proxmox-mirrors/mirror_iproute2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_iproute2 synced 2025-10-31 12:21:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
79ea01927c
mirror_iproute2/man/man8/tc-flower.8
David Ahern e50290e687 Merge branch 'master' into next 
Signed-off-by: David Ahern <dsahern@gmail.com>
2020-05-27 02:08:27 +00:00

417 lines
12 KiB
Groff
Raw Blame History

.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
"Usage: ct clear\n"
" ct commit [force] [zone ZONE] [mark MASKED_MARK] [label MASKED_LABEL] [nat NAT_SPEC] [OFFLOAD_POLICY]\n"
" ct [nat] [zone ZONE] [OFFLOAD_POLICY]\n"
"Where: ZONE is the conntrack zone table number\n"
" NAT_SPEC is {src|dst} addr addr1[-addr2] [port port1[-port2]]\n"
" OFFLOAD_POLICY is [policy_pkts PACKETS] [policy_timeout TIMEOUT]\n"
.SH NAME
flower \- flow based traffic control filter
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " " filter " ... " flower " [ "
.IR MATCH_LIST " ] [ "
.B action
.IR ACTION_SPEC " ] [ "
.B classid
.IR CLASSID " ] [ "
.B hw_tc
.IR TCID " ]"
.ti -8
.IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH
.ti -8
.IR MATCH " := { "
.B indev
.IR ifname " | "
.BR verbose
.RI " | "
.BR skip_sw " | " skip_hw
.RI " | { "
.BR dst_mac " | " src_mac " } "
.IR MASKED_LLADDR " | "
.B vlan_id
.IR VID " | "
.B vlan_prio
.IR PRIORITY " | "
.BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
.IR ETH_TYPE " } | "
.B cvlan_id
.IR VID " | "
.B cvlan_prio
.IR PRIORITY " | "
.BR cvlan_ethtype " { " ipv4 " | " ipv6 " | "
.IR ETH_TYPE " } | "
.B mpls_label
.IR LABEL " | "
.B mpls_tc
.IR TC " | "
.B mpls_bos
.IR BOS " | "
.B mpls_ttl
.IR TTL " | "
.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
.IR IP_PROTO " } | "
.B ip_tos
.IR MASKED_IP_TOS " | "
.B ip_ttl
.IR MASKED_IP_TTL " | { "
.BR dst_ip " | " src_ip " } "
.IR PREFIX " | { "
.BR dst_port " | " src_port " } { "
.IR MASKED_NUMBER " | "
.IR min_port_number-max_port_number " } | "
.B tcp_flags
.IR MASKED_TCP_FLAGS " | "
.B type
.IR MASKED_TYPE " | "
.B code
.IR MASKED_CODE " | { "
.BR arp_tip " | " arp_sip " } "
.IR IPV4_PREFIX " | "
.BR arp_op " { " request " | " reply " | "
.IR OP " } | { "
.BR arp_tha " | " arp_sha " } "
.IR MASKED_LLADDR " | "
.B enc_key_id
.IR KEY-ID " | {"
.BR enc_dst_ip " | " enc_src_ip " } { "
.IR ipv4_address " | " ipv6_address " } | "
.B enc_dst_port
.IR port_number " | "
.B enc_tos
.IR TOS " | "
.B enc_ttl
.IR TTL " | "
{
.B geneve_opts
|
.B vxlan_opts
|
.B erspan_opts
}
.IR OPTIONS " | "
.BR ip_flags
.IR IP_FLAGS
.SH DESCRIPTION
The
.B flower
filter matches flows to the set of keys specified and assigns an arbitrarily
chosen class ID to packets belonging to them. Additionally (or alternatively) an
action from the generic action framework may be called.
.SH OPTIONS
.TP
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.TP
.BI classid " CLASSID"
Specify a class to pass matching packets on to.
.I CLASSID
is in the form
.BR X : Y ", while " X " and " Y
are interpreted as numbers in hexadecimal format.
.TP
.BI hw_tc " TCID"
Specify a hardware traffic class to pass matching packets on to. TCID is in the
range 0 through 15.
.TP
.BI indev " ifname"
Match on incoming interface name. Obviously this makes sense only for forwarded
flows.
.I ifname
is the name of an interface which must exist at the time of
.B tc
invocation.
.TP
.BI verbose
Enable verbose logging, including offloading errors when not using
.B skip_sw
flag.
