man-pages/man8/tc-flower.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of Flower filter in tc</TITLE>
</HEAD><BODY>
<H1>Flower filter in tc</H1>
Section: Linux (8)<BR>Updated: 22 Oct 2015<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<P>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

flower - flow based traffic control filter
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>


<BR>

<B>tc</B> <B>filter</B> ... <B>flower</B> [ 

<I>MATCH_LIST</I> ] [ 

<B>action</B>

<I>ACTION_SPEC</I> ] [ 

<B>classid</B>

<I>CLASSID</I> ] [ 

<B>hw_tc</B>

<I>TCID</I> ]

<P>
<P>
<BR>

<I>MATCH_LIST</I> := [ <I>MATCH_LIST</I> ] <I>MATCH</I>

<P>
<BR>

<I>MATCH</I> := { 

<B>indev</B>

<I>ifname</I> | 

<B>verbose</B>

 | 

<B>skip_sw</B> | <B>skip_hw</B>

 | { 

<B>dst_mac</B> | <B>src_mac</B> } 

<I>MASKED_LLADDR</I> | 

<B>vlan_id</B>

<I>VID</I> | 

<B>vlan_prio</B>

<I>PRIORITY</I> | 

<B>vlan_ethtype</B> { <B>ipv4</B> | <B>ipv6</B> | 

<I>ETH_TYPE</I> } | 

<B>cvlan_id</B>

<I>VID</I> | 

<B>cvlan_prio</B>

<I>PRIORITY</I> | 

<B>cvlan_ethtype</B> { <B>ipv4</B> | <B>ipv6</B> | 

<I>ETH_TYPE</I> } | 

<B>mpls_label</B>

<I>LABEL</I> | 

<B>mpls_tc</B>

<I>TC</I> | 

<B>mpls_bos</B>

<I>BOS</I> | 

<B>mpls_ttl</B>

<I>TTL</I> | 

<B>ip_proto</B> { <B>tcp</B> | <B>udp</B> | <B>sctp</B> | <B>icmp</B> | <B>icmpv6</B> | 

<I>IP_PROTO</I> } | 

<B>ip_tos</B>

<I>MASKED_IP_TOS</I> | 

<B>ip_ttl</B>

<I>MASKED_IP_TTL</I> | { 

<B>dst_ip</B> | <B>src_ip</B> } 

<I>PREFIX</I> | { 

<B>dst_port</B> | <B>src_port</B> } { 

<I>MASKED_NUMBER</I> | 

<I>min_port_number-max_port_number</I> } | 

<B>tcp_flags</B>

<I>MASKED_TCP_FLAGS</I> | 

<B>type</B>

<I>MASKED_TYPE</I> | 

<B>code</B>

<I>MASKED_CODE</I> | { 

<B>arp_tip</B> | <B>arp_sip</B> } 

<I>IPV4_PREFIX</I> | 

<B>arp_op</B> { <B>request</B> | <B>reply</B> | 

<I>OP</I> } | { 

<B>arp_tha</B> | <B>arp_sha</B> } 

<I>MASKED_LLADDR</I> | 

<B>enc_key_id</B>

<I>KEY-ID</I> | {

<B>enc_dst_ip</B> | <B>enc_src_ip</B> } { 

<I>ipv4_address</I> | <I>ipv6_address</I> } | 

<B>enc_dst_port</B>

<I>port_number</I> | 

<B>enc_tos</B>

<I>TOS</I> | 

<B>enc_ttl</B>

<I>TTL</I> | 

<B>geneve_opts</B>

<I>OPTIONS</I> | 

<B>ip_flags</B>

<I>IP_FLAGS</I>

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

The
<B>flower</B>

filter matches flows to the set of keys specified and assigns an arbitrarily
chosen class ID to packets belonging to them. Additionally (or alternatively) an
action from the generic action framework may be called.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>

<DL COMPACT>
<DT id="1"><B>action</B><I> ACTION_SPEC</I>

<DD>
Apply an action from the generic actions framework on matching packets.
<DT id="2"><B>classid</B><I> CLASSID</I>

