1Flower filter in tc(8) Linux Flower filter in tc(8)
2
3
4
6 flower - flow based traffic control filter
7
9 tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
10 CLASSID ] [ hw_tc TCID ]
11
12
13 MATCH_LIST := [ MATCH_LIST ] MATCH
14
15 MATCH := { indev ifname | verbose | skip_sw | skip_hw | { dst_mac |
16 src_mac } MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY |
17 vlan_ethtype { ipv4 | ipv6 | ETH_TYPE } | cvlan_id VID |
18 cvlan_prio PRIORITY | cvlan_ethtype { ipv4 | ipv6 | ETH_TYPE }
19 | mpls LSE_LIST | mpls_label LABEL | mpls_tc TC | mpls_bos BOS
20 | mpls_ttl TTL | ip_proto { tcp | udp | sctp | icmp | icmpv6 |
21 IP_PROTO } | ip_tos MASKED_IP_TOS | ip_ttl MASKED_IP_TTL | {
22 dst_ip | src_ip } PREFIX | { dst_port | src_port } {
23 MASKED_NUMBER | min_port_number-max_port_number } | tcp_flags
24 MASKED_TCP_FLAGS | type MASKED_TYPE | code MASKED_CODE | {
25 arp_tip | arp_sip } IPV4_PREFIX | arp_op { request | reply | OP
26 } | { arp_tha | arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | {
27 enc_dst_ip | enc_src_ip } { ipv4_address | ipv6_address } |
28 enc_dst_port port_number | enc_tos TOS | enc_ttl TTL | { gen‐
29 eve_opts | vxlan_opts | erspan_opts } OPTIONS | ip_flags
30 IP_FLAGS }
31
32 LSE_LIST := [ LSE_LIST ] LSE
33
34 LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }
35
36
38 The flower filter matches flows to the set of keys specified and as‐
39 signs an arbitrarily chosen class ID to packets belonging to them. Ad‐
40 ditionally (or alternatively) an action from the generic action frame‐
41 work may be called.
42
44 action ACTION_SPEC
45 Apply an action from the generic actions framework on matching
46 packets.
47
48 classid CLASSID
49 Specify a class to pass matching packets on to. CLASSID is in
50 the form X:Y, while X and Y are interpreted as numbers in hexa‐
51 decimal format.
52
53 hw_tc TCID
54 Specify a hardware traffic class to pass matching packets on to.
55 TCID is in the range 0 through 15.
56
57 indev ifname
58 Match on incoming interface name. Obviously this makes sense
59 only for forwarded flows. ifname is the name of an interface
60 which must exist at the time of tc invocation.
61
62 verbose
63 Enable verbose logging, including offloading errors when not us‐
64 ing skip_sw flag.
65
66 skip_sw
67 Do not process filter by software. If hardware has no offload
68 support for this filter, or TC offload is not enabled for the
69 interface, operation will fail.
70
71 skip_hw
72 Do not process filter by hardware.
73
74 dst_mac MASKED_LLADDR
75 src_mac MASKED_LLADDR
76 Match on source or destination MAC address. A mask may be op‐
77 tionally provided to limit the bits of the address which are
78 matched. A mask is provided by following the address with a
79 slash and then the mask. It may be provided in LLADDR format, in
80 which case it is a bitwise mask, or as a number of high bits to
81 match. If the mask is missing then a match on all bits is as‐
82 sumed.
83
84 vlan_id VID
85 Match on vlan tag id. VID is an unsigned 12bit value in decimal
86 format.
87
88 vlan_prio PRIORITY
89 Match on vlan tag priority. PRIORITY is an unsigned 3bit value
90 in decimal format.
91
92 vlan_ethtype VLAN_ETH_TYPE
93 Match on layer three protocol. VLAN_ETH_TYPE may be either
94 ipv4, ipv6 or an unsigned 16bit value in hexadecimal format. To
95 match on QinQ packet, it must be 802.1Q or 802.1AD.
96
97 cvlan_id VID
98 Match on QinQ inner vlan tag id. VID is an unsigned 12bit value
99 in decimal format.
100
101 cvlan_prio PRIORITY
102 Match on QinQ inner vlan tag priority. PRIORITY is an unsigned
103 3bit value in decimal format.
104
105 cvlan_ethtype VLAN_ETH_TYPE
106 Match on QinQ layer three protocol. VLAN_ETH_TYPE may be either
107 ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.
108
109
110 mpls LSE_LIST
111 Match on the MPLS label stack. LSE_LIST is a list of Label
112 Stack Entries, each introduced by the lse keyword. This option
113 can't be used together with the standalone mpls_label, mpls_tc,
114 mpls_bos and mpls_ttl options.
