Flower filter in tc(8)               Linux              Flower filter in tc(8)

NAME
       flower - flow based traffic control filter

SYNOPSIS
       tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
               CLASSID ] [ hw_tc TCID ]

       MATCH_LIST := [ MATCH_LIST ] MATCH

       MATCH := { indev ifname | verbose | skip_sw | skip_hw | { dst_mac |
               src_mac } MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY |
               vlan_ethtype { ipv4 | ipv6 | ETH_TYPE } | cvlan_id VID |
               cvlan_prio PRIORITY | cvlan_ethtype { ipv4 | ipv6 | ETH_TYPE }
               | pppoe_sid PSID | ppp_proto { ip | ipv6 | mpls_uc | mpls_mc |
               PPP_PROTO } | mpls LSE_LIST | mpls_label LABEL | mpls_tc TC |
               mpls_bos BOS | mpls_ttl TTL | l2tpv3_sid LSID | ip_proto { tcp
               | udp | sctp | icmp | icmpv6 | l2tp | IP_PROTO } | ip_tos
               MASKED_IP_TOS | ip_ttl MASKED_IP_TTL | { dst_ip | src_ip }
               PREFIX | { dst_port | src_port } { MASKED_NUMBER |
               min_port_number-max_port_number } | tcp_flags
               MASKED_TCP_FLAGS | type MASKED_TYPE | code MASKED_CODE |
               { arp_tip | arp_sip } IPV4_PREFIX | arp_op { request | reply |
               OP } | { arp_tha | arp_sha } MASKED_LLADDR | enc_key_id KEY-ID
               | { enc_dst_ip | enc_src_ip } { ipv4_address | ipv6_address }
               | enc_dst_port port_number | enc_tos TOS | enc_ttl TTL |
               { geneve_opts | vxlan_opts | erspan_opts | gtp_opts } OPTIONS
               | ip_flags IP_FLAGS }

       LSE_LIST := [ LSE_LIST ] LSE

       LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }

DESCRIPTION
       The flower filter matches flows to the set of keys specified and
       assigns an arbitrarily chosen class ID to packets belonging to them.
       Additionally (or alternatively) an action from the generic action
       framework may be called.

OPTIONS
       action ACTION_SPEC
              Apply an action from the generic actions framework on matching
              packets.

       classid CLASSID
              Specify a class to pass matching packets on to. CLASSID is in
              the form X:Y, where X and Y are interpreted as numbers in
              hexadecimal format.

       hw_tc TCID
              Specify a hardware traffic class to pass matching packets on to.
              TCID is in the range 0 through 15.

       indev ifname
              Match on incoming interface name. Obviously this makes sense
              only for forwarded flows. ifname is the name of an interface
              which must exist at the time of tc invocation.

       verbose
              Enable verbose logging, including offloading errors when not
              using the skip_sw flag.

       skip_sw
              Do not process filter by software. If hardware has no offload
              support for this filter, or TC offload is not enabled for the
              interface, operation will fail.

       skip_hw
              Do not process filter by hardware.

       dst_mac MASKED_LLADDR
       src_mac MASKED_LLADDR
              Match on source or destination MAC address. A mask may be
              optionally provided to limit the bits of the address which are
              matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       num_of_vlans NUM
              Match on the number of vlan tags in the packet. NUM can be 0 or
              a small positive integer, typically in the range 0-4.

       vlan_id VID
              Match on vlan tag id. VID is an unsigned 12bit value in decimal
              format.

       vlan_prio PRIORITY
              Match on vlan tag priority. PRIORITY is an unsigned 3bit value
              in decimal format.

       vlan_ethtype VLAN_ETH_TYPE
              Match on layer three protocol. VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format. To
              match on a QinQ packet, it must be 802.1Q or 802.1AD.

       cvlan_id VID
              Match on QinQ inner vlan tag id. VID is an unsigned 12bit value
              in decimal format.

       cvlan_prio PRIORITY
              Match on QinQ inner vlan tag priority. PRIORITY is an unsigned
              3bit value in decimal format.

       cvlan_ethtype VLAN_ETH_TYPE
              Match on QinQ layer three protocol. VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.

       pppoe_sid PSID
              Match on PPPoE session id. PSID is an unsigned 16bit value in
              decimal format.

       ppp_proto PPP_PROTO
              Match on PPP layer three protocol. PPP_PROTO may be either ip,
              ipv6, mpls_uc, mpls_mc or an unsigned 16bit value in hexadecimal
              format.

       mpls LSE_LIST
              Match on the MPLS label stack. LSE_LIST is a list of Label
              Stack Entries, each introduced by the lse keyword. This option
              can't be used together with the standalone mpls_label, mpls_tc,
              mpls_bos and mpls_ttl options.

              lse LSE_OPTIONS
                     Match on an MPLS Label Stack Entry. LSE_OPTIONS is a
                     list of options that describe the properties of the LSE
                     to match.

                     depth DEPTH
                            The depth of the Label Stack Entry to consider.
                            Depth starts at 1 (the outermost Label Stack
                            Entry). The maximum usable depth may be limited
                            by the kernel. This option is mandatory. DEPTH is
                            an unsigned 8 bit value in decimal format.

                     label LABEL
                            Match on the MPLS Label field at the specified
                            depth. LABEL is an unsigned 20 bit value in
                            decimal format.

                     tc TC
                            Match on the MPLS Traffic Class field at the
                            specified depth. TC is an unsigned 3 bit value in
                            decimal format.

                     bos BOS
                            Match on the MPLS Bottom Of Stack field at the
                            specified depth. BOS is a 1 bit value in decimal
                            format.

                     ttl TTL
                            Match on the MPLS Time To Live field at the
                            specified depth. TTL is an unsigned 8 bit value
                            in decimal format.

       mpls_label LABEL
              Match the label id in the outermost MPLS label stack entry.
              LABEL is an unsigned 20 bit value in decimal format.

       mpls_tc TC
              Match on the MPLS TC field, which is typically used for packet
              priority, in the outermost MPLS label stack entry. TC is an
              unsigned 3 bit value in decimal format.

       mpls_bos BOS
              Match on the MPLS Bottom Of Stack field in the outermost MPLS
              label stack entry. BOS is a 1 bit value in decimal format.

       mpls_ttl TTL
              Match on the MPLS Time To Live field in the outermost MPLS label
              stack entry. TTL is an unsigned 8 bit value in decimal format.

       l2tpv3_sid LSID
              Match on L2TPv3 session id field transported over IPv4 or IPv6.
              LSID is an unsigned 32 bit value in decimal format.

       ip_proto IP_PROTO
              Match on layer four protocol. IP_PROTO may be tcp, udp, sctp,
              icmp, icmpv6, l2tp or an unsigned 8bit value in hexadecimal
              format.

       ip_tos MASKED_IP_TOS
              Match on ipv4 TOS or ipv6 traffic-class - eight bits in
              hexadecimal format. A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       ip_ttl MASKED_IP_TTL
              Match on ipv4 TTL or ipv6 hop-limit - an eight bit value in
              decimal or hexadecimal format. A mask may be optionally provided
              to limit the bits which are matched. The same logic is used for
              the mask as with matching on ip_tos.

       dst_ip PREFIX
       src_ip PREFIX
              Match on source or destination IP address. PREFIX must be a
              valid IPv4 or IPv6 address, depending on the protocol option to
              tc filter, optionally followed by a slash and the prefix length.
              If the prefix is missing, tc assumes a full-length host match.

       dst_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
       src_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
              Match on layer 4 protocol source or destination port number,
              with an optional mask. Alternatively, the minimum and maximum
              values can be specified to match on a range of layer 4 protocol
              source or destination port numbers. Only available for ip_proto
              values udp, tcp and sctp, which have to be specified beforehand.

       tcp_flags MASKED_TCP_FLAGS
              Match on TCP flags represented as a 12bit bitfield in
              hexadecimal format. A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       type MASKED_TYPE
       code MASKED_CODE
              Match on ICMP type or code. A mask may be optionally provided to
              limit the bits of the value which are matched. A mask is
              provided by following the value with a slash and then the mask.
              The mask must be given as a number which represents a bitwise
              mask. If the mask is missing then a match on all bits is
              assumed. Only available for ip_proto values icmp and icmpv6,
              which have to be specified beforehand.

       arp_tip IPV4_PREFIX
       arp_sip IPV4_PREFIX
              Match on ARP or RARP sender or target IP address. IPV4_PREFIX
              must be a valid IPv4 address optionally followed by a slash and
              the prefix length. If the prefix is missing, tc assumes a
              full-length host match.

       arp_op ARP_OP
              Match on ARP or RARP operation. ARP_OP may be request, reply or
              an integer value 0, 1 or 2. A mask may be optionally provided
              to limit the bits of the operation which are matched. A mask is
              provided by following the value with a slash and then the mask.
              It may be provided as an unsigned 8 bit value representing a
              bitwise mask. If the mask is missing then a match on all bits
              is assumed.

       arp_sha MASKED_LLADDR
       arp_tha MASKED_LLADDR
              Match on ARP or RARP sender or target MAC address. A mask may
              be optionally provided to limit the bits of the address which
              are matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       enc_key_id NUMBER
       enc_dst_ip PREFIX
       enc_src_ip PREFIX
       enc_dst_port NUMBER
       enc_tos NUMBER
       enc_ttl NUMBER

       ct_state CT_STATE
       ct_zone CT_MASKED_ZONE
       ct_mark CT_MASKED_MARK
       ct_label CT_MASKED_LABEL
              Matches on connection tracking info.

              CT_STATE
                     Match the connection state, and can be a combination of
                     [{+|-}flag] flags, where flag can be one of

                     trk - Tracked connection.

                     new - New connection.

                     est - Established connection.

                     rpl - The packet is in the reply direction, meaning that
                     it is in the opposite direction from the packet that
                     initiated the connection.

                     inv - The state is invalid. The packet couldn't be
                     associated to a connection.

                     rel - The packet is related to an existing connection.

                     Example: +trk+est

              CT_MASKED_ZONE
                     Match the connection zone, and can be masked.

              CT_MASKED_MARK
                     32bit match on the connection mark, and can be masked.

              CT_MASKED_LABEL
                     128bit match on the connection label, and can be masked.

       geneve_opts OPTIONS
       vxlan_opts OPTIONS
       erspan_opts OPTIONS
       gtp_opts OPTIONS
              Match on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel
              key id (e.g. VNI for VXLAN tunnel). PREFIX must be a valid IPv4
              or IPv6 address optionally followed by a slash and the prefix
              length. If the prefix is missing, tc assumes a full-length host
              match. Dst port NUMBER is a 16 bit UDP dst port. Tos NUMBER is
              an 8 bit tos (dscp+ecn) value, ttl NUMBER is an 8 bit
              time-to-live value.

              geneve_opts OPTIONS must be a valid list of comma-separated
              geneve options where each option consists of a key optionally
              followed by a slash and corresponding mask. If the mask is
              missing, tc assumes a full-length match. The options can be
              described in the form
              CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is
              represented as a 16bit hexadecimal value, TYPE as an 8bit
              hexadecimal value and DATA as a variable length hexadecimal
              value.

              vxlan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask.
              If the mask is missing, tc assumes a full-length match. The
              option can be described in the form GBP/GBP_MASK, where GBP is
              represented as a 32bit number.

              erspan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask.
              If the mask is missing, tc assumes a full-length match. The
              option can be described in the form
              VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK,
              where VERSION is represented as an 8bit number, INDEX as a
              32bit number, DIR and HWID as 8bit numbers. Multiple options
              are not supported. Note INDEX/INDEX_MASK is used when VERSION
              is 1, and DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION
              is 2.

              gtp_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask.
              If the mask is missing, tc assumes a full-length match. The
              option can be described in the form
              PDU_TYPE:QFI/PDU_TYPE_MASK:QFI_MASK where both PDU_TYPE and QFI
              are represented as 8bit hexadecimal values.

       ip_flags IP_FLAGS
              IP_FLAGS may be either frag, nofrag, firstfrag or nofirstfrag
              where frag and nofrag could be used to match on fragmented
              packets or not, respectively. firstfrag and nofirstfrag can be
              used to further distinguish fragmented packets. firstfrag can
              be used to indicate the first fragmented packet. nofirstfrag
              can be used to indicate subsequent fragmented packets or
              non-fragmented packets.

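       The masked forms described above for dst_mac/src_mac, arp_sha/arp_tha
       and tcp_flags, worked through offline as an added example (not part of
       the original page or of iproute2). It shows which packet fields a
       masked key covers; the function names and sample values are
       constructed.

```python
def parse_lladdr(text):
    """'aa:bb:cc:dd:ee:ff' -> 48-bit integer."""
    octets = [int(o, 16) for o in text.split(":")]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError(f"not a link-layer address: {text!r}")
    return int.from_bytes(bytes(octets), "big")

def parse_masked_lladdr(text):
    """MASKED_LLADDR -> (value, mask); mask is LLADDR form, a high-bit count, or absent."""
    addr, _, mask = text.partition("/")
    if not mask:
        bits = (1 << 48) - 1                      # missing mask: match on all bits
    elif ":" in mask:
        bits = parse_lladdr(mask)                 # LLADDR format: bitwise mask
    else:
        n = int(mask)                             # number of high bits to match
        if not 0 <= n <= 48:
            raise ValueError(f"bad number of high bits: {mask!r}")
        bits = ((1 << n) - 1) << (48 - n)
    return parse_lladdr(addr), bits

def parse_masked_hex(text, width):
    """Hexadecimal VALUE[/MASK] of the given bit width, e.g. tcp_flags (12) or ip_tos (8)."""
    value, _, mask = text.partition("/")
    full = (1 << width) - 1
    v, m = int(value, 16), (int(mask, 16) if mask else full)
    if v > full or m > full:
        raise ValueError(f"{text!r} does not fit in {width} bits")
    return v, m

def matches(field, key):
    """A field matches when it agrees with the key's value on every bit set in the mask."""
    value, mask = key
    return (field & mask) == (value & mask)

# Constructed sample keys.
OUI_KEY = parse_masked_lladdr("52:54:00:00:00:00/24")       # first three octets only
GROUP_KEY = parse_masked_lladdr("01:00:00:00:00:00/01:00:00:00:00:00")  # group bit set
SYN_NO_ACK = parse_masked_hex("0x02/0x12", 12)    # SYN set, ACK clear, other flags ignored
SYN_EXACT = parse_masked_hex("0x02", 12)          # no mask: all 12 bits must equal 0x002
```
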
NOTES
       As stated above where applicable, matches of a certain layer implicitly
       depend on the matches of the next lower layer. Precisely, layer one and
       two matches (indev, dst_mac and src_mac) have no dependency, MPLS and
       layer three matches (mpls, mpls_label, mpls_tc, mpls_bos, mpls_ttl,
       ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op, arp_tha, arp_sha
       and ip_flags) depend on the protocol option of tc filter, layer four
       port matches (dst_port and src_port) depend on ip_proto being set to
       tcp, udp or sctp, and finally ICMP matches (code and type) depend on
       ip_proto being set to icmp or icmpv6.

       Only one mask can be used per prio. If the user needs to specify a
       different mask, a different prio has to be used.

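       The rules in NOTES as an offline check over filter command lines, added
       here as an example (not part of the original page or of iproute2). It
       flags port and ICMP matches that lack a suitable preceding ip_proto,
       and filters at one prio whose keys or masks differ. Assumptions: the
       sample rules, the device name eth0 and all helper names are
       constructed; all rules attach to the same device and hook; every match
       key takes exactly one argument (mpls LSE_LIST is not handled); the set
       of keys plus each key's mask is treated as the filter's mask.

```python
import shlex
FLAGS = {"verbose", "skip_sw", "skip_hw"}    # keywords that take no argument
NOT_MATCH = {"classid", "hw_tc"}             # take an argument, are not match keys
PROTO_HEX = {0x01: "icmp", 0x06: "tcp", 0x11: "udp", 0x3a: "icmpv6", 0x84: "sctp"}

def parse(cmd):
    """Return (prio, [(key, arg), ...]) for one 'tc filter ... flower ...' line."""
    tok = shlex.split(cmd)
    args = tok[tok.index("flower") + 1:]
    if "action" in args:                     # ACTION_SPEC is not part of the match
        args = args[:args.index("action")]
    args = [a for a in args if a not in FLAGS]
    return tok[tok.index("prio") + 1], list(zip(args[0::2], args[1::2]))

def proto_name(arg):          # ip_proto is a name or an 8bit hexadecimal value
    try:
        return PROTO_HEX.get(int(arg, 16), arg)
    except ValueError:
        return arg

def mask_of(key, arg):        # textual: "/32" and an omitted mask compare as different
    if "/" in arg:
        return arg.split("/", 1)[1]
    return "range" if key.endswith("_port") and "-" in arg else "full"

def lint(cmds):
    """Apply the NOTES rules; returns [(rule_number, message), ...]."""
    findings, first = [], {}
    for n, cmd in enumerate(cmds, 1):
        prio, pairs = parse(cmd)
        proto = None
        for key, arg in pairs:
            if key == "ip_proto":
                proto = proto_name(arg)
            elif key in ("dst_port", "src_port") and proto not in ("tcp", "udp", "sctp"):
                findings.append((n, f"{key} needs ip_proto tcp, udp or sctp before it"))
            elif key in ("type", "code") and proto not in ("icmp", "icmpv6"):
                findings.append((n, f"{key} needs ip_proto icmp or icmpv6 before it"))
        sig = sorted((k, mask_of(k, a)) for k, a in pairs if k not in NOT_MATCH)
        seen_n, seen_sig = first.setdefault(prio, (n, sig))
        if seen_sig != sig:
            findings.append((n, f"mask differs from rule {seen_n} at prio {prio}"))
    return findings

PRE = "tc filter add dev eth0 ingress protocol ip prio "   # constructed sample rules
RULES = [PRE + "10 flower ip_proto tcp dst_port 22 action drop",
         PRE + "10 flower ip_proto tcp dst_port 23 action drop",
         PRE + "10 flower src_ip 10.0.0.0/8 action drop",
         PRE + "20 flower dst_port 53 ip_proto udp action drop",
         PRE + "30 flower ip_proto udp type 8 action drop"]
```

       lint(RULES) reports rules 3, 4 and 5; the first two rules share one
       mask at prio 10 and pass.
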
SEE ALSO
       tc(8), tc-flow(8)

iproute2                          22 Oct 2015           Flower filter in tc(8)