<DD>
Specify a class to pass matching packets on to.
<I>CLASSID</I>

is in the form
<B>X</B>:<B>Y</B>, while <B>X</B> and <B>Y</B>

are interpreted as numbers in hexadecimal format.
<DT id="3"><B>hw_tc</B><I> TCID</I>

<DD>
Specify a hardware traffic class to pass matching packets on to. TCID is in the
range 0 through 15.
<DT id="4"><B>indev</B><I> ifname</I>

<DD>
Match on incoming interface name. Obviously this makes sense only for forwarded
flows.
<I>ifname</I>

is the name of an interface which must exist at the time of
<B>tc</B>

invocation.
<DT id="5"><B>verbose</B>

<DD>
Enable verbose logging, including offloading errors when not using
<B>skip_sw</B>

flag.
<DT id="6"><B>skip_sw</B>

<DD>
Do not process filter by software. If hardware has no offload support for this
filter, or TC offload is not enabled for the interface, operation will fail.
<DT id="7"><B>skip_hw</B>

<DD>
Do not process filter by hardware.
<DT id="8"><B>dst_mac</B><I> MASKED_LLADDR</I>

<DD>

<B>src_mac</B><I> MASKED_LLADDR</I>

Match on source or destination MAC address.  A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
<DT id="9"><B>vlan_id</B><I> VID</I>

<DD>
Match on vlan tag id.
<I>VID</I>

is an unsigned 12bit value in decimal format.
<DT id="10"><B>vlan_prio</B><I> PRIORITY</I>

<DD>
Match on vlan tag priority.
<I>PRIORITY</I>

is an unsigned 3bit value in decimal format.
<DT id="11"><B>vlan_ethtype</B><I> VLAN_ETH_TYPE</I>

<DD>
Match on layer three protocol.
<I>VLAN_ETH_TYPE</I>

may be either
<B>ipv4</B>, <B>ipv6</B>

or an unsigned 16bit value in hexadecimal format. To match on QinQ packet, it must be 802.1Q or 802.1AD.
<DT id="12"><B>cvlan_id</B><I> VID</I>

<DD>
Match on QinQ inner vlan tag id.
<I>VID</I>

is an unsigned 12bit value in decimal format.
<DT id="13"><B>cvlan_prio</B><I> PRIORITY</I>

<DD>
Match on QinQ inner vlan tag priority.
<I>PRIORITY</I>

is an unsigned 3bit value in decimal format.
<DT id="14"><B>cvlan_ethtype</B><I> VLAN_ETH_TYPE</I>

<DD>
Match on QinQ layer three protocol.
<I>VLAN_ETH_TYPE</I>

may be either
<B>ipv4</B>, <B>ipv6</B>

or an unsigned 16bit value in hexadecimal format.
<DT id="15"><B>mpls_label</B><I> LABEL</I>

<DD>
Match the label id in the outermost MPLS label stack entry.
<I>LABEL</I>

is an unsigned 20 bit value in decimal format.
<DT id="16"><B>mpls_tc</B><I> TC</I>

<DD>
Match on the MPLS TC field, which is typically used for packet priority,
in the outermost MPLS label stack entry.
<I>TC</I>

is an unsigned 3 bit value in decimal format.
<DT id="17"><B>mpls_bos</B><I> BOS</I>

<DD>
Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack
entry.
<I>BOS</I>

is a 1 bit value in decimal format.
<DT id="18"><B>mpls_ttl</B><I> TTL</I>

<DD>
Match on the MPLS Time To Live field in the outermost MPLS label stack
entry.
<I>TTL</I>

is an unsigned 8 bit value in decimal format.
<DT id="19"><B>ip_proto</B><I> IP_PROTO</I>

<DD>
Match on layer four protocol.
<I>IP_PROTO</I>

may be
<B>tcp</B>, <B>udp</B>, <B>sctp</B>, <B>icmp</B>, <B>icmpv6</B>

or an unsigned 8bit value in hexadecimal format.
<DT id="20"><B>ip_tos</B><I> MASKED_IP_TOS</I>

