.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
flower \- flow based traffic control filter
.BR tc " " filter " ... " flower " [ "
.IR ACTION_SPEC " ] [ "
.IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH
.BR skip_sw " | " skip_hw
.BR dst_mac " | " src_mac " } "
.IR MASKED_LLADDR " | "
.BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
.IR MASKED_IP_TOS " | "
.IR MASKED_IP_TTL " | { "
.BR dst_ip " | " src_ip " } "
.BR dst_port " | " src_port " } "
.IR port_number " } | "
.IR MASKED_TCP_FLAGS " | "
.IR MASKED_CODE " | { "
.BR arp_tip " | " arp_sip " } "
.BR arp_op " { " request " | " reply " | "
.BR arp_tha " | " arp_sha " } "
.IR MASKED_LLADDR " | "
.BR enc_dst_ip " | " enc_src_ip " } { "
.IR ipv4_address " | " ipv6_address " } | "
filter matches flows to the set of keys specified and assigns an arbitrarily
chosen class ID to packets belonging to them. Additionally (or alternatively) an
action from the generic action framework may be called.
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.BI classid " CLASSID"
Specify a class to pass matching packets on to.
.BR X : Y ", while " X " and " Y
are interpreted as numbers in hexadecimal format.
Match on incoming interface name. Obviously this makes sense only for forwarded
is the name of an interface which must exist at the time of
Do not process filter by software. If hardware has no offload support for this
filter, or TC offload is not enabled for the interface, operation will fail.
Do not process filter by hardware.
.BI dst_mac " MASKED_LLADDR"
.BI src_mac " MASKED_LLADDR"
Match on source or destination MAC address. A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
Match on vlan tag id.
is an unsigned 12bit value in decimal format.
.BI vlan_prio " PRIORITY"
Match on vlan tag priority.
is an unsigned 3bit value in decimal format.
.BI vlan_ethtype " VLAN_ETH_TYPE"
Match on layer three protocol.
or an unsigned 16bit value in hexadecimal format.
.BI mpls_label " LABEL"
Match the label id in the outermost MPLS label stack entry.
is an unsigned 20 bit value in decimal format.
Match on the MPLS TC field, which is typically used for packet priority,
in the outermost MPLS label stack entry.
is an unsigned 3 bit value in decimal format.
Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack
is a 1 bit value in decimal format.
Match on the MPLS Time To Live field in the outermost MPLS label stack
is an unsigned 8 bit value in decimal format.
.BI ip_proto " IP_PROTO"
Match on layer four protocol.
.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
or an unsigned 8bit value in hexadecimal format.
.BI ip_tos " MASKED_IP_TOS"
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.BI ip_ttl " MASKED_IP_TTL"
Match on ipv4 TTL or ipv6 hop-limit - an eight bit value in decimal or hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. The same
logic is used for the mask as with matching on ip_tos.
Match on source or destination IP address.
must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
option to tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, \fBtc\fR assumes a full-length host match.
.BI dst_port " NUMBER"
.BI src_port " NUMBER"
Match on layer 4 protocol source or destination port number. Only available for
.BR ip_proto " values " udp ", " tcp " and " sctp
which have to be specified beforehand.
.BI tcp_flags " MASKED_TCP_FLAGS"
Match on TCP flags represented as a 12bit bitfield in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.BI type " MASKED_TYPE"
.BI code " MASKED_CODE"
Match on ICMP type or code. A mask may be optionally provided to limit the
bits of the type or code which are matched. A mask is provided by following the
value with a slash and then the mask. The mask must be a number which
represents a bitwise mask. If the mask is missing then a match on all bits
is assumed. Only available for
.BR ip_proto " values " icmp " and " icmpv6
which have to be specified beforehand.
.BI arp_tip " IPV4_PREFIX"
.BI arp_sip " IPV4_PREFIX"
Match on ARP or RARP sender or target IP address.
must be a valid IPv4 address optionally followed by a slash and the prefix
length. If the prefix is missing, \fBtc\fR assumes a full-length host
Match on ARP or RARP operation.
.BR request ", " reply
or an integer value 0, 1 or 2. A mask may be optionally provided to limit
the bits of the operation which are matched. A mask is provided by
following the value with a slash and then the mask. It may be provided as
an unsigned 8 bit value representing a bitwise mask. If the mask is missing
then a match on all bits is assumed.
.BI arp_sha " MASKED_LLADDR"
.BI arp_tha " MASKED_LLADDR"
Match on ARP or RARP sender or target MAC address. A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
.BI enc_key_id " NUMBER"
.BI enc_dst_ip " PREFIX"
.BI enc_src_ip " PREFIX"
.BI enc_dst_port " NUMBER"
Match on IP tunnel metadata. Key id
is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
must be a valid IPv4 or IPv6 address optionally followed by a slash and the
prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
is a 16 bit UDP dst port.
.BI ip_flags " IP_FLAGS"
.BR frag " or " nofrag
to match on fragmented packets or not respectively.
As stated above where applicable, matches of a certain layer implicitly depend
on the matches of the next lower layer. Precisely, layer one and two matches
(\fBindev\fR, \fBdst_mac\fR and \fBsrc_mac\fR)
MPLS and layer three matches
(\fBmpls_label\fR, \fBmpls_tc\fR, \fBmpls_bos\fR, \fBmpls_ttl\fR,
\fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR,
\fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR)
option of tc filter, layer four port matches
(\fBdst_port\fR and \fBsrc_port\fR)
.BR tcp ", " udp " or " sctp ,
and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
.BR icmp " or " icmpv6 .
Only one mask can be used per prio. If a user needs to specify a different
mask, a different prio has to be used.
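
The MASKED_LLADDR rules given for dst_mac and src_mac, together with the one-mask-per-prio restriction, as an added example (not part of the original man page or of iproute2). It reimplements those rules in Python; the function names, the filter representation and the MAC addresses are constructed for illustration, and only the two MAC keys are compared when looking for differing masks.

```python
FULL = (1 << 48) - 1  # all 48 bits of a MAC address

def lladdr(text):
    """Convert aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("not an LLADDR: " + text)
    return int.from_bytes(bytes(int(p, 16) for p in parts), "big")

def parse_masked_lladdr(spec):
    """Return (address, mask) for ADDR, ADDR/LLADDR or ADDR/BITS."""
    addr, _, mask = spec.partition("/")
    if not mask:
        return lladdr(addr), FULL            # no mask: match on all bits
    if ":" in mask:
        return lladdr(addr), lladdr(mask)    # LLADDR form: bitwise mask
    bits = int(mask)                         # number of high bits to match
    if not 0 <= bits <= 48:
        raise ValueError("bad prefix length: " + mask)
    return lladdr(addr), (FULL << (48 - bits)) & FULL

def matches(spec, mac):
    """True if a packet MAC address is selected by a MASKED_LLADDR."""
    addr, mask = parse_masked_lladdr(spec)
    return (lladdr(mac) & mask) == (addr & mask)

def mask_conflicts(filters):
    """Return the prios whose filters do not all share one MAC mask.

    filters is a list of (prio, {"dst_mac": spec, "src_mac": spec});
    this representation is hypothetical, not a tc data format.
    """
    seen = {}
    for prio, keys in filters:
        sig = tuple(parse_masked_lladdr(keys[k])[1] if k in keys else 0
                    for k in ("dst_mac", "src_mac"))
        seen.setdefault(prio, set()).add(sig)
    return sorted(p for p, sigs in seen.items() if len(sigs) > 1)

# Constructed sample rule set: prio 1 is consistent, prio 2 mixes masks.
SAMPLE = [
    (1, {"dst_mac": "00:11:22:00:00:00/24"}),
    (1, {"dst_mac": "aa:bb:cc:00:00:00/ff:ff:ff:00:00:00"}),
    (2, {"dst_mac": "00:11:22:33:44:55"}),
    (2, {"dst_mac": "00:11:22:00:00:00/24"}),
]

if __name__ == "__main__":
    print(matches("00:11:22:00:00:00/24", "00:11:22:aa:bb:cc"))
    print(mask_conflicts(SAMPLE))
```

A bitwise mask does not have to be contiguous: 01:00:00:00:00:00/01:00:00:00:00:00 selects every address with the group bit set, which a prefix length cannot express.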