer. Precisely, layer one and
       two  matches (indev,  dst_mac and src_mac) have no dependency, MPLS and
       layer three matches (mpls,  mpls_label,  mpls_tc,  mpls_bos,  mpls_ttl,
       ip_proto,  dst_ip,  src_ip,  arp_tip, arp_sip, arp_op, arp_tha, arp_sha
       and ip_flags) depend on the protocol option of tc  filter,  layer  four
       port  matches  (dst_port  and src_port) depend on ip_proto being set to
       tcp, udp or sctp, and finally ICMP matches (code and  type)  depend  on
       ip_proto being set to icmp or icmpv6.

       Only one mask can be used per prio. If a different mask is needed, a
       different prio has to be used.
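       The script below is an added example and is not part of the iproute2
       manual page. It puts the ct_state keys and the layer dependencies from
       this section into a small ingress policy: untracked packets are run
       through conntrack, established connections are accepted, new SSH
       connections are accepted only from an admin prefix, and every other
       TCP connection attempt (SYN set, ACK clear, expressed as tcp_flags
       0x02/0x12) is dropped. It assumes the tc ct action described in
       tc-ct(8) is available; the interface name, chain numbers, prios and
       the admin prefix 192.0.2.0/24 are constructed sample values. With TC
       unset the tc commands are only printed; run with TC=tc as root to
       apply them.

```shell
#!/bin/sh
# Added example, not from the iproute2 manual page: a small ingress policy
# built from flower keys. Assumes the tc ct action (tc-ct(8)) is available
# to run packets through conntrack. With TC unset the tc commands are only
# printed (dry run); run with TC=tc as root to apply them. The interface,
# chain numbers, prios and the admin prefix are constructed sample values.
TC=${TC:-echo}
DEV=${DEV:-eth0}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # constructed: hosts allowed to open SSH

# One flower filter on the ingress hook: $1 is the prio, $2 the chain, the
# remaining arguments are the match keys followed by the action list.
flower() {
    prio=$1; chain=$2; shift 2
    $TC filter add dev "$DEV" ingress prio "$prio" chain "$chain" \
        protocol ip flower "$@"
}

# Attach clsact (needed for ingress filters), then install the policy.
install_policy() {
    $TC qdisc add dev "$DEV" clsact

    # chain 0: packets not yet tracked (-trk) are run through conntrack and
    # then classified again in chain 1.
    flower 1 0 ct_state -trk action ct pipe action goto chain 1

    # chain 1: packets of established connections are accepted. ct_state
    # depends only on the protocol option; no ip_proto key is needed.
    flower 1 1 ct_state +trk+est action pass

    # New SSH connections from the admin prefix are committed to conntrack
    # and accepted. dst_port requires ip_proto tcp; src_ip carries a /24
    # mask, so prio 2 is used by this mask only.
    flower 2 1 ct_state +trk+new ip_proto tcp dst_port 22 src_ip "$ADMIN_NET" \
        action ct commit action pass

    # Same keys with a different src_ip mask (/8): a separate prio is
    # required because only one mask is allowed per prio.
    flower 3 1 ct_state +trk+new ip_proto tcp dst_port 22 src_ip 10.0.0.0/8 \
        action ct commit action pass

    # Every other TCP connection attempt is dropped: SYN set and ACK clear,
    # written as value 0x02 under mask 0x12 (bit 0x02 = SYN, bit 0x10 = ACK).
    flower 4 1 ip_proto tcp tcp_flags 0x02/0x12 action drop
}

# Deleting the clsact qdisc removes every filter attached to it.
remove_policy() {
    $TC qdisc del dev "$DEV" clsact
}

# Entry point: "remove" tears the policy down, anything else installs it.
case "${1:-install}" in
    remove) remove_policy ;;
    *) install_policy ;;
esac
```

       Running the script without TC set prints the six tc commands so they
       can be reviewed before TC=tc applies them. Because ct_state flags are
       only meaningful after a packet has passed through conntrack, the
       untracked packets are sent through the ct action in chain 0 first and
       all state-dependent rules live in chain 1.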

SEE ALSO

       tc(8), tc-flow(8)



iproute2                          22 Oct 2015           Flower filter in tc(8)