<DD>
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
<DT id="21"><B>ip_ttl</B><I> MASKED_IP_TTL</I>

<DD>
Match on ipv4 TTL or ipv6 hop-limit  - eight bits value in decimal or hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. Same
logic is used for the mask as with matching on ip_tos.
<DT id="22"><B>dst_ip</B><I> PREFIX</I>

<DD>

<B>src_ip</B><I> PREFIX</I>

Match on source or destination IP address.
<I>PREFIX</I>

must be a valid IPv4 or IPv6 address, depending on the <B>protocol</B>
option to tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, <B>tc</B> assumes a full-length host match.
<DT id="23"><I></I><B>dst_port</B> { <I>MASKED_NUMBER</I> | <I> MIN_VALUE-MAX_VALUE </I>}

<DD>

<I></I><B>src_port</B> { <I>MASKED_NUMBER</I> | <I> MIN_VALUE-MAX_VALUE </I>}

Match on layer 4 protocol source or destination port number, with an
optional mask. Alternatively, the mininum and maximum values can be
specified to match on a range of layer 4 protocol source or destination
port numbers. Only available for
<B>ip_proto</B> values <B>udp</B>, <B>tcp</B> and <B>sctp</B>

which have to be specified in beforehand.
<DT id="24"><B>tcp_flags</B><I> MASKED_TCP_FLAGS</I>

<DD>
Match on TCP flags represented as 12bit bitfield in in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
<DT id="25"><B>type</B><I> MASKED_TYPE</I>

<DD>

<B>code</B><I> MASKED_CODE</I>

Match on ICMP type or code. A mask may be optionally provided to limit the
bits of the address which are matched. A mask is provided by following the
address with a slash and then the mask. The mask must be as a number which
represents a bitwise mask If the mask is missing then a match on all bits
is assumed.  Only available for
<B>ip_proto</B> values <B>icmp</B> and <B>icmpv6</B>

which have to be specified in beforehand.
<DT id="26"><B>arp_tip</B><I> IPV4_PREFIX</I>

<DD>

<B>arp_sip</B><I> IPV4_PREFIX</I>

Match on ARP or RARP sender or target IP address.
<I>IPV4_PREFIX</I>

must be a valid IPv4 address optionally followed by a slash and the prefix
length. If the prefix is missing, <B>tc</B> assumes a full-length host
match.
<DT id="27"><B>arp_op</B><I> ARP_OP</I>

<DD>
Match on ARP or RARP operation.
<I>ARP_OP</I>

may be
<B>request</B>, <B>reply</B>

or an integer value 0, 1 or 2.  A mask may be optionally provided to limit
the bits of the operation which are matched. A mask is provided by
following the address with a slash and then the mask. It may be provided as
an unsigned 8 bit value representing a bitwise mask. If the mask is missing
then a match on all bits is assumed.
<DT id="28"><B>arp_sha</B><I> MASKED_LLADDR</I>

<DD>

<B>arp_tha</B><I> MASKED_LLADDR</I>

Match on ARP or RARP sender or target MAC address.  A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
<DT id="29"><B>enc_key_id</B><I> NUMBER</I>

<DD>

<B>enc_dst_ip</B><I> PREFIX</I>


<B>enc_src_ip</B><I> PREFIX</I>


<B>enc_dst_port</B><I> NUMBER</I>


<B>enc_tos</B><I> NUMBER</I>


<B>enc_ttl</B><I> NUMBER</I>



<DT id="30"><B>ct_state</B><I> CT_STATE</I>

<DD>

<B>ct_zone</B><I> CT_MASKED_ZONE</I>


<B>ct_mark</B><I> CT_MASKED_MARK</I>


<B>ct_label</B><I> CT_MASKED_LABEL</I>

Matches on connection tracking info
<DL COMPACT><DT id="31"><DD>
<DL COMPACT>
<DT id="32"><I>CT_STATE</I>