115
116 lse LSE_OPTIONS
117 Match on an MPLS Label Stack Entry. LSE_OPTIONS is a
118 list of options that describe the properties of the LSE
119 to match.
120
121 depth DEPTH
122 The depth of the Label Stack Entry to consider.
123 Depth starts at 1 (the outermost Label Stack En‐
124 try). The maximum usable depth may be limited by
125 the kernel. This option is mandatory. DEPTH is an
126 unsigned 8 bit value in decimal format.
127
128 label LABEL
129 Match on the MPLS Label field at the specified
130 depth. LABEL is an unsigned 20 bit value in deci‐
131 mal format.
132
133 tc TC Match on the MPLS Traffic Class field at the spec‐
134 ified depth. TC is an unsigned 3 bit value in
135 decimal format.
136
137 bos BOS
138 Match on the MPLS Bottom Of Stack field at the
139 specified depth. BOS is a 1 bit value in decimal
140 format.
141
142 ttl TTL
143 Match on the MPLS Time To Live field at the speci‐
144 fied depth. TTL is an unsigned 8 bit value in
145 decimal format.
146
147
148 mpls_label LABEL
149 Match the label id in the outermost MPLS label stack entry. LA‐
150 BEL is an unsigned 20 bit value in decimal format.
151
152 mpls_tc TC
153 Match on the MPLS TC field, which is typically used for packet
154 priority, in the outermost MPLS label stack entry. TC is an un‐
155 signed 3 bit value in decimal format.
156
157 mpls_bos BOS
158 Match on the MPLS Bottom Of Stack field in the outermost MPLS
159 label stack entry. BOS is a 1 bit value in decimal format.
160
161 mpls_ttl TTL
162 Match on the MPLS Time To Live field in the outermost MPLS label
163 stack entry. TTL is an unsigned 8 bit value in decimal format.
164
165 ip_proto IP_PROTO
166 Match on layer four protocol. IP_PROTO may be tcp, udp, sctp,
167 icmp, icmpv6 or an unsigned 8bit value in hexadecimal format.
168
169 ip_tos MASKED_IP_TOS
170 Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadec‐
171 imal format. A mask may be optionally provided to limit the
172 bits which are matched. A mask is provided by following the
173 value with a slash and then the mask. If the mask is missing
174 then a match on all bits is assumed.
175
176 ip_ttl MASKED_IP_TTL
177 Match on ipv4 TTL or ipv6 hop-limit - eight bits value in deci‐
178 mal or hexadecimal format. A mask may be optionally provided to
179 limit the bits which are matched. Same logic is used for the
180 mask as with matching on ip_tos.
181
182 dst_ip PREFIX
183 src_ip PREFIX
184 Match on source or destination IP address. PREFIX must be a
185 valid IPv4 or IPv6 address, depending on the protocol option to
186 tc filter, optionally followed by a slash and the prefix length.
187 If the prefix is missing, tc assumes a full-length host match.
188
189 dst_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
190 src_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
191 Match on layer 4 protocol source or destination port number,
192 with an optional mask. Alternatively, the minimum and maximum
193 values can be specified to match on a range of layer 4 protocol
194 source or destination port numbers. Only available for ip_proto
195 values udp, tcp and sctp which have to be specified in before‐
196 hand.
197
198 tcp_flags MASKED_TCP_FLAGS
199 Match on TCP flags represented as 12bit bitfield in in hexadeci‐
200 mal format. A mask may be optionally provided to limit the bits
201 which are matched. A mask is provided by following the value
202 with a slash and then the mask. If the mask is missing then a
203 match on all bits is assumed.
204
205 type MASKED_TYPE
206 code MASKED_CODE
207 Match on ICMP type or code. A mask may be optionally provided to
208 limit the bits of the address which are matched. A mask is pro‐
209 vided by following the address with a slash and then the mask.
210 The mask must be as a number which represents a bitwise mask If
211 the mask is missing then a match on all bits is assumed. Only
212 available for ip_proto values icmp and icmpv6 which have to be
213 specified in beforehand.
214
215 arp_tip IPV4_PREFIX
216 arp_sip IPV4_PREFIX
217 Match on ARP or RARP sender or target IP address. IPV4_PREFIX
218 must be a valid IPv4 address optionally followed by a slash and
219 the prefix length. If the prefix is missing, tc assumes a full-
220 length host match.
221
222 arp_op ARP_OP
223 Match on ARP or RARP operation. ARP_OP may be request, reply or
224 an integer value 0, 1 or 2. A mask may be optionally provided
225 to limit the bits of the operation which are matched. A mask is
226 provided by following the address with a slash and then the
227 mask. It may be provided as an unsigned 8 bit value representing
228 a bitwise mask. If the mask is missing then a match on all bits
229 is assumed.
