412 lines
8.5 KiB
HTML
412 lines
8.5 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of Flow filter in tc</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>Flow filter in tc</H1>
|
|
Section: Linux (8)<BR>Updated: 20 Oct 2015<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<P>
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
flow - flow based traffic control filter
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="1">Mapping mode:<DD>
|
|
<P>
|
|
<DL COMPACT><DT id="2"><DD>
|
|
|
|
<BR>
|
|
|
|
<B>tc</B> <B>filter</B> ... <B>flow map key </B>
|
|
|
|
<I>KEY</I> [ <I>OPS</I> ] [ <I>OPTIONS</I> ]
|
|
|
|
</DL>
|
|
|
|
<DT id="3">Hashing mode:<DD>
|
|
<P>
|
|
<DL COMPACT><DT id="4"><DD>
|
|
|
|
<BR>
|
|
|
|
<B>tc</B> <B>filter</B> ... <B>flow hash keys </B>
|
|
|
|
<I>KEY_LIST</I> [
|
|
|
|
<B>perturb</B>
|
|
|
|
<I>secs</I> ] [ <I>OPTIONS</I> ]
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<BR>
|
|
|
|
<I>OPS</I> := [ <I>OPS</I> ] <I>OP</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>OPTIONS</I> := [
|
|
|
|
<B>divisor</B>
|
|
|
|
<I>NUM</I> ] [
|
|
|
|
<B>baseclass</B>
|
|
|
|
<I>ID</I> ] [
|
|
|
|
<B>match</B>
|
|
|
|
<I>EMATCH_TREE</I> ] [
|
|
|
|
<B>action</B>
|
|
|
|
<I>ACTION_SPEC</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>KEY_LIST</I> := [ <I>KEY_LIST</I> ] <I>KEY</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>OP</I> := {
|
|
|
|
<B>or</B> | <B>and</B> | <B>xor</B> | <B>rshift</B> | <B>addend</B> }
|
|
|
|
<I>NUM</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>ID</I> := <I>X</I>:<I>Y</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<I>KEY</I> := {
|
|
|
|
<B>src</B> | <B>dst</B> | <B>proto</B> | <B>proto-src</B> | <B>proto-dst</B> | <B>iif</B> |
|
|
|
|
<B>priority</B> | <B>mark</B> | <B>nfct</B> | <B>nfct-src</B> | <B>nfct-dst</B> |
|
|
|
|
<B>nfct-proto-src</B> | <B>nfct-proto-dst</B> | <B>rt-classid</B> | <B>sk-uid</B> |
|
|
|
|
<B>sk-gid</B> | <B>vlan-tag</B> | <B>rxhash</B> }
|
|
|
|
</DL>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
The
|
|
<B>flow</B>
|
|
|
|
classifier is meant to extend the
|
|
<B>SFQ</B>
|
|
|
|
hashing capabilities without hard-coding new hash functions. It also allows
|
|
deterministic mappings of keys to classes.
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="5"><B>action</B><I> ACTION_SPEC</I>
|
|
|
|
<DD>
|
|
Apply an action from the generic actions framework on matching packets.
|
|
<DT id="6"><B>baseclass</B><I> ID</I>
|
|
|
|
<DD>
|
|
An offset for the resulting class ID.
|
|
<I>ID</I>
|
|
|
|
may be
|
|
<B>root</B>, <B>none</B>
|
|
|
|
or a hexadecimal class ID in the form [<I>X</I><B>:</B>]<I>Y</I>. <I>X</I> must
|
|
match qdisc's/class's major handle (if omitted, the correct value is chosen
|
|
automatically). If the whole <B>baseclass</B> is omitted, <I>Y</I> defaults
|
|
to 1.
|
|
<DT id="7"><B>divisor</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Number of buckets to use for sorting into. Keys are calculated modulo
|
|
<I>NUM</I>.
|
|
|
|
<DT id="8"><B>hash keys </B><I>KEY-LIST</I>
|
|
|
|
<DD>
|
|
Perform a
|
|
<B>jhash2</B>
|
|
|
|
operation over the keys in
|
|
<I>KEY-LIST</I>,
|
|
|
|
the result (modulo the
|
|
<B>divisor</B>
|
|
|
|
if given) is taken as class ID, optionally offset by the value of
|
|
<B>baseclass</B>.
