Flower filter in tc(8) Linux Flower filter in tc(8)NAME
flower - flow based traffic control filter
SYNOPSIS
tc filter ... flower [ MATCH_LIST ] [ action ACTION_SPEC ] [ classid
CLASSID ]
MATCH_LIST := [ MATCH_LIST ] MATCH
MATCH := { indev ifname | skip_sw | skip_hw | { dst_mac | src_mac }
MASKED_LLADDR | vlan_id VID | vlan_prio PRIORITY | vlan_ethtype
{ ipv4 | ipv6 | ETH_TYPE } | ip_proto { tcp | udp | sctp | icmp
| icmpv6 | IP_PROTO } | ip_tos MASKED_IP_TOS | ip_ttl
MASKED_IP_TTL | { dst_ip | src_ip } PREFIX | { dst_port |
src_port } port_number } | tcp_flags MASKED_TCP_FLAGS | type
MASKED_TYPE | code MASKED_CODE | { arp_tip | arp_sip }
IPV4_PREFIX | arp_op { request | reply | OP } | { arp_tha |
arp_sha } MASKED_LLADDR | enc_key_id KEY-ID | { enc_dst_ip |
enc_src_ip } { ipv4_address | ipv6_address } | enc_dst_port
port_number | ip_flags IP_FLAGS
DESCRIPTION
The flower filter matches flows to the set of keys specified and
assigns an arbitrarily chosen class ID to packets belonging to them.
Additionally (or alternatively) an action from the generic action
framework may be called.
OPTIONS
action ACTION_SPEC
Apply an action from the generic actions framework on matching
packets.
classid CLASSID
Specify a class to pass matching packets on to. CLASSID is in
the form X:Y, while X and Y are interpreted as numbers in hexa‐
decimal format.
indev ifname
Match on incoming interface name. Obviously this makes sense
only for forwarded flows. ifname is the name of an interface
which must exist at the time of tc invocation.
skip_sw
Do not process filter by software. If hardware has no offload
support for this filter, or TC offload is not enabled for the
interface, operation will fail.
skip_hw
Do not process filter by hardware.
dst_mac MASKED_LLADDR
src_mac MASKED_LLADDR
Match on source or destination MAC address. A mask may be
optionally provided to limit the bits of the address which are
matched. A mask is provided by following the address with a
slash and then the mask. It may be provided in LLADDR format, in
which case it is a bitwise mask, or as a number of high bits to
match. If the mask is missing then a match on all bits is
assumed.
vlan_id VID
Match on vlan tag id. VID is an unsigned 12bit value in decimal
format.
vlan_prio PRIORITY
Match on vlan tag priority. PRIORITY is an unsigned 3bit value
in decimal format.
vlan_ethtype VLAN_ETH_TYPE
Match on layer three protocol. VLAN_ETH_TYPE may be either
ipv4, ipv6 or an unsigned 16bit value in hexadecimal format.
ip_proto IP_PROTO
Match on layer four protocol. IP_PROTO may be tcp, udp, sctp,
icmp, icmpv6 or an unsigned 8bit value in hexadecimal format.
ip_tos MASKED_IP_TOS
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadec‐
imal format. A mask may be optionally provided to limit the
bits which are matched. A mask is provided by following the
value with a slash and then the mask. If the mask is missing
then a match on all bits is assumed.
ip_ttl MASKED_IP_TTL
Match on ipv4 TTL or ipv6 hop-limit - eight bits value in deci‐
mal or hexadecimal format. A mask may be optionally provided to
limit the bits which are matched. Same logic is used for the
mask as with matching on ip_tos.
dst_ip PREFIX
src_ip PREFIX
Match on source or destination IP address. PREFIX must be a
valid IPv4 or IPv6 address, depending on the protocol option to
tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, tc assumes a full-length host match.
dst_port NUMBER
src_port NUMBER
Match on layer 4 protocol source or destination port number.
Only available for ip_proto values udp, tcp and sctp which have
to be specified in beforehand.
tcp_flags MASKED_TCP_FLAGS
Match on TCP flags represented as 12bit bitfield in in hexadeci‐
mal format. A mask may be optionally provided to limit the bits
which are matched. A mask is provided by following the value
with a slash and then the mask. If the mask is missing then a
match on all bits is assumed.
type MASKED_TYPE
code MASKED_CODE
Match on ICMP type or code. A mask may be optionally provided to
limit the bits of the address which are matched. A mask is pro‐
vided by following the address with a slash and then the mask.
The mask must be as a number which represents a bitwise mask If
the mask is missing then a match on all bits is assumed. Only
available for ip_proto values icmp and icmpv6 which have to be
specified in beforehand.
arp_tip IPV4_PREFIX
arp_sip IPV4_PREFIX
Match on ARP or RARP sender or target IP address. IPV4_PREFIX
must be a valid IPv4 address optionally followed by a slash and
the prefix length. If the prefix is missing, tc assumes a full-
length host match.
arp_op ARP_OP
Match on ARP or RARP operation. ARP_OP may be request, reply or
an integer value 0, 1 or 2. A mask may be optionally provided
to limit the bits of the operation which are matched. A mask is
provided by following the address with a slash and then the
mask. It may be provided as an unsigned 8 bit value representing
a bitwise mask. If the mask is missing then a match on all bits
is assumed.
arp_sha MASKED_LLADDR
arp_tha MASKED_LLADDR
Match on ARP or RARP sender or target MAC address. A mask may
be optionally provided to limit the bits of the address which
are matched. A mask is provided by following the address with a
slash and then the mask. It may be provided in LLADDR format, in
which case it is a bitwise mask, or as a number of high bits to
match. If the mask is missing then a match on all bits is
assumed.
enc_key_id NUMBER
enc_dst_ip PREFIX
enc_src_ip PREFIX
enc_dst_port NUMBER
Match on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel
key id (e.g. VNI for VXLAN tunnel). PREFIX must be a valid IPv4
or IPv6 address optionally followed by a slash and the prefix
length. If the prefix is missing, tc assumes a full-length host
match. Dst port NUMBER is a 16 bit UDP dst port.
ip_flags IP_FLAGS
IP_FLAGS may be either frag or nofrag to match on fragmented
packets or not respectively.
NOTES
As stated above where applicable, matches of a certain layer implicitly
depend on the matches of the next lower layer. Precisely, layer one and
two matches (indev, dst_mac and src_mac) have no dependency, layer
three matches (ip_proto, dst_ip, src_ip, arp_tip, arp_sip, arp_op,
arp_tha, arp_sha and ip_flags) depend on the protocol option of tc fil‐
ter, layer four port matches (dst_port and src_port) depend on ip_proto
being set to tcp, udp or sctp, and finally ICMP matches (code and type)
depend on ip_proto being set to icmp or icmpv6.
There can be only used one mask per one prio. If user needs to specify
different mask, he has to use different prio.
SEE ALSOtc(8), tc-flow(8)iproute2 22 Oct 2015 Flower filter in tc(8)
