man/man8/tc-flower.8

   1 .TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
   2
   3 .SH NAME
   4 flower \- flow based traffic control filter
   5 .SH SYNOPSIS
   6 .in +8
   7 .ti -8
   8 .BR tc " " filter " ... " flower " [ "
   9 .IR MATCH_LIST " ] [ "
  10 .B action
  11 .IR ACTION_SPEC " ] [ "
  12 .B classid
  13 .IR CLASSID " ]"
  14
  15 .ti -8
  16 .IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH
  17
  18 .ti -8
  19 .IR MATCH " := { "
  20 .B indev
  21 .IR ifname " | "
  22 .BR skip_sw " | " skip_hw
  23 .RI " | { "
  24 .BR dst_mac " | " src_mac " } "
  25 .IR MASKED_LLADDR " | "
  26 .B vlan_id
  27 .IR VID " | "
  28 .B vlan_prio
  29 .IR PRIORITY " | "
  30 .BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
  31 .IR ETH_TYPE " } | "
  32 .B mpls_label
  33 .IR LABEL " | "
  34 .B mpls_tc
  35 .IR TC " | "
  36 .B mpls_bos
  37 .IR BOS " | "
  38 .B mpls_ttl
  39 .IR TTL " | "
  40 .BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
  41 .IR IP_PROTO " } | "
  42 .B ip_tos
  43 .IR MASKED_IP_TOS " | "
  44 .B ip_ttl
  45 .IR MASKED_IP_TTL " | { "
  46 .BR dst_ip " | " src_ip " } "
  47 .IR PREFIX " | { "
  48 .BR dst_port " | " src_port " } "
  49 .IR port_number " } | "
  50 .B tcp_flags
  51 .IR MASKED_TCP_FLAGS " | "
  52 .B type
  53 .IR MASKED_TYPE " | "
  54 .B code
  55 .IR MASKED_CODE " | { "
  56 .BR arp_tip " | " arp_sip " } "
  57 .IR IPV4_PREFIX " | "
  58 .BR arp_op " { " request " | " reply " | "
  59 .IR OP " } | { "
  60 .BR arp_tha " | " arp_sha " } "
  61 .IR MASKED_LLADDR " | "
  62 .B enc_key_id
  63 .IR KEY-ID " | {"
  64 .BR enc_dst_ip " | " enc_src_ip " } { "
  65 .IR ipv4_address " | " ipv6_address " } | "
  66 .B enc_dst_port
  67 .IR port_number " | "
  68 .BR ip_flags
  69 .IR IP_FLAGS
  70 .SH DESCRIPTION
  71 The
  72 .B flower
  73 filter matches flows to the set of keys specified and assigns an arbitrarily
  74 chosen class ID to packets belonging to them. Additionally (or alternatively) an
  75 action from the generic action framework may be called.
  76 .SH OPTIONS
  77 .TP
  78 .BI action " ACTION_SPEC"
  79 Apply an action from the generic actions framework on matching packets.
  80 .TP
  81 .BI classid " CLASSID"
  82 Specify a class to pass matching packets on to.
  83 .I CLASSID
  84 is in the form
  85 .BR X : Y ", while " X " and " Y
  86 are interpreted as numbers in hexadecimal format.
  87 .TP
  88 .BI indev " ifname"
  89 Match on incoming interface name. Obviously this makes sense only for forwarded
  90 flows.
  91 .I ifname
  92 is the name of an interface which must exist at the time of
  93 .B tc
  94 invocation.
  95 .TP
  96 .BI skip_sw
  97 Do not process filter by software. If hardware has no offload support for this
  98 filter, or TC offload is not enabled for the interface, operation will fail.
  99 .TP
 100 .BI skip_hw
 101 Do not process filter by hardware.
 102 .TP
 103 .BI dst_mac " MASKED_LLADDR"
 104 .TQ
 105 .BI src_mac " MASKED_LLADDR"
 106 Match on source or destination MAC address.  A mask may be optionally
 107 provided to limit the bits of the address which are matched. A mask is
 108 provided by following the address with a slash and then the mask. It may be
 109 provided in LLADDR format, in which case it is a bitwise mask, or as a
 110 number of high bits to match. If the mask is missing then a match on all
 111 bits is assumed.
 112 .TP
 113 .BI vlan_id " VID"
 114 Match on vlan tag id.
 115 .I VID
 116 is an unsigned 12bit value in decimal format.
 117 .TP
 118 .BI vlan_prio " PRIORITY"
 119 Match on vlan tag priority.
 120 .I PRIORITY
 121 is an unsigned 3bit value in decimal format.
 122 .TP
 123 .BI vlan_ethtype " VLAN_ETH_TYPE"
 124 Match on layer three protocol.
 125 .I VLAN_ETH_TYPE
 126 may be either
 127 .BR ipv4 ", " ipv6
 128 or an unsigned 16bit value in hexadecimal format.
 129 .TP
 130 .BI mpls_label " LABEL"
 131 Match the label id in the outermost MPLS label stack entry.
 132 .I LABEL
 133 is an unsigned 20 bit value in decimal format.
 134 .TP
 135 .BI mpls_tc " TC"
 136 Match on the MPLS TC field, which is typically used for packet priority,
 137 in the outermost MPLS label stack entry.
 138 .I TC
 139 is an unsigned 3 bit value in decimal format.
 140 .TP
 141 .BI mpls_bos " BOS"
 142 Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack
 143 entry.
 144 .I BOS
 145 is a 1 bit value in decimal format.
 146 .TP
 147 .BI mpls_ttl " TTL"
 148 Match on the MPLS Time To Live field in the outermost MPLS label stack
 149 entry.
 150 .I TTL
 151 is an unsigned 8 bit value in decimal format.