.TP
.BI skip_sw
Do not process filter by software. If hardware has no offload support for this
filter, or TC offload is not enabled for the interface, operation will fail.
.TP
.BI skip_hw
Do not process filter by hardware.
.TP
.BI dst_mac " MASKED_LLADDR"
.TQ
.BI src_mac " MASKED_LLADDR"
Match on source or destination MAC address. A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
.TP
.BI vlan_id " VID"
Match on vlan tag id.
.I VID
is an unsigned 12bit value in decimal format.
.TP
.BI vlan_prio " PRIORITY"
Match on vlan tag priority.
.I PRIORITY
is an unsigned 3bit value in decimal format.
.TP
.BI vlan_ethtype " VLAN_ETH_TYPE"
Match on layer three protocol.
.I VLAN_ETH_TYPE
may be either
.BR ipv4 ", " ipv6
or an unsigned 16bit value in hexadecimal format. To match on QinQ packet, it must be 802.1Q or 802.1AD.
.TP
.BI cvlan_id " VID"
Match on QinQ inner vlan tag id.
.I VID
is an unsigned 12bit value in decimal format.
.TP
.BI cvlan_prio " PRIORITY"
Match on QinQ inner vlan tag priority.
.I PRIORITY
is an unsigned 3bit value in decimal format.
.TP
.BI cvlan_ethtype " VLAN_ETH_TYPE"
Match on QinQ layer three protocol.
.I VLAN_ETH_TYPE
may be either
.BR ipv4 ", " ipv6
or an unsigned 16bit value in hexadecimal format.
.TP
.BI mpls_label " LABEL"
Match the label id in the outermost MPLS label stack entry.
.I LABEL
is an unsigned 20 bit value in decimal format.
.TP
.BI mpls_tc " TC"
Match on the MPLS TC field, which is typically used for packet priority,
in the outermost MPLS label stack entry.
.I TC
is an unsigned 3 bit value in decimal format.
.TP
.BI mpls_bos " BOS"
Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack
entry.
.I BOS
is a 1 bit value in decimal format.
.TP
.BI mpls_ttl " TTL"
Match on the MPLS Time To Live field in the outermost MPLS label stack
entry.
.I TTL
is an unsigned 8 bit value in decimal format.
.TP
.BI ip_proto " IP_PROTO"
Match on layer four protocol.
.I IP_PROTO
may be
.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
or an unsigned 8bit value in hexadecimal format.
.TP
.BI ip_tos " MASKED_IP_TOS"
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.TP
.BI ip_ttl " MASKED_IP_TTL"
Match on ipv4 TTL or ipv6 hop-limit - eight bits value in decimal or hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. Same
logic is used for the mask as with matching on ip_tos.
.TP
.BI dst_ip " PREFIX"
.TQ
.BI src_ip " PREFIX"
Match on source or destination IP address.
.I PREFIX
must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
option to tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, \fBtc\fR assumes a full-length host match.
.TP
.IR \fBdst_port " { " MASKED_NUMBER " | " " MIN_VALUE-MAX_VALUE " }
.TQ
.IR \fBsrc_port " { " MASKED_NUMBER " | " " MIN_VALUE-MAX_VALUE " }
Match on layer 4 protocol source or destination port number, with an
optional mask. Alternatively, the mininum and maximum values can be
specified to match on a range of layer 4 protocol source or destination
port numbers. Only available for
.BR ip_proto " values " udp ", " tcp " and " sctp
which have to be specified in beforehand.
.TP
.BI tcp_flags " MASKED_TCP_FLAGS"
Match on TCP flags represented as 12bit bitfield in in hexadecimal format.
A mask may be optionally provided to limit the bits which are matched. A mask
is provided by following the value with a slash and then the mask. If the mask
is missing then a match on all bits is assumed.
.TP
.BI type " MASKED_TYPE"
.TQ
.BI code " MASKED_CODE"
Match on ICMP type or code. A mask may be optionally provided to limit the
bits of the address which are matched. A mask is provided by following the
address with a slash and then the mask. The mask must be as a number which
represents a bitwise mask If the mask is missing then a match on all bits
is assumed. Only available for
.BR ip_proto " values " icmp " and " icmpv6
which have to be specified in beforehand.
.TP
.BI arp_tip " IPV4_PREFIX"
.TQ
.BI arp_sip " IPV4_PREFIX"
Match on ARP or RARP sender or target IP address.
