Flower filter in tc(8)               Linux              Flower filter in tc(8)

NAME

       flower - flow based traffic control filter

SYNOPSIS

       tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
               CLASSID ] [ hw_tc TCID ]

       MATCH_LIST := [ MATCH_LIST ] MATCH

       MATCH := { indev ifname | verbose | skip_sw | skip_hw | { dst_mac |
               src_mac } MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY |
               vlan_ethtype { ipv4 | ipv6 | ETH_TYPE } | cvlan_id VID |
               cvlan_prio PRIORITY | cvlan_ethtype { ipv4 | ipv6 | ETH_TYPE }
               | mpls LSE_LIST | mpls_label LABEL | mpls_tc TC | mpls_bos BOS
               | mpls_ttl TTL | ip_proto { tcp | udp | sctp | icmp | icmpv6 |
               IP_PROTO } | ip_tos MASKED_IP_TOS | ip_ttl MASKED_IP_TTL | {
               dst_ip | src_ip } PREFIX | { dst_port | src_port } {
               MASKED_NUMBER | min_port_number-max_port_number } | tcp_flags
               MASKED_TCP_FLAGS | type MASKED_TYPE | code MASKED_CODE | {
               arp_tip | arp_sip } IPV4_PREFIX | arp_op { request | reply | OP
               } | { arp_tha | arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | {
               enc_dst_ip | enc_src_ip } { ipv4_address | ipv6_address } |
               enc_dst_port port_number | enc_tos TOS | enc_ttl TTL | {
               geneve_opts | vxlan_opts | erspan_opts | gtp_opts } OPTIONS |
               ip_flags IP_FLAGS }

       LSE_LIST := [ LSE_LIST ] LSE

       LSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }

DESCRIPTION

       The flower filter matches flows to the set of keys specified and
       assigns an arbitrarily chosen class ID to packets belonging to them.
       Additionally (or alternatively) an action from the generic action
       framework may be called.

OPTIONS

       action ACTION_SPEC
              Apply an action from the generic actions framework on matching
              packets.

       classid CLASSID
              Specify a class to pass matching packets on to.  CLASSID is in
              the form X:Y, where X and Y are interpreted as numbers in
              hexadecimal format.

       hw_tc TCID
              Specify a hardware traffic class to pass matching packets on to.
              TCID is in the range 0 through 15.

       indev ifname
              Match on incoming interface name.  Obviously this makes sense
              only for forwarded flows.  ifname is the name of an interface
              which must exist at the time of tc invocation.

       verbose
              Enable verbose logging, including offloading errors when not
              using the skip_sw flag.

       skip_sw
              Do not process the filter in software. If the hardware has no
              offload support for this filter, or TC offload is not enabled
              for the interface, the operation will fail.

       skip_hw
              Do not process the filter in hardware.

       dst_mac MASKED_LLADDR
       src_mac MASKED_LLADDR
              Match on source or destination MAC address.  A mask may be
              optionally provided to limit the bits of the address which are
              matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       vlan_id VID
              Match on vlan tag id.  VID is an unsigned 12-bit value in
              decimal format.

       vlan_prio PRIORITY
              Match on vlan tag priority.  PRIORITY is an unsigned 3-bit value
              in decimal format.

       vlan_ethtype VLAN_ETH_TYPE
              Match on layer three protocol.  VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16-bit value in hexadecimal format.
              To match on a QinQ packet, it must be 802.1Q or 802.1AD.

       cvlan_id VID
              Match on QinQ inner vlan tag id.  VID is an unsigned 12-bit
              value in decimal format.

       cvlan_prio PRIORITY
              Match on QinQ inner vlan tag priority.  PRIORITY is an unsigned
              3-bit value in decimal format.

       cvlan_ethtype VLAN_ETH_TYPE
              Match on QinQ layer three protocol.  VLAN_ETH_TYPE may be either
              ipv4, ipv6 or an unsigned 16-bit value in hexadecimal format.

       mpls LSE_LIST
              Match on the MPLS label stack.  LSE_LIST is a list of Label
              Stack Entries, each introduced by the lse keyword.  This option
              can't be used together with the standalone mpls_label, mpls_tc,
              mpls_bos and mpls_ttl options.

              lse LSE_OPTIONS
                     Match on an MPLS Label Stack Entry.  LSE_OPTIONS is a
                     list of options that describe the properties of the LSE
                     to match.

                     depth DEPTH
                            The depth of the Label Stack Entry to consider.
                            Depth starts at 1 (the outermost Label Stack
                            Entry). The maximum usable depth may be limited by
                            the kernel. This option is mandatory.  DEPTH is an
                            unsigned 8-bit value in decimal format.

                     label LABEL
                            Match on the MPLS Label field at the specified
                            depth.  LABEL is an unsigned 20-bit value in
                            decimal format.

                     tc TC  Match on the MPLS Traffic Class field at the
                            specified depth.  TC is an unsigned 3-bit value in
                            decimal format.

                     bos BOS
                            Match on the MPLS Bottom Of Stack field at the
                            specified depth.  BOS is a 1-bit value in decimal
                            format.

                     ttl TTL
                            Match on the MPLS Time To Live field at the
                            specified depth.  TTL is an unsigned 8-bit value
                            in decimal format.

       mpls_label LABEL
              Match the label id in the outermost MPLS label stack entry.
              LABEL is an unsigned 20-bit value in decimal format.

       mpls_tc TC
              Match on the MPLS TC field, which is typically used for packet
              priority, in the outermost MPLS label stack entry.  TC is an
              unsigned 3-bit value in decimal format.

       mpls_bos BOS
              Match on the MPLS Bottom Of Stack field in the outermost MPLS
              label stack entry.  BOS is a 1-bit value in decimal format.

       mpls_ttl TTL
              Match on the MPLS Time To Live field in the outermost MPLS label
              stack entry.  TTL is an unsigned 8-bit value in decimal format.

       ip_proto IP_PROTO
              Match on layer four protocol.  IP_PROTO may be tcp, udp, sctp,
              icmp, icmpv6 or an unsigned 8-bit value in hexadecimal format.

       ip_tos MASKED_IP_TOS
              Match on ipv4 TOS or ipv6 traffic-class: eight bits in
              hexadecimal format.  A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       ip_ttl MASKED_IP_TTL
              Match on ipv4 TTL or ipv6 hop-limit: an eight-bit value in
              decimal or hexadecimal format.  A mask may be optionally
              provided to limit the bits which are matched. The same logic is
              used for the mask as with matching on ip_tos.

       dst_ip PREFIX
       src_ip PREFIX
              Match on source or destination IP address.  PREFIX must be a
              valid IPv4 or IPv6 address, depending on the protocol option to
              tc filter, optionally followed by a slash and the prefix length.
              If the prefix is missing, tc assumes a full-length host match.

       dst_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
       src_port { MASKED_NUMBER | MIN_VALUE-MAX_VALUE }
              Match on layer 4 protocol source or destination port number,
              with an optional mask. Alternatively, the minimum and maximum
              values can be specified to match on a range of layer 4 protocol
              source or destination port numbers. Only available for ip_proto
              values udp, tcp and sctp which have to be specified beforehand.

       tcp_flags MASKED_TCP_FLAGS
              Match on TCP flags represented as a 12-bit bitfield in
              hexadecimal format.  A mask may be optionally provided to limit
              the bits which are matched. A mask is provided by following the
              value with a slash and then the mask. If the mask is missing
              then a match on all bits is assumed.

       type MASKED_TYPE
       code MASKED_CODE
              Match on ICMP type or code. A mask may be optionally provided to
              limit the bits which are matched. A mask is provided by
              following the value with a slash and then the mask. The mask
              must be given as a number which represents a bitwise mask. If
              the mask is missing then a match on all bits is assumed.  Only
              available for ip_proto values icmp and icmpv6 which have to be
              specified beforehand.

       arp_tip IPV4_PREFIX
       arp_sip IPV4_PREFIX
              Match on ARP or RARP sender or target IP address.  IPV4_PREFIX
              must be a valid IPv4 address optionally followed by a slash and
              the prefix length. If the prefix is missing, tc assumes a
              full-length host match.

       arp_op ARP_OP
              Match on ARP or RARP operation.  ARP_OP may be request, reply or
              an integer value 0, 1 or 2.  A mask may be optionally provided
              to limit the bits of the operation which are matched. A mask is
              provided by following the operation with a slash and then the
              mask. It may be provided as an unsigned 8-bit value representing
              a bitwise mask. If the mask is missing then a match on all bits
              is assumed.

       arp_sha MASKED_LLADDR
       arp_tha MASKED_LLADDR
              Match on ARP or RARP sender or target MAC address.  A mask may
              be optionally provided to limit the bits of the address which
              are matched. A mask is provided by following the address with a
              slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to
              match. If the mask is missing then a match on all bits is
              assumed.

       enc_key_id NUMBER
       enc_dst_ip PREFIX
       enc_src_ip PREFIX
       enc_dst_port NUMBER
       enc_tos NUMBER
       enc_ttl NUMBER

       ct_state CT_STATE
       ct_zone CT_MASKED_ZONE
       ct_mark CT_MASKED_MARK
       ct_label CT_MASKED_LABEL
              Matches on connection tracking info.

              CT_STATE
                     Match the connection state, and can be a combination of
                     [{+|-}flag] flags, where flag can be one of

                     trk - Tracked connection.

                     new - New connection.

                     est - Established connection.

                     rpl - The packet is in the reply direction, meaning that
                     it is in the opposite direction from the packet that
                     initiated the connection.

                     inv - The state is invalid. The packet couldn't be
                     associated with a connection.

                     rel - The packet is related to an existing connection.

                     Example: +trk+est

              CT_MASKED_ZONE
                     Match the connection zone, and can be masked.

              CT_MASKED_MARK
                     32-bit match on the connection mark, and can be masked.

              CT_MASKED_LABEL
                     128-bit match on the connection label, and can be masked.

       geneve_opts OPTIONS
       vxlan_opts OPTIONS
       erspan_opts OPTIONS
       gtp_opts OPTIONS
              Match on IP tunnel metadata. Key id NUMBER is a 32-bit tunnel
              key id (e.g. VNI for VXLAN tunnel).  PREFIX must be a valid IPv4
              or IPv6 address optionally followed by a slash and the prefix
              length. If the prefix is missing, tc assumes a full-length host
              match.  Dst port NUMBER is a 16-bit UDP dst port. Tos NUMBER is
              an 8-bit tos (dscp+ecn) value, ttl NUMBER is an 8-bit
              time-to-live value.

              geneve_opts OPTIONS must be a valid list of comma-separated
              geneve options where each option consists of a key optionally
              followed by a slash and corresponding mask. If the mask is
              missing, tc assumes a full-length match. The options can be
              described in the form
              CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is
              represented as a 16-bit hexadecimal value, TYPE as an 8-bit
              hexadecimal value and DATA as a variable length hexadecimal
              value.

              vxlan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The option
              can be described in the form GBP/GBP_MASK, where GBP is
              represented as a 32-bit number.

              erspan_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The option
              can be described in the form
              VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK,
              where VERSION is represented as an 8-bit number, INDEX as a
              32-bit number, DIR and HWID as 8-bit numbers. Multiple options
              are not supported. Note INDEX/INDEX_MASK is used when VERSION is
              1, and DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION is
              2.

              gtp_opts OPTIONS doesn't support multiple options, and it
              consists of a key followed by a slash and corresponding mask. If
              the mask is missing, tc assumes a full-length match. The option
              can be described in the form PDU_TYPE:QFI/PDU_TYPE_MASK:QFI_MASK
              where both PDU_TYPE and QFI are represented as 8-bit hexadecimal
              values.

       ip_flags IP_FLAGS
              IP_FLAGS may be either frag, nofrag, firstfrag or nofirstfrag
              where frag and nofrag could be used to match on fragmented
              packets or not, respectively. firstfrag and nofirstfrag can be
              used to further distinguish fragmented packets. firstfrag can be
              used to indicate the first fragmented packet. nofirstfrag can be
              used to indicate subsequent fragmented packets or non-fragmented
              packets.

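
       The mask rules given above for MASKED_LLADDR (dst_mac, src_mac,
       arp_sha, arp_tha) and MASKED_TCP_FLAGS, written out as an added Python
       example; it is not code from tc or iproute2. The function names and
       the sample addresses are constructed for the illustration.

```python
# Added illustration of the mask semantics described in OPTIONS; not iproute2 code.
FULL48 = (1 << 48) - 1  # all bits of a MAC address


def lladdr_to_int(text):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad LLADDR: {text!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"bad LLADDR octet: {octet!r}")
        value = (value << 8) | byte
    return value


def parse_masked_lladdr(spec):
    """ADDR, ADDR/MASK in LLADDR format (bitwise) or ADDR/N (N high bits)."""
    addr, sep, mask = spec.partition("/")
    if not sep:
        return lladdr_to_int(addr), FULL48  # missing mask: match on all bits
    if ":" in mask:
        return lladdr_to_int(addr), lladdr_to_int(mask)
    bits = int(mask, 10)
    if not 0 <= bits <= 48:
        raise ValueError(f"bad high-bit count: {mask!r}")
    return lladdr_to_int(addr), (FULL48 << (48 - bits)) & FULL48


def parse_masked_tcp_flags(spec):
    """VALUE[/MASK], both hexadecimal, over the 12-bit TCP flags field."""
    value, sep, mask = spec.partition("/")
    parsed = int(value, 16), (int(mask, 16) if sep else 0xFFF)
    if not all(0 <= part <= 0xFFF for part in parsed):
        raise ValueError(f"not a 12-bit value: {spec!r}")
    return parsed


def matches(field, key):
    """A field matches when it equals the key on every bit the mask selects."""
    value, mask = key
    return (field & mask) == (value & mask)


if __name__ == "__main__":
    oui = parse_masked_lladdr("52:54:00:00:00:00/24")       # constructed
    print(matches(lladdr_to_int("52:54:00:ab:cd:ef"), oui))
    syn_no_ack = parse_masked_tcp_flags("0x02/0x12")        # SYN set, ACK clear
    print(matches(0x002, syn_no_ack), matches(0x012, syn_no_ack))
```

       Bits outside the mask are ignored, so the 0x02/0x12 key also matches a
       segment with FIN and SYN set (0x003); an unmasked 0x02 does not.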

NOTES

       As stated above where applicable, matches of a certain layer implicitly
       depend on the matches of the next lower layer. Precisely, layer one and
       two matches (indev, dst_mac and src_mac) have no dependency, MPLS and
       layer three matches (mpls, mpls_label, mpls_tc, mpls_bos, mpls_ttl,
       ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op, arp_tha, arp_sha
       and ip_flags) depend on the protocol option of tc filter, layer four
       port matches (dst_port and src_port) depend on ip_proto being set to
       tcp, udp or sctp, and finally ICMP matches (code and type) depend on
       ip_proto being set to icmp or icmpv6.

       Only one mask can be used per prio. If a user needs to specify a
       different mask, a different prio has to be used.

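
       A pre-deployment check for the layer dependencies listed above, as an
       added Python example that is not part of tc or iproute2. It handles
       keyword/value matches only (no mpls LSE_LIST), and the mapping from
       layer-three keys to protocol values is an assumption, since this page
       does not name the values.

```python
# Added example, not iproute2 code: lint a flower MATCH_LIST against NOTES.
# ASSUMPTION: PROTO_FOR_KEY maps each layer-three key to the tc filter
# `protocol` values taken to be meaningful for it; the page names no values.
FLAGS = {"verbose", "skip_sw", "skip_hw"}  # keywords that take no value
IP, ARP, MPLS = {"ip", "ipv6"}, {"arp", "rarp"}, {"mpls_uc", "mpls_mc"}
PROTO_FOR_KEY = {
    **dict.fromkeys(("ip_proto", "dst_ip", "src_ip", "ip_flags"), IP),
    **dict.fromkeys(("arp_tip", "arp_sip", "arp_op", "arp_tha", "arp_sha"), ARP),
    **dict.fromkeys(("mpls_label", "mpls_tc", "mpls_bos", "mpls_ttl"), MPLS),
}
L4_PORT, ICMP = {"tcp", "udp", "sctp"}, {"icmp", "icmpv6"}
IP_PROTO_FOR_KEY = {"dst_port": L4_PORT, "src_port": L4_PORT,
                    "type": ICMP, "code": ICMP}
# ip_proto may also be given as a hexadecimal number (see OPTIONS).
IP_PROTO_NAMES = {0x01: "icmp", 0x06: "tcp", 0x11: "udp",
                  0x3A: "icmpv6", 0x84: "sctp"}


def norm_ip_proto(value):
    """Map a hexadecimal ip_proto value to its keyword where one exists."""
    try:
        return IP_PROTO_NAMES.get(int(value, 16), value)
    except ValueError:
        return value  # already a keyword such as tcp


def lint_flower(protocol, match_args):
    """Return the dependency problems found in a flower MATCH_LIST string."""
    problems, ip_proto, tokens = [], None, iter(match_args.split())
    for key in tokens:
        if key == "action":          # ACTION_SPEC follows; matches are done
            break
        if key in FLAGS:
            continue
        value = next(tokens, None)
        if value is None:
            problems.append(f"{key}: missing value")
            break
        if key in PROTO_FOR_KEY and protocol not in PROTO_FOR_KEY[key]:
            problems.append(f"{key}: not valid with protocol {protocol}")
        if key == "ip_proto":
            ip_proto = norm_ip_proto(value)
        wanted = IP_PROTO_FOR_KEY.get(key)
        if wanted and ip_proto not in wanted:
            problems.append(f"{key}: needs ip_proto in {sorted(wanted)} "
                            f"specified beforehand, got {ip_proto}")
    return problems


if __name__ == "__main__":  # constructed sample rules
    for proto, args in [("ip", "ip_proto tcp dst_port 22 action drop"),
                        ("ip", "dst_port 22 ip_proto tcp action drop")]:
        print(proto, "|", args, "->", lint_flower(proto, args) or "ok")
```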

SEE ALSO

       tc(8), tc-flow(8)

iproute2                          22 Oct 2015           Flower filter in tc(8)