Flower filter in tc(8)               Linux              Flower filter in tc(8)

NAME

       flower - flow based traffic control filter

SYNOPSIS

       tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
               CLASSID ] [ hw_tc TCID ]

       MATCH_LIST := [ MATCH_LIST ] MATCH

       MATCH := { indev ifname | verbose | skip_sw | skip_hw | { dst_mac |
               src_mac } MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY |
               vlan_ethtype { ipv4 | ipv6 | ETH_TYPE } | cvlan_id VID |
               cvlan_prio PRIORITY | cvlan_ethtype { ipv4 | ipv6 | ETH_TYPE }
               | mpls LSE_LIST | mpls_label LABEL | mpls_tc TC | mpls_bos BOS
               | mpls_ttl TTL | ip_proto { tcp | udp | sctp | icmp | icmpv6 |
               IP_PROTO } | ip_tos MASKED_IP_TOS | ip_ttl MASKED_IP_TTL | {
               dst_ip | src_ip } PREFIX | { dst_port | src_port } {
               MASKED_NUMBER | min_port_number-max_port_number } | tcp_flags
               MASKED_TCP_FLAGS | type MASKED_TYPE | code MASKED_CODE | {
               arp_tip | arp_sip } IPV4_PREFIX | arp_op { request | reply | OP
               } | { arp_tha | arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | {
               enc_dst_ip | enc_src_ip } { ipv4_address | ipv6_address } |
               enc_dst_port port_number | enc_tos TOS | enc_ttl TTL | {
               geneve_opts | vxlan_opts | erspan_opts } OPTIONS | ip_flags
               IP_FLAGS }

       LSE_LIST := [ LSE_LIST ] LSE

       LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }

DESCRIPTION

       The flower filter matches flows to the set of keys specified and assigns
       an arbitrarily chosen class ID to packets belonging to them.
       Additionally (or alternatively) an action from the generic action
       framework may be called.

OPTIONS

       action ACTION_SPEC
              Apply an action from the generic actions framework on matching
              packets.

       classid CLASSID
              Specify a class to pass matching packets on to. CLASSID is in
              the form X:Y, where X and Y are interpreted as numbers in
              hexadecimal format.

       hw_tc TCID
              Specify a hardware traffic class to pass matching packets on to.
              TCID is in the range 0 through 15.

       indev ifname
              Match on incoming interface name. Obviously this makes sense
              only for forwarded flows. ifname is the name of an interface
              which must exist at the time of tc invocation.

       verbose
              Enable verbose logging, including offloading errors when not
              using the skip_sw flag.

       skip_sw
              Do not process filter by software. If hardware has no offload
              support for this filter, or TC offload is not enabled for the
              interface, operation will fail.

       skip_hw
              Do not process filter by hardware.

       dst_mac MASKED_LLADDR
       src_mac MASKED_LLADDR
              Match on source or destination MAC address. A mask may be
              optionally provided to limit the bits of the address which are
              matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       vlan_id VID
              Match on vlan tag id. VID is an unsigned 12bit value in decimal
              format.

       vlan_prio PRIORITY
              Match on vlan tag priority. PRIORITY is an unsigned 3bit value
              in decimal format.

       vlan_ethtype VLAN_ETH_TYPE
              Match on layer three protocol. VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format. To
              match on QinQ packet, it must be 802.1Q or 802.1AD.

       cvlan_id VID
              Match on QinQ inner vlan tag id. VID is an unsigned 12bit value
              in decimal format.

       cvlan_prio PRIORITY
              Match on QinQ inner vlan tag priority. PRIORITY is an unsigned
              3bit value in decimal format.

       cvlan_ethtype VLAN_ETH_TYPE
              Match on QinQ layer three protocol. VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.

       mpls LSE_LIST
              Match on the MPLS label stack. LSE_LIST is a list of Label
              Stack Entries, each introduced by the lse keyword. This option
              can't be used together with the standalone mpls_label, mpls_tc,
              mpls_bos and mpls_ttl options.

              lse LSE_OPTIONS
                     Match on an MPLS Label Stack Entry. LSE_OPTIONS is a
                     list of options that describe the properties of the LSE
                     to match.

                     depth DEPTH
                            The depth of the Label Stack Entry to consider.
                            Depth starts at 1 (the outermost Label Stack
                            Entry). The maximum usable depth may be limited by
                            the kernel. This option is mandatory. DEPTH is an
                            unsigned 8 bit value in decimal format.

                     label LABEL
                            Match on the MPLS Label field at the specified
                            depth. LABEL is an unsigned 20 bit value in
                            decimal format.

                     tc TC  Match on the MPLS Traffic Class field at the
                            specified depth. TC is an unsigned 3 bit value in
                            decimal format.

                     bos BOS
                            Match on the MPLS Bottom Of Stack field at the
                            specified depth. BOS is a 1 bit value in decimal
                            format.

                     ttl TTL
                            Match on the MPLS Time To Live field at the
                            specified depth. TTL is an unsigned 8 bit value in
                            decimal format.

       mpls_label LABEL
              Match the label id in the outermost MPLS label stack entry.
              LABEL is an unsigned 20 bit value in decimal format.

       mpls_tc TC
              Match on the MPLS TC field, which is typically used for packet
              priority, in the outermost MPLS label stack entry. TC is an
              unsigned 3 bit value in decimal format.

       mpls_bos BOS
              Match on the MPLS Bottom Of Stack field in the outermost MPLS
              label stack entry. BOS is a 1 bit value in decimal format.

       mpls_ttl TTL
              Match on the MPLS Time To Live field in the outermost MPLS label
              stack entry. TTL is an unsigned 8 bit value in decimal format.

       ip_proto IP_PROTO
              Match on layer four protocol. IP_PROTO may be tcp, udp, sctp,
              icmp, icmpv6 or an unsigned 8bit value in hexadecimal format.

       ip_tos MASKED_IP_TOS
              Match on ipv4 TOS or ipv6 traffic-class - eight bits in
              hexadecimal format. A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       ip_ttl MASKED_IP_TTL
              Match on ipv4 TTL or ipv6 hop-limit - eight bits value in
              decimal or hexadecimal format. A mask may be optionally provided
              to limit the bits which are matched. Same logic is used for the
              mask as with matching on ip_tos.

       dst_ip PREFIX
       src_ip PREFIX
              Match on source or destination IP address. PREFIX must be a
              valid IPv4 or IPv6 address, depending on the protocol option to
              tc filter, optionally followed by a slash and the prefix length.
              If the prefix is missing, tc assumes a full-length host match.

       dst_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
       src_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
              Match on layer 4 protocol source or destination port number,
              with an optional mask. Alternatively, the minimum and maximum
              values can be specified to match on a range of layer 4 protocol
              source or destination port numbers. Only available for ip_proto
              values udp, tcp and sctp which have to be specified beforehand.

       tcp_flags MASKED_TCP_FLAGS
              Match on TCP flags represented as 12bit bitfield in hexadecimal
              format. A mask may be optionally provided to limit the bits
              which are matched. A mask is provided by following the value
              with a slash and then the mask. If the mask is missing then a
              match on all bits is assumed.

       type MASKED_TYPE
       code MASKED_CODE
              Match on ICMP type or code. A mask may be optionally provided to
              limit the bits of the value which are matched. A mask is
              provided by following the value with a slash and then the mask.
              The mask must be a number which represents a bitwise mask. If
              the mask is missing then a match on all bits is assumed. Only
              available for ip_proto values icmp and icmpv6 which have to be
              specified beforehand.

       arp_tip IPV4_PREFIX
       arp_sip IPV4_PREFIX
              Match on ARP or RARP sender or target IP address. IPV4_PREFIX
              must be a valid IPv4 address optionally followed by a slash and
              the prefix length. If the prefix is missing, tc assumes a
              full-length host match.

       arp_op ARP_OP
              Match on ARP or RARP operation. ARP_OP may be request, reply or
              an integer value 0, 1 or 2. A mask may be optionally provided
              to limit the bits of the operation which are matched. A mask is
              provided by following the value with a slash and then the
              mask. It may be provided as an unsigned 8 bit value representing
              a bitwise mask. If the mask is missing then a match on all bits
              is assumed.

       arp_sha MASKED_LLADDR
       arp_tha MASKED_LLADDR
              Match on ARP or RARP sender or target MAC address. A mask may
              be optionally provided to limit the bits of the address which
              are matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       enc_key_id NUMBER
       enc_dst_ip PREFIX
       enc_src_ip PREFIX
       enc_dst_port NUMBER
       enc_tos NUMBER
       enc_ttl NUMBER

       ct_state CT_STATE
       ct_zone CT_MASKED_ZONE
       ct_mark CT_MASKED_MARK
       ct_label CT_MASKED_LABEL
              Matches on connection tracking info

              CT_STATE
                     Match the connection state, and can be combination of
                     [{+|-}flag] flags, where flag can be one of

                     trk - Tracked connection.

                     new - New connection.

                     est - Established connection.

                     Example: +trk+est

              CT_MASKED_ZONE
                     Match the connection zone, and can be masked.

              CT_MASKED_MARK
                     32bit match on the connection mark, and can be masked.

              CT_MASKED_LABEL
                     128bit match on the connection label, and can be masked.

       geneve_opts OPTIONS
       vxlan_opts OPTIONS
       erspan_opts OPTIONS
              Match on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel
              key id (e.g. VNI for VXLAN tunnel). PREFIX must be a valid IPv4
              or IPv6 address optionally followed by a slash and the prefix
              length. If the prefix is missing, tc assumes a full-length host
              match. Dst port NUMBER is a 16 bit UDP dst port. Tos NUMBER is
              an 8 bit tos (dscp+ecn) value, ttl NUMBER is an 8 bit
              time-to-live value.

              geneve_opts OPTIONS must be a valid list of comma-separated
              geneve options where each option consists of a key optionally
              followed by a slash and corresponding mask. If the mask is
              missing, tc assumes a full-length match. The options can be
              described in the form
              CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is
              represented as a 16bit hexadecimal value, TYPE as an 8bit
              hexadecimal value and DATA as a variable length hexadecimal
              value.

              vxlan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The option
              can be described in the form GBP/GBP_MASK, where GBP is
              represented as a 32bit number.

              erspan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The option
              can be described in the form
              VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK,
              where VERSION is represented as an 8bit number, INDEX as a
              32bit number, DIR and HWID as an 8bit number. Multiple options
              are not supported. Note INDEX/INDEX_MASK is used when VERSION
              is 1, and DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION
              is 2.

       ip_flags IP_FLAGS
              IP_FLAGS may be either frag, nofrag, firstfrag or nofirstfrag
              where frag and nofrag could be used to match on fragmented
              packets or not, respectively. firstfrag and nofirstfrag can be
              used to further distinguish fragmented packets. firstfrag can be
              used to indicate the first fragmented packet. nofirstfrag can be
              used to indicate subsequent fragmented packets or non-fragmented
              packets.
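       The VALUE/MASK forms described for dst_mac, src_mac and tcp_flags,
       modelled as an added example that is not part of the original manual
       or of iproute2. The function names are hypothetical and the addresses
       and flag words are constructed; the bitwise comparison shown is the
       usual masked-key match.

```python
# Added example (not from iproute2): how flower's VALUE/MASK arguments select bits.
FULL_MAC = (1 << 48) - 1

def lladdr_to_int(text):
    """Parse aa:bb:cc:dd:ee:ff into a 48 bit integer."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad LLADDR: {text!r}")
    return int.from_bytes(bytes(int(p, 16) for p in parts), "big")

def parse_masked_lladdr(arg):
    """MASKED_LLADDR: ADDR, ADDR/LLADDR (bitwise mask) or ADDR/N (N high bits)."""
    addr, _, mask = arg.partition("/")
    if not mask:
        bits = FULL_MAC                      # missing mask: match on all bits
    elif ":" in mask:
        bits = lladdr_to_int(mask)           # LLADDR format: bitwise mask
    else:
        n = int(mask)                        # number of high bits to match
        if not 0 <= n <= 48:
            raise ValueError(f"bad prefix length: {mask!r}")
        bits = FULL_MAC ^ ((1 << (48 - n)) - 1)
    return lladdr_to_int(addr), bits

def parse_masked_tcp_flags(arg):
    """MASKED_TCP_FLAGS: 12 bit hexadecimal VALUE, optionally followed by /MASK."""
    value_s, _, mask_s = arg.partition("/")
    value = int(value_s, 16)
    mask = int(mask_s, 16) if mask_s else 0xFFF
    if value > 0xFFF or mask > 0xFFF:
        raise ValueError(f"tcp_flags is a 12 bit field: {arg!r}")
    return value, mask

def key_matches(field, value, mask):
    """A packet field matches when it equals VALUE on every bit set in MASK."""
    return (field & mask) == (value & mask)

if __name__ == "__main__":
    # Constructed TCP flag words: SYN=0x02, ACK=0x10, ECE=0x40, CWR=0x80.
    for rule in ("0x02", "0x02/0x12"):
        value, mask = parse_masked_tcp_flags(rule)
        for flags in (0x002, 0x012, 0x0C2):
            hit = key_matches(flags, value, mask)
            print(f"tcp_flags {rule:9} vs {flags:#05x}: {hit}")
```

       Without a mask, tcp_flags 0x02 compares all 12 bits, so a SYN that
       also carries ECE and CWR (0x0c2) does not match; 0x02/0x12 tests only
       SYN and ACK and matches it.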

NOTES

       As stated above where applicable, matches of a certain layer implicitly
       depend on the matches of the next lower layer. Precisely, layer one and
       two matches (indev, dst_mac and src_mac) have no dependency, MPLS and
       layer three matches (mpls, mpls_label, mpls_tc, mpls_bos, mpls_ttl,
       ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op, arp_tha, arp_sha
       and ip_flags) depend on the protocol option of tc filter, layer four
       port matches (dst_port and src_port) depend on ip_proto being set to
       tcp, udp or sctp, and finally ICMP matches (code and type) depend on
       ip_proto being set to icmp or icmpv6.

       Only one mask can be used per prio. If the user needs to specify a
       different mask, a different prio has to be used.
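       A pre-flight check for the layer dependencies listed above, as an
       added example that is not part of the original manual or of iproute2.
       lint_flower and its (key, value) pair input are hypothetical, and the
       protocol names accepted for each layer three key are an assumption;
       numeric ip_proto values are not resolved.

```python
# Added example (not from iproute2): lint a flower MATCH_LIST against NOTES.
IP, ARP, MPLS = {"ip", "ipv6"}, {"arp", "rarp"}, {"mpls_uc", "mpls_mc"}

# Assumption: which tc filter 'protocol' values satisfy each layer three key.
L3_KEYS = {
    **dict.fromkeys(["ip_proto", "dst_ip", "src_ip", "ip_flags"], IP),
    **dict.fromkeys(["arp_tip", "arp_sip", "arp_op", "arp_tha", "arp_sha"], ARP),
    **dict.fromkeys(["mpls", "mpls_label", "mpls_tc", "mpls_bos", "mpls_ttl"], MPLS),
}
# Layer four keys and the ip_proto values that must precede them.
L4_KEYS = {
    **dict.fromkeys(["dst_port", "src_port"], {"tcp", "udp", "sctp"}),
    **dict.fromkeys(["type", "code"], {"icmp", "icmpv6"}),
}
STANDALONE_MPLS = {"mpls_label", "mpls_tc", "mpls_bos", "mpls_ttl"}

def lint_flower(protocol, matches):
    """Return problems for (key, value) pairs given in command-line order."""
    problems, seen, ip_proto = [], set(), None
    for key, value in matches:
        allowed = L3_KEYS.get(key)
        if allowed and protocol not in allowed:
            problems.append(
                f"{key}: needs protocol {'/'.join(sorted(allowed))}, got {protocol}")
        if key == "ip_proto":
            ip_proto = value
        needed = L4_KEYS.get(key)
        if needed and ip_proto not in needed:
            problems.append(
                f"{key}: ip_proto {'/'.join(sorted(needed))} must be given first "
                f"(have {ip_proto})")
        seen.add(key)
    if "mpls" in seen and seen & STANDALONE_MPLS:
        problems.append("mpls LSE_LIST cannot be combined with standalone mpls_* keys")
    return problems

if __name__ == "__main__":
    # Constructed rule: dst_port appears before ip_proto, so it is flagged.
    for line in lint_flower("ip", [("dst_port", "22"), ("ip_proto", "tcp")]):
        print(line)
```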

SEE ALSO

       tc(8), tc-flow(8)

iproute2                          22 Oct 2015           Flower filter in tc(8)