v811_spc009/external/iproute2/man/man8/tc-flower.8

.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"

.SH NAME
flower \- flow based traffic control filter
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " " filter " ... " flower " [ "
.IR MATCH_LIST " ] [ "
.B action
.IR ACTION_SPEC " ] [ "
.B classid
.IR CLASSID " ]"

.ti -8
.IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH

.ti -8
.IR MATCH " := { "
.B indev
.IR ifname " | "
.BR skip_sw " | " skip_hw
.RI " | { "
.BR dst_mac " | " src_mac " } "
.IR MASKED_LLADDR " | "
.B vlan_id
.IR VID " | "
.B vlan_prio
.IR PRIORITY " | "
.BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
.IR ETH_TYPE " } | "
.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
.IR IP_PROTO " } | "
.B ip_tos
.IR MASKED_IP_TOS " | "
.B ip_ttl
.IR MASKED_IP_TTL " | { "
.BR dst_ip " | " src_ip " } "
.IR PREFIX " | { "
.BR dst_port " | " src_port " } "
.IR port_number " } | "
.B tcp_flags
.IR MASKED_TCP_FLAGS " | "
.B type
.IR MASKED_TYPE " | "
.B code
.IR MASKED_CODE " | { "
.BR arp_tip " | " arp_sip " } "
.IR IPV4_PREFIX " | "
.BR arp_op " { " request " | " reply " | "
.IR OP " } | { "
.BR arp_tha " | " arp_sha " } "
.IR MASKED_LLADDR " | "
.B enc_key_id
.IR KEY-ID " | {"
.BR enc_dst_ip " | " enc_src_ip " } { "
.IR ipv4_address " | " ipv6_address " } | "
.B enc_dst_port
.IR port_number " | "
.BR ip_flags
.IR IP_FLAGS
.SH DESCRIPTION
The
.B flower
filter matches flows to the set of keys specified and assigns an arbitrarily
chosen class ID to packets belonging to them. Additionally (or alternatively) an
action from the generic action framework may be called.
.SH OPTIONS
.TP
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.TP
.BI classid " CLASSID"
Specify a class to pass matching packets on to.
.I CLASSID
is in the form
.BR X : Y ", while " X " and " Y
are interpreted as numbers in hexadecimal format.
.TP
.BI indev " ifname"
Match on incoming interface name. Obviously this makes sense only for forwarded
flows.
.I ifname
is the name of an interface which must exist at the time of
.B tc
invocation.
.TP
.BI skip_sw
Do not process filter by software. If hardware has no offload support for this
filter, or TC offload is not enabled for the interface, operation will fail.
.TP
.BI skip_hw
Do not process filter by hardware.
.TP
.BI dst_mac " MASKED_LLADDR"
.TQ
.BI src_mac " MASKED_LLADDR"
Match on source or destination MAC address.  A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
.TP
.BI vlan_id " VID"
Match on vlan tag id.
.I VID
is an unsigned 12bit value in decimal format.
.TP
.BI vlan_prio " PRIORITY"
Match on vlan tag priority.
.I PRIORITY
is an unsigned 3bit value in decimal format.
.TP
.BI vlan_ethtype " VLAN_ETH_TYPE"
Match on layer three protocol.
.I VLAN_ETH_TYPE
may be either
.BR ipv4 ", " ipv6
or an unsigned 16bit value in hexadecimal format.
.TP
.BI ip_proto " IP_PROTO"
Match on layer four protocol.
.I IP_PROTO
may be
.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
or an unsigned 8bit value in hexadecimal format.
.TP
.BI ip_tos " MASKED_IP_TOS"
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.TP
.BI ip_ttl " MASKED_IP_TTL"
Match on ipv4 TTL or ipv6 hop-limit  - eight bits value in decimal or hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. Same
logic is used for the mask as with matching on ip_tos.
.TP
.BI dst_ip " PREFIX"
.TQ
.BI src_ip " PREFIX"
Match on source or destination IP address.
.I PREFIX
must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
option to tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, \fBtc\fR assumes a full-length host match.
.TP
.BI dst_port " NUMBER"
.TQ
.BI src_port " NUMBER"
Match on layer 4 protocol source or destination port number. Only available for
.BR ip_proto " values " udp ", " tcp  " and " sctp
which have to be specified in beforehand.
.TP
.BI tcp_flags " MASKED_TCP_FLAGS"
Match on TCP flags represented as 12bit bitfield in in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.TP
.BI type " MASKED_TYPE"
.TQ
.BI code " MASKED_CODE"
Match on ICMP type or code. A mask may be optionally provided to limit the
bits of the address which are matched. A mask is provided by following the
address with a slash and then the mask. The mask must be as a number which
represents a bitwise mask If the mask is missing then a match on all bits
is assumed.  Only available for
.BR ip_proto " values " icmp  " and " icmpv6
which have to be specified in beforehand.
.TP
.BI arp_tip " IPV4_PREFIX"
.TQ
.BI arp_sip " IPV4_PREFIX"
Match on ARP or RARP sender or target IP address.
.I IPV4_PREFIX
must be a valid IPv4 address optionally followed by a slash and the prefix
length. If the prefix is missing, \fBtc\fR assumes a full-length host
match.
.TP
.BI arp_op " ARP_OP"
Match on ARP or RARP operation.
.I ARP_OP
may be
.BR request ", " reply
or an integer value 0, 1 or 2.  A mask may be optionally provided to limit
the bits of the operation which are matched. A mask is provided by
following the address with a slash and then the mask. It may be provided as
an unsigned 8 bit value representing a bitwise mask. If the mask is missing
then a match on all bits is assumed.
.TP
.BI arp_sha " MASKED_LLADDR"
.TQ
.BI arp_tha " MASKED_LLADDR"
Match on ARP or RARP sender or target MAC address.  A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
.TP
.BI enc_key_id " NUMBER"
.TQ
.BI enc_dst_ip " PREFIX"
.TQ
.BI enc_src_ip " PREFIX"
.TQ
.BI enc_dst_port " NUMBER"
Match on IP tunnel metadata. Key id
.I NUMBER
is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
.I PREFIX
must be a valid IPv4 or IPv6 address optionally followed by a slash and the
prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
host match.  Dst port
.I NUMBER
is a 16 bit UDP dst port.
.TP
.BI ip_flags " IP_FLAGS"
.I IP_FLAGS
may be either
.BR frag " or " nofrag
to match on fragmented packets or not respectively.
.SH NOTES
As stated above where applicable, matches of a certain layer implicitly depend
on the matches of the next lower layer. Precisely, layer one and two matches
(\fBindev\fR,  \fBdst_mac\fR and \fBsrc_mac\fR)
have no dependency, layer three matches
(\fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR,
\fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR)
depend on the
.B protocol
option of tc filter, layer four port matches
(\fBdst_port\fR and \fBsrc_port\fR)
depend on
.B ip_proto
being set to
.BR tcp ", " udp " or " sctp,
and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
.B ip_proto
being set to
.BR icmp " or " icmpv6.
.P
There can be only used one mask per one prio. If user needs to specify different
mask, he has to use different prio.
.SH SEE ALSO
.BR tc (8),
.BR tc-flow (8)