230
231 arp_sha MASKED_LLADDR
232 arp_tha MASKED_LLADDR
233 Match on ARP or RARP sender or target MAC address. A mask may
234 be optionally provided to limit the bits of the address which
235 are matched. A mask is provided by following the address with a
236 slash and then the mask. It may be provided in LLADDR format, in
237 which case it is a bitwise mask, or as a number of high bits to
238 match. If the mask is missing then a match on all bits is as‐
239 sumed.
240
241 enc_key_id NUMBER
242 enc_dst_ip PREFIX
243 enc_src_ip PREFIX
244 enc_dst_port NUMBER
245 enc_tos NUMBER
246 enc_ttl NUMBER
247
248
249 ct_state CT_STATE
250 ct_zone CT_MASKED_ZONE
251 ct_mark CT_MASKED_MARK
252 ct_label CT_MASKED_LABEL
253 Matches on connection tracking info
254
255 CT_STATE
256 Match the connection state, and can be combination of
257 [{+|-}flag] flags, where flag can be one of
258
259 trk - Tracked connection.
260
261 new - New connection.
262
263 est - Established connection.
264
265 Example: +trk+est
266
267 CT_MASKED_ZONE
268 Match the connection zone, and can be masked.
269
270 CT_MASKED_MARK
271 32bit match on the connection mark, and can be masked.
272
273 CT_MASKED_LABEL
274 128bit match on the connection label, and can be masked.
275
276 geneve_opts OPTIONS
277 vxlan_opts OPTIONS
278 erspan_opts OPTIONS
279 Match on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel
280 key id (e.g. VNI for VXLAN tunnel). PREFIX must be a valid IPv4
281 or IPv6 address optionally followed by a slash and the prefix
282 length. If the prefix is missing, tc assumes a full-length host
283 match. Dst port NUMBER is a 16 bit UDP dst port. Tos NUMBER is
284 an 8 bit tos (dscp+ecn) value, ttl NUMBER is an 8 bit time-to-
285 live value. geneve_opts OPTIONS must be a valid list of comma-
286 separated geneve options where each option consists of a key op‐
287 tionally followed by a slash and corresponding mask. If the
288 masks is missing, tc assumes a full-length match. The options
289 can be described in the form
290 CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is
291 represented as a 16bit hexadecimal value, TYPE as an 8bit hexa‐
292 decimal value and DATA as a variable length hexadecimal value.
293 vxlan_opts OPTIONS doesn't support multiple options, and it con‐
294 sists of a key followed by a slash and corresponding mask. If
295 the mask is missing, tc assumes a full-length match. The option
296 can be described in the form GBP/GBP_MASK, where GBP is repre‐
297 sented as a 32bit number. erspan_opts OPTIONS doesn't support
298 multiple options, and it consists of a key followed by a slash
299 and corresponding mask. If the mask is missing, tc assumes a
300 full-length match. The option can be described in the form VER‐
301 SION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK, where
302 VERSION is represented as a 8bit number, INDEX as an 32bit num‐
303 ber, DIR and HWID as a 8bit number. Multiple options is not sup‐
304 ported. Note INDEX/INDEX_MASK is used when VERSION is 1, and
305 DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION is 2.
306
307 ip_flags IP_FLAGS
308 IP_FLAGS may be either frag, nofrag, firstfrag or nofirstfrag
309 where frag and nofrag could be used to match on fragmented pack‐
310 ets or not, respectively. firstfrag and nofirstfrag can be used
311 to further distinguish fragmented packet. firstfrag can be used
312 to indicate the first fragmented packet. nofirstfrag can be used
313 to indicates subsequent fragmented packets or non-fragmented
314 packets.
315
317 As stated above where applicable, matches of a certain layer implicitly
318 depend on the matches of the next lower layer. Precisely, layer one and
319 two matches (indev, dst_mac and src_mac) have no dependency, MPLS and
320 layer three matches (mpls, mpls_label, mpls_tc, mpls_bos, mpls_ttl,
321 ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op, arp_tha, arp_sha
322 and ip_flags) depend on the protocol option of tc filter, layer four
323 port matches (dst_port and src_port) depend on ip_proto being set to
324 tcp, udp or sctp, and finally ICMP matches (code and type) depend on
325 ip_proto being set to icmp or icmpv6.
326
327 There can be only used one mask per one prio. If user needs to specify
328 different mask, he has to use different prio.
329
331 tc(8), tc-flow(8)
332
333
334
335iproute2 22 Oct 2015 Flower filter in tc(8)