<DD>
Match the connection state, and can ne combination of [{+|-}flag] flags, where flag can be one of
<DL COMPACT><DT id="33"><DD>
<DL COMPACT>
<DT id="34">trk - Tracked connection.<DD>
<DT id="35">new - New connection.<DD>
<DT id="36">est - Established connection.<DD>
<DT id="37">Example: +trk+est<DD>
</DL>
</DL>

<DT id="38"><I>CT_MASKED_ZONE</I>

<DD>
Match the connection zone, and can be masked.
<DT id="39"><I>CT_MASKED_MARK</I>

<DD>
32bit match on the connection mark, and can be masked.
<DT id="40"><I>CT_MASKED_LABEL</I>

<DD>
128bit match on the connection label, and can be masked.
</DL>
</DL>

<DT id="41"><B>geneve_opts</B><I> OPTIONS</I>

<DD>
Match on IP tunnel metadata. Key id
<I>NUMBER</I>

is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
<I>PREFIX</I>

must be a valid IPv4 or IPv6 address optionally followed by a slash and the
prefix length. If the prefix is missing, <B>tc</B> assumes a full-length
host match.  Dst port
<I>NUMBER</I>

is a 16 bit UDP dst port. Tos
<I>NUMBER</I>

is an 8 bit tos (dscp+ecn) value, ttl
<I>NUMBER</I>

is an 8 bit time-to-live value. geneve_opts
<I>OPTIONS</I>

must be a valid list of comma-separated geneve options where each option
consists of a key optionally followed by a slash and corresponding mask. If
the masks is missing, <B>tc</B> assumes a full-length match. The options can
be described in the form CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK,
where CLASS is represented as a 16bit hexadecimal value, TYPE as an 8bit
hexadecimal value and DATA as a variable length hexadecimal value.
<DT id="42"><B>ip_flags</B><I> IP_FLAGS</I>

<DD>
<I>IP_FLAGS</I>

may be either
<B>frag</B>, <B>nofrag</B>, <B>firstfrag</B> or <B>nofirstfrag</B>

where frag and nofrag could be used to match on fragmented packets or not,
respectively. firstfrag and nofirstfrag can be used to further distinguish
fragmented packet. firstfrag can be used to indicate the first fragmented
packet. nofirstfrag can be used to indicates subsequent fragmented packets
or non-fragmented packets.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>NOTES</H2>

As stated above where applicable, matches of a certain layer implicitly depend
on the matches of the next lower layer. Precisely, layer one and two matches
(<B>indev</B>,  <B>dst_mac</B> and <B>src_mac</B>)
have no dependency,
MPLS and layer three matches
(<B>mpls_label</B>, <B>mpls_tc</B>, <B>mpls_bos</B>, <B>mpls_ttl</B>,
<B>ip_proto</B>, <B>dst_ip</B>, <B>src_ip</B>, <B>arp_tip</B>, <B>arp_sip</B>,
<B>arp_op</B>, <B>arp_tha</B>, <B>arp_sha</B> and <B>ip_flags</B>)
depend on the
<B>protocol</B>

option of tc filter, layer four port matches
(<B>dst_port</B> and <B>src_port</B>)
depend on
<B>ip_proto</B>

being set to
<B>tcp</B>, <B>udp</B> or <B>sctp,</B>

and finally ICMP matches (<B>code</B> and <B>type</B>) depend on
<B>ip_proto</B>

being set to
<B>icmp</B> or <B>icmpv6.</B>

<P>

There can be only used one mask per one prio. If user needs to specify different
mask, he has to use different prio.
<A NAME="lbAG">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="/cgi-bin/man/man2html?8+tc">tc</A></B>(8),

<B><A HREF="/cgi-bin/man/man2html?8+tc-flow">tc-flow</A></B>(8)

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="43"><A HREF="#lbAB">NAME</A><DD>
<DT id="44"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="45"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="46"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="47"><A HREF="#lbAF">NOTES</A><DD>
<DT id="48"><A HREF="#lbAG">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:17 GMT, March 31, 2021
</BODY>
</HTML>