|
|
|
|
It is possible to specify an interval (in seconds) after which
|
|
<B>jhash2</B>'s
|
|
|
|
entropy source is recreated using the
|
|
<B>perturb</B>
|
|
|
|
parameter.
|
|
<DT id="9"><B>map key </B><I>KEY</I>
|
|
|
|
<DD>
|
|
Packet data identified by
|
|
<I>KEY</I>
|
|
|
|
is translated into class IDs to push the packet into. The value may be mangled by
|
|
<I>OPS</I>
|
|
|
|
before using it for the mapping. They are applied in the order listed here:
|
|
<DL COMPACT><DT id="10"><DD>
|
|
<DL COMPACT>
|
|
<DT id="11"><B>and</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Perform bitwise
|
|
<B>AND</B>
|
|
|
|
operation with numeric value
|
|
<I>NUM</I>.
|
|
|
|
<DT id="12"><B>or</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Perform bitwise
|
|
<B>OR</B>
|
|
|
|
operation with numeric value
|
|
<I>NUM</I>.
|
|
|
|
<DT id="13"><B>xor</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Perform bitwise
|
|
<B>XOR</B>
|
|
|
|
operation with numeric value
|
|
<I>NUM</I>.
|
|
|
|
<DT id="14"><B>rshift</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Shift the value of
|
|
<I>KEY</I>
|
|
|
|
to the right by
|
|
<I>NUM</I>
|
|
|
|
bits.
|
|
<DT id="15"><B>addend</B><I> NUM</I>
|
|
|
|
<DD>
|
|
Add
|
|
<I>NUM</I>
|
|
|
|
to the value of
|
|
<I>KEY</I>.
|
|
|
|
<P>
|
|
</DL>
|
|
</DL>
|
|
|
|
<DL COMPACT><DT id="16"><DD>
|
|
For the
|
|
<B>or</B>, <B>and</B>, <B>xor</B> and <B>rshift</B>
|
|
|
|
operations,
|
|
<I>NUM</I>
|
|
|
|
is assumed to be an unsigned, 32bit integer value. For the
|
|
<B>addend</B>
|
|
|
|
operation,
|
|
<I>NUM</I>
|
|
|
|
may be much more complex: It may be prefixed by a minus ('-') sign to cause
|
|
subtraction instead of addition and for keys of
|
|
<B>src</B>, <B>dst</B>, <B>nfct-src</B> and <B>nfct-dst</B>
|
|
|
|
it may be given in IP address notation. See below for an illustrating example.
|
|
</DL>
|
|
|
|
<DT id="17"><B>match</B><I> EMATCH_TREE</I>
|
|
|
|
<DD>
|
|
Match packets using the extended match infrastructure. See
|
|
<B><A HREF="/cgi-bin/man/man2html?8+tc-ematch">tc-ematch</A></B>(8)
|
|
|
|
for a detailed description of the allowed syntax in
|
|
<I>EMATCH_TREE</I>.
|
|
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>KEYS</H2>
|
|
|
|
In mapping mode, a single key is used (after optional permutation) to build a
|
|
class ID. The resulting ID is deducible in most cases. In hashing more, a number
|
|
of keys may be specified which are then hashed and the output used as class ID.
|
|
This ID is not deducible in beforehand, and may even change over time for a
|
|
given flow if a
|
|
<B>perturb</B>
|
|
|
|
interval has been given.
|
|
<P>
|
|
The range of class IDs can be limited by the
|
|
<B>divisor</B>
|
|
|
|
option, which is used for a modulus.
|
|
<DL COMPACT>
|
|
<DT id="18"><B>src</B>, <B>dst</B>
|
|
|
|
<DD>
|
|
Use source or destination address as key. In case of IPv4 and TIPC, this is the
|
|
actual address value. For IPv6, the 128bit address is folded into a 32bit value
|
|
by XOR'ing the four 32bit words. In all other cases, the kernel-internal socket
|
|
address is used (after folding into 32bits on 64bit systems).