 152 .TP
 153 .BI ip_proto " IP_PROTO"
 154 Match on layer four protocol.
 155 .I IP_PROTO
 156 may be
 157 .BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
 158 or an unsigned 8bit value in hexadecimal format.
 159 .TP
 160 .BI ip_tos " MASKED_IP_TOS"
 161 Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
 162 A mask may be optionally provided to limit the bits which are matched. A mask
 163 is provided by following the value with a slash and then the mask. If the mask
 164 is missing then a match on all bits is assumed.
 165 .TP
 166 .BI ip_ttl " MASKED_IP_TTL"
 167 Match on ipv4 TTL or ipv6 hop-limit  - eight bits value in decimal or hexadecimal format.
 168 A mask may be optionally provided to limit the bits which are matched. Same
 169 logic is used for the mask as with matching on ip_tos.
 170 .TP
 171 .BI dst_ip " PREFIX"
 172 .TQ
 173 .BI src_ip " PREFIX"
 174 Match on source or destination IP address.
 175 .I PREFIX
 176 must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
 177 option to tc filter, optionally followed by a slash and the prefix length.
 178 If the prefix is missing, \fBtc\fR assumes a full-length host match.
 179 .TP
 180 .BI dst_port " NUMBER"
 181 .TQ
 182 .BI src_port " NUMBER"
 183 Match on layer 4 protocol source or destination port number. Only available for
 184 .BR ip_proto " values " udp ", " tcp  " and " sctp
 185 which have to be specified in beforehand.
 186 .TP
 187 .BI tcp_flags " MASKED_TCP_FLAGS"
 188 Match on TCP flags represented as 12bit bitfield in in hexadecimal format.
 189 A mask may be optionally provided to limit the bits which are matched. A mask
 190 is provided by following the value with a slash and then the mask. If the mask
 191 is missing then a match on all bits is assumed.
 192 .TP
 193 .BI type " MASKED_TYPE"
 194 .TQ
 195 .BI code " MASKED_CODE"
 196 Match on ICMP type or code. A mask may be optionally provided to limit the
 197 bits of the address which are matched. A mask is provided by following the
 198 address with a slash and then the mask. The mask must be as a number which
 199 represents a bitwise mask If the mask is missing then a match on all bits
 200 is assumed.  Only available for
 201 .BR ip_proto " values " icmp  " and " icmpv6
 202 which have to be specified in beforehand.
 203 .TP
 204 .BI arp_tip " IPV4_PREFIX"
 205 .TQ
 206 .BI arp_sip " IPV4_PREFIX"
 207 Match on ARP or RARP sender or target IP address.
 208 .I IPV4_PREFIX
 209 must be a valid IPv4 address optionally followed by a slash and the prefix
 210 length. If the prefix is missing, \fBtc\fR assumes a full-length host
 211 match.
 212 .TP
 213 .BI arp_op " ARP_OP"
 214 Match on ARP or RARP operation.
 215 .I ARP_OP
 216 may be
 217 .BR request ", " reply
 218 or an integer value 0, 1 or 2.  A mask may be optionally provided to limit
 219 the bits of the operation which are matched. A mask is provided by
 220 following the address with a slash and then the mask. It may be provided as
 221 an unsigned 8 bit value representing a bitwise mask. If the mask is missing
 222 then a match on all bits is assumed.
 223 .TP
 224 .BI arp_sha " MASKED_LLADDR"
 225 .TQ
 226 .BI arp_tha " MASKED_LLADDR"
 227 Match on ARP or RARP sender or target MAC address.  A mask may be optionally
 228 provided to limit the bits of the address which are matched. A mask is
 229 provided by following the address with a slash and then the mask. It may be
 230 provided in LLADDR format, in which case it is a bitwise mask, or as a
 231 number of high bits to match. If the mask is missing then a match on all
 232 bits is assumed.
 233 .TP
 234 .BI enc_key_id " NUMBER"
 235 .TQ
 236 .BI enc_dst_ip " PREFIX"
 237 .TQ
 238 .BI enc_src_ip " PREFIX"
 239 .TQ
 240 .BI enc_dst_port " NUMBER"
 241 Match on IP tunnel metadata. Key id
 242 .I NUMBER
 243 is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
 244 .I PREFIX
 245 must be a valid IPv4 or IPv6 address optionally followed by a slash and the
 246 prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
 247 host match.  Dst port
 248 .I NUMBER
 249 is a 16 bit UDP dst port.
 250 .TP
 251 .BI ip_flags " IP_FLAGS"
 252 .I IP_FLAGS
 253 may be either
 254 .BR frag " or " nofrag
 255 to match on fragmented packets or not respectively.
 256 .SH NOTES
 257 As stated above where applicable, matches of a certain layer implicitly depend
 258 on the matches of the next lower layer. Precisely, layer one and two matches
 259 (\fBindev\fR,  \fBdst_mac\fR and \fBsrc_mac\fR)
 260 have no dependency,
 261 MPLS and layer three matches
 262 (\fBmpls_label\fR, \fBmpls_tc\fR, \fBmpls_bos\fR, \fBmpls_ttl\fR,
 263 \fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR,
 264 \fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR)
 265 depend on the
 266 .B protocol
 267 option of tc filter, layer four port matches
 268 (\fBdst_port\fR and \fBsrc_port\fR)
 269 depend on
 270 .B ip_proto
 271 being set to
 272 .BR tcp ", " udp " or " sctp,
 273 and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
 274 .B ip_proto
 275 being set to
 276 .BR icmp " or " icmpv6.
 277 .P
 278 There can be only used one mask per one prio. If user needs to specify different
 279 mask, he has to use different prio.
 280 .SH SEE ALSO
 281 .BR tc (8),
 282 .BR tc-flow (8)