1Flow filter in tc(8) Linux Flow filter in tc(8)
2
6 flow - flow based traffic control filter
7
9 Mapping mode:
10 tc filter ... flow map key KEY [ OPS ] [ OPTIONS ]
12 Hashing mode:
14 tc filter ... flow hash keys KEY_LIST [ perturb secs ] [ OPTIONS
16 ]
17 OPS := [ OPS ] OP
19 OPTIONS := [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ] [
21 action ACTION_SPEC ]
22 KEY_LIST := [ KEY_LIST ] KEY
24 OP := { or | and | xor | rshift | addend } NUM
26 ID := X:Y
28 KEY := { src | dst | proto | proto-src | proto-dst | iif | priority |
30 mark | nfct | nfct-src | nfct-dst | nfct-proto-src | nfct-
31 proto-dst | rt-classid | sk-uid | sk-gid | vlan-tag | rxhash }
32
34 The flow classifier is meant to extend the SFQ hashing capabilities
35 without hard-coding new hash functions. It also allows deterministic
36 mappings of keys to classes.
37
39 action ACTION_SPEC
40 Apply an action from the generic actions framework on matching
41 packets.
42 baseclass ID
44 An offset for the resulting class ID. ID may be root, none or a
45 hexadecimal class ID in the form [X:]Y. If X is omitted, it is
46 assumed to be zero.
47 divisor NUM
49 Number of buckets to use for sorting into. Keys are calculated
50 modulo NUM.
51 hash keys KEY-LIST
53 Perform a jhash2 operation over the keys in KEY-LIST, the result
54 (modulo the divisor if given) is taken as class ID, optionally
55 offset by the value of baseclass. It is possible to specify an
56 interval (in seconds) after which jhash2's entropy source is
57 recreated using the perturb parameter.
58 map key KEY
60 Packet data identified by KEY is translated into class IDs to
61 push the packet into. The value may be mangled by OPS before
62 using it for the mapping. They are applied in the order listed
63 here:
64 and NUM
66 Perform bitwise AND operation with numeric value NUM.
67 or NUM
69 Perform bitwise OR operation with numeric value NUM.
70 xor NUM
72 Perform bitwise XOR operation with numeric value NUM.
73 rshift NUM
75 Shift the value of KEY to the right by NUM bits.
76 addend NUM
78 Add NUM to the value of KEY.
79 For the or, and, xor and rshift operations, NUM is assumed to be
81 an unsigned, 32bit integer value. For the addend operation, NUM
82 may be much more complex: It may be prefixed by a minus ('-')
83 sign to cause subtraction instead of addition and for keys of
84 src, dst, nfct-src and nfct-dst it may be given in IP address
85 notation. See below for an illustrating example.
86 match EMATCH_TREE
88 Match packets using the extended match infrastructure. See tc-
89 ematch(8) for a detailed description of the allowed syntax in
90 EMATCH_TREE.
91
93 In mapping mode, a single key is used (after optional permutation) to
94 build a class ID. The resulting ID is deducible in most cases. In hash‐
95 ing more, a number of keys may be specified which are then hashed and
96 the output used as class ID. This ID is not deducible in beforehand,
97 and may even change over time for a given flow if a perturb interval
98 has been given.
99 The range of class IDs can be limited by the divisor option, which is
101 used for a modulus.
102 src, dst
104 Use source or destination address as key. In case of IPv4 and
105 TIPC, this is the actual address value. For IPv6, the 128bit
106 address is folded into a 32bit value by XOR'ing the four 32bit
107 words. In all other cases, the kernel-internal socket address is
108 used (after folding into 32bits on 64bit systems).
109 proto Use the layer four protocol number as key.
111 proto-src
113 Use the layer four source port as key. If not available, the
114 kernel-internal socket address is used instead.
115 proto-dst
117 Use the layer four destination port as key. If not available,
118 the associated kernel-internal dst_entry address is used after
119 XOR'ing with the packet's layer three protocol number.
120 iif Use the incoming interface index as key.
122 priority
124 Use the packet's priority as key. Usually this is the IP
125 header's DSCP/ECN value.
126 mark Use the netfilter fwmark as key.
128 nfct Use the associated conntrack entry address as key.
130 nfct-src, nfct-dst, nfct-proto-src, nfct-proto-dst
132 These are conntrack-aware variants of src, dst, proto-src and
133 proto-dst. In case of NAT, these are basically the packet
134 header's values before NAT was applied.
135 rt-classid
137 Use the packet's destination routing table entry's realm as key.
138 sk-uid
140 sk-gid For locally generated packets, use the user or group ID the
141 originating socket belongs to as key.
142 vlan-tag
144 Use the packet's vlan ID as key.
145 rxhash Use the flow hash as key.
147
150 Classic SFQ hash:
151 tc filter add ... flow hash \
153 keys src,dst,proto,proto-src,proto-dst divisor 1024
154 Classic SFQ hash, but using information from conntrack to work properly
156 in combination with NAT:
157 tc filter add ... flow hash \
159 keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst \
160 divisor 1024
161 Map destination IPs of 192.168.0.0/24 to classids 1-257:
163 tc filter add ... flow map \
165 key dst addend -192.168.0.0 divisor 256
166 Alternative to the above:
168 tc filter add ... flow map \
170 key dst and 0xff
171 The same, but in reverse order:
173 tc filter add ... flow map \
175 key dst and 0xff xor 0xff
176
178 tc(8), tc-ematch(8), tc-sfq(8)
179iproute2 20 Oct 2015 Flow filter in tc(8)