Flower filter in tc(8)               Linux               Flower filter in tc(8)

NAME
       flower - flow based traffic control filter

SYNOPSIS
       tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
               CLASSID ]

       MATCH_LIST := [ MATCH_LIST ] MATCH

       MATCH := { indev ifname | skip_sw | skip_hw | { dst_mac | src_mac }
               MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY | vlan_ethtype
               { ipv4 | ipv6 | ETH_TYPE } | ip_proto { tcp | udp | sctp | icmp
               | icmpv6 | IP_PROTO } | ip_tos MASKED_IP_TOS | ip_ttl
               MASKED_IP_TTL | { dst_ip | src_ip } PREFIX | { dst_port |
               src_port } port_number | tcp_flags MASKED_TCP_FLAGS | type
               MASKED_TYPE | code MASKED_CODE | { arp_tip | arp_sip }
               IPV4_PREFIX | arp_op { request | reply | OP } | { arp_tha |
               arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | { enc_dst_ip |
               enc_src_ip } { ipv4_address | ipv6_address } | enc_dst_port
               port_number | ip_flags IP_FLAGS }

DESCRIPTION
       The flower filter matches flows to the set of keys specified and
       assigns an arbitrarily chosen class ID to packets belonging to them.
       Additionally (or alternatively) an action from the generic action
       framework may be called.

OPTIONS
       action ACTION_SPEC
              Apply an action from the generic actions framework on matching
              packets.

       classid CLASSID
              Specify a class to pass matching packets on to. CLASSID is in
              the form X:Y, where X and Y are interpreted as numbers in
              hexadecimal format.

       indev ifname
              Match on incoming interface name. Obviously this makes sense
              only for forwarded flows. ifname is the name of an interface
              which must exist at the time of tc invocation.

       skip_sw
              Do not process filter by software. If hardware has no offload
              support for this filter, or TC offload is not enabled for the
              interface, operation will fail.

       skip_hw
              Do not process filter by hardware.

       dst_mac MASKED_LLADDR
       src_mac MASKED_LLADDR
              Match on source or destination MAC address. A mask may be
              optionally provided to limit the bits of the address which are
              matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       vlan_id VID
              Match on vlan tag id. VID is an unsigned 12bit value in decimal
              format.

       vlan_prio PRIORITY
              Match on vlan tag priority. PRIORITY is an unsigned 3bit value
              in decimal format.

       vlan_ethtype VLAN_ETH_TYPE
              Match on layer three protocol. VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.

       ip_proto IP_PROTO
              Match on layer four protocol. IP_PROTO may be tcp, udp, sctp,
              icmp, icmpv6 or an unsigned 8bit value in hexadecimal format.

       ip_tos MASKED_IP_TOS
              Match on ipv4 TOS or ipv6 traffic-class - eight bits in
              hexadecimal format. A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       ip_ttl MASKED_IP_TTL
              Match on ipv4 TTL or ipv6 hop-limit - eight bits value in
              decimal or hexadecimal format. A mask may be optionally provided
              to limit the bits which are matched. Same logic is used for the
              mask as with matching on ip_tos.

       dst_ip PREFIX
       src_ip PREFIX
              Match on source or destination IP address. PREFIX must be a
              valid IPv4 or IPv6 address, depending on the protocol option to
              tc filter, optionally followed by a slash and the prefix length.
              If the prefix is missing, tc assumes a full-length host match.

       dst_port NUMBER
       src_port NUMBER
              Match on layer 4 protocol source or destination port number.
              Only available for ip_proto values udp, tcp and sctp, which have
              to be specified beforehand.

       tcp_flags MASKED_TCP_FLAGS
              Match on TCP flags represented as 12bit bitfield in hexadecimal
              format. A mask may be optionally provided to limit the bits
              which are matched. A mask is provided by following the value
              with a slash and then the mask. If the mask is missing then a
              match on all bits is assumed.

       type MASKED_TYPE
       code MASKED_CODE
              Match on ICMP type or code. A mask may be optionally provided to
              limit the bits of the value which are matched. A mask is
              provided by following the value with a slash and then the mask.
              The mask must be given as a number which represents a bitwise
              mask. If the mask is missing then a match on all bits is
              assumed. Only available for ip_proto values icmp and icmpv6,
              which have to be specified beforehand.

       arp_tip IPV4_PREFIX
       arp_sip IPV4_PREFIX
              Match on ARP or RARP sender or target IP address. IPV4_PREFIX
              must be a valid IPv4 address optionally followed by a slash and
              the prefix length. If the prefix is missing, tc assumes a
              full-length host match.

       arp_op ARP_OP
              Match on ARP or RARP operation. ARP_OP may be request, reply or
              an integer value 0, 1 or 2. A mask may be optionally provided
              to limit the bits of the operation which are matched. A mask is
              provided by following the value with a slash and then the
              mask. It may be provided as an unsigned 8 bit value representing
              a bitwise mask. If the mask is missing then a match on all bits
              is assumed.

       arp_sha MASKED_LLADDR
       arp_tha MASKED_LLADDR
              Match on ARP or RARP sender or target MAC address. A mask may
              be optionally provided to limit the bits of the address which
              are matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       enc_key_id NUMBER
       enc_dst_ip PREFIX
       enc_src_ip PREFIX
       enc_dst_port NUMBER
              Match on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel
              key id (e.g. VNI for VXLAN tunnel). PREFIX must be a valid IPv4
              or IPv6 address optionally followed by a slash and the prefix
              length. If the prefix is missing, tc assumes a full-length host
              match. Dst port NUMBER is a 16 bit UDP dst port.

       ip_flags IP_FLAGS
              IP_FLAGS may be either frag or nofrag to match on fragmented
              packets or not respectively.

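The mask rules given for dst_mac and src_mac (and repeated for arp_sha and arp_tha), modelled as an added example that is not part of the man page or of iproute2. The function names are hypothetical, the sample addresses are constructed, and masking the rule address before comparison is an assumption of this model.

```python
# Added example: a model of MASKED_LLADDR matching, not iproute2 code.
FULL_MASK = (1 << 48) - 1


def parse_lladdr(text):
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad LLADDR: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"bad octet in LLADDR: {text!r}")
        value = (value << 8) | octet
    return value


def parse_masked_lladdr(spec):
    """Return (address, mask) for ADDR, ADDR/LLADDR or ADDR/BITS."""
    addr_text, slash, mask_text = spec.partition("/")
    addr = parse_lladdr(addr_text)
    if not slash:
        return addr, FULL_MASK                # no mask: match on all bits
    if ":" in mask_text:
        return addr, parse_lladdr(mask_text)  # LLADDR format: bitwise mask
    bits = int(mask_text)                     # number of high bits to match
    if not 0 <= bits <= 48:
        raise ValueError(f"bad mask length: {mask_text!r}")
    return addr, (FULL_MASK << (48 - bits)) & FULL_MASK


def mac_matches(spec, packet_mac):
    """True if packet_mac agrees with the rule address on every masked bit."""
    addr, mask = parse_masked_lladdr(spec)
    return (parse_lladdr(packet_mac) & mask) == (addr & mask)


if __name__ == "__main__":
    # Constructed sample rules and addresses.
    for spec, mac in [
        ("01:00:5e:00:00:00/24", "01:00:5e:7f:00:01"),
        ("01:00:00:00:00:00/01:00:00:00:00:00", "33:33:00:00:00:01"),
        ("52:54:00:12:34:56", "52:54:00:12:34:57"),
    ]:
        print(f"{spec:40} {mac}  ->  {mac_matches(spec, mac)}")
```
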
NOTES
       As stated above where applicable, matches of a certain layer implicitly
       depend on the matches of the next lower layer. Precisely, layer one and
       two matches (indev, dst_mac and src_mac) have no dependency, layer
       three matches (ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op,
       arp_tha, arp_sha and ip_flags) depend on the protocol option of tc
       filter, layer four port matches (dst_port and src_port) depend on
       ip_proto being set to tcp, udp or sctp, and finally ICMP matches (code
       and type) depend on ip_proto being set to icmp or icmpv6.

       Only one mask can be used per prio. To specify a different mask, a
       different prio has to be used.

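A pre-flight check for the layer dependencies listed in NOTES, as an added example that is not part of the man page or of iproute2. The function names are hypothetical; it assumes untagged rules whose protocol option is ip, ipv6, arp or rarp (vlan_ethtype is not considered), and that a numeric IP_PROTO is hexadecimal as stated under ip_proto.

```python
# Added example: lints a flower MATCH_LIST against the NOTES dependencies.
FLAGS = {"skip_sw", "skip_hw"}                      # keys that take no value
IP_KEYS = {"ip_proto", "dst_ip", "src_ip", "ip_flags"}
ARP_KEYS = {"arp_tip", "arp_sip", "arp_op", "arp_tha", "arp_sha"}
PORT_KEYS = {"dst_port", "src_port"}
ICMP_KEYS = {"type", "code"}
PROTO_NAMES = {0x01: "icmp", 0x06: "tcp", 0x11: "udp", 0x3A: "icmpv6", 0x84: "sctp"}


def parse_matches(match_list):
    """Split 'key value ...' into a dict, stopping at action or classid."""
    tokens, matches, i = match_list.split(), {}, 0
    while i < len(tokens) and tokens[i] not in ("action", "classid"):
        if tokens[i] in FLAGS:
            matches[tokens[i]] = True
            i += 1
        elif i + 1 < len(tokens):
            matches[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"{tokens[i]} needs a value")
    return matches


def ip_proto_name(value):
    """Map a hexadecimal IP_PROTO to its name; names pass through unchanged."""
    try:
        return PROTO_NAMES.get(int(value, 16), value)
    except (TypeError, ValueError):
        return value


def lint(protocol, match_list):
    """Return one message per key whose lower-layer match is missing."""
    matches = parse_matches(match_list)
    proto = ip_proto_name(matches.get("ip_proto"))
    problems = []
    for key in matches:
        if key in IP_KEYS and protocol not in ("ip", "ipv6"):
            problems.append(f"{key} requires protocol ip or ipv6")
        elif key in ARP_KEYS and protocol not in ("arp", "rarp"):
            problems.append(f"{key} requires protocol arp or rarp")
        elif key in PORT_KEYS and proto not in ("tcp", "udp", "sctp"):
            problems.append(f"{key} requires ip_proto tcp, udp or sctp")
        elif key in ICMP_KEYS and proto not in ("icmp", "icmpv6"):
            problems.append(f"{key} requires ip_proto icmp or icmpv6")
    return problems
```

Running the check before a rule set is loaded catches a filter that would be rejected, so a failed load does not leave an expected match absent.
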
SEE ALSO
       tc(8), tc-flow(8)

iproute2                          22 Oct 2015            Flower filter in tc(8)