|
|
<DT id="19"><B>proto</B>
|
|
|
|
<DD>
|
|
Use the layer four protocol number as key.
|
|
<DT id="20"><B>proto-src</B>
|
|
|
|
<DD>
|
|
Use the layer four source port as key. If not available, the kernel-internal
|
|
socket address is used instead.
|
|
<DT id="21"><B>proto-dst</B>
|
|
|
|
<DD>
|
|
Use the layer four destination port as key. If not available, the associated
|
|
kernel-internal dst_entry address is used after XOR'ing with the packet's
|
|
layer three protocol number.
|
|
<DT id="22"><B>iif</B>
|
|
|
|
<DD>
|
|
Use the incoming interface index as key.
|
|
<DT id="23"><B>priority</B>
|
|
|
|
<DD>
|
|
Use the packet's priority as key. Usually this is the IP header's DSCP/ECN
|
|
value.
|
|
<DT id="24"><B>mark</B>
|
|
|
|
<DD>
|
|
Use the netfilter
|
|
<B>fwmark</B>
|
|
|
|
as key.
|
|
<DT id="25"><B>nfct</B>
|
|
|
|
<DD>
|
|
Use the associated conntrack entry address as key.
|
|
<DT id="26"><B>nfct-src</B>, <B>nfct-dst</B>, <B>nfct-proto-src</B>, <B>nfct-proto-dst</B>
|
|
|
|
<DD>
|
|
These are conntrack-aware variants of
|
|
<B>src</B>, <B>dst</B>, <B>proto-src</B> and <B>proto-dst</B>.
|
|
|
|
In case of NAT, these are basically the packet header's values before NAT was
|
|
applied.
|
|
<DT id="27"><B>rt-classid</B>
|
|
|
|
<DD>
|
|
Use the packet's destination routing table entry's realm as key.
|
|
<DT id="28"><B>sk-uid</B>
|
|
|
|
<DD>
|
|
|
|
<B>sk-gid</B>
|
|
|
|
For locally generated packets, use the user or group ID the originating socket
|
|
belongs to as key.
|
|
<DT id="29"><B>vlan-tag</B>
|
|
|
|
<DD>
|
|
Use the packet's vlan ID as key.
|
|
<DT id="30"><B>rxhash</B>
|
|
|
|
<DD>
|
|
Use the flow hash as key.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAG"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="31">Classic SFQ hash:<DD>
|
|
<P>
|
|
|
|
tc filter add ... flow hash \
|
|
<TT> </TT>keys src,dst,proto,proto-src,proto-dst divisor 1024<BR>
|
|
|
|
<DT id="32">Classic SFQ hash, but using information from conntrack to work properly in combination with NAT:<DD>
|
|
<P>
|
|
|
|
tc filter add ... flow hash \
|
|
<TT> </TT>keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst \<BR>
|
|
<TT> </TT>divisor 1024<BR>
|
|
|
|
<DT id="33">Map destination IPs of 192.168.0.0/24 to classids 1-256:<DD>
|
|
<P>
|
|
|
|
tc filter add ... flow map \
|
|
<TT> </TT>key dst addend -192.168.0.0 divisor 256<BR>
|
|
|
|
<DT id="34">Alternative to the above:<DD>
|
|
<P>
|
|
|
|
tc filter add ... flow map \
|
|
<TT> </TT>key dst and 0xff<BR>
|
|
|
|
<DT id="35">The same, but in reverse order:<DD>
|
|
<P>
|
|
|
|
tc filter add ... flow map \
|
|
<TT> </TT>key dst and 0xff xor 0xff<BR>
|
|
|
|
</DL>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+tc">tc</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+tc-ematch">tc-ematch</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+tc-sfq">tc-sfq</A></B>(8)
|
|
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="36"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="37"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="38"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="39"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="40"><A HREF="#lbAF">KEYS</A><DD>
|
|
<DT id="41"><A HREF="#lbAG">EXAMPLES</A><DD>
|
|
<DT id="42"><A HREF="#lbAH">SEE ALSO</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:17 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|