.I IPV4_PREFIX
must be a valid IPv4 address optionally followed by a slash and the prefix
length. If the prefix is missing, \fBtc\fR assumes a full-length host
match.
.TP
.BI arp_op " ARP_OP"
Match on ARP or RARP operation.
.I ARP_OP
may be
.BR request ", " reply
or an integer value 0, 1 or 2. A mask may be optionally provided to limit
the bits of the operation which are matched. A mask is provided by
following the address with a slash and then the mask. It may be provided as
an unsigned 8 bit value representing a bitwise mask. If the mask is missing
then a match on all bits is assumed.
.TP
.BI arp_sha " MASKED_LLADDR"
.TQ
.BI arp_tha " MASKED_LLADDR"
Match on ARP or RARP sender or target MAC address. A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
.TP
.BI enc_key_id " NUMBER"
.TQ
.BI enc_dst_ip " PREFIX"
.TQ
.BI enc_src_ip " PREFIX"
.TQ
.BI enc_dst_port " NUMBER"
.TQ
.BI enc_tos " NUMBER"
.TQ
.BI enc_ttl " NUMBER"
.TQ
.BR
.TP
.BI ct_state " CT_STATE"
.TQ
.BI ct_zone " CT_MASKED_ZONE"
.TQ
.BI ct_mark " CT_MASKED_MARK"
.TQ
.BI ct_label " CT_MASKED_LABEL"
Matches on connection tracking info
.RS
.TP
.I CT_STATE
Match the connection state, and can ne combination of [{+|-}flag] flags, where flag can be one of
.RS
.TP
trk - Tracked connection.
.TP
new - New connection.
.TP
est - Established connection.
.TP
Example: +trk+est
.RE
.TP
.I CT_MASKED_ZONE
Match the connection zone, and can be masked.
.TP
.I CT_MASKED_MARK
32bit match on the connection mark, and can be masked.
.TP
.I CT_MASKED_LABEL
128bit match on the connection label, and can be masked.
.RE
.TP
.BI geneve_opts " OPTIONS"
.TQ
.BI vxlan_opts " OPTIONS"
.TQ
.BI erspan_opts " OPTIONS"
Match on IP tunnel metadata. Key id
.I NUMBER
is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
.I PREFIX
must be a valid IPv4 or IPv6 address optionally followed by a slash and the
prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
host match. Dst port
.I NUMBER
is a 16 bit UDP dst port. Tos
.I NUMBER
is an 8 bit tos (dscp+ecn) value, ttl
.I NUMBER
is an 8 bit time-to-live value. geneve_opts
.I OPTIONS
must be a valid list of comma-separated geneve options where each option
consists of a key optionally followed by a slash and corresponding mask. If
the masks is missing, \fBtc\fR assumes a full-length match. The options can
be described in the form CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK,
where CLASS is represented as a 16bit hexadecimal value, TYPE as an 8bit
hexadecimal value and DATA as a variable length hexadecimal value.
vxlan_opts
.I OPTIONS
doesn't support multiple options, and it consists of a key followed by a slash
and corresponding mask. If the mask is missing, \fBtc\fR assumes a full-length
match. The option can be described in the form GBP/GBP_MASK, where GBP is
represented as a 32bit number.
erspan_opts
.I OPTIONS
doesn't support multiple options, and it consists of a key followed by a slash
and corresponding mask. If the mask is missing, \fBtc\fR assumes a full-length
match. The option can be described in the form
VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK, where VERSION is
represented as a 8bit number, INDEX as an 32bit number, DIR and HWID as a 8bit
number. Multiple options is not supported. Note INDEX/INDEX_MASK is used when
VERSION is 1, and DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION is 2.
.TP
.BI ip_flags " IP_FLAGS"
.I IP_FLAGS
may be either
.BR frag ", " nofrag ", " firstfrag " or " nofirstfrag
where frag and nofrag could be used to match on fragmented packets or not,
respectively. firstfrag and nofirstfrag can be used to further distinguish
fragmented packet. firstfrag can be used to indicate the first fragmented
packet. nofirstfrag can be used to indicates subsequent fragmented packets
or non-fragmented packets.
.SH NOTES
As stated above where applicable, matches of a certain layer implicitly depend
on the matches of the next lower layer. Precisely, layer one and two matches
(\fBindev\fR, \fBdst_mac\fR and \fBsrc_mac\fR)
have no dependency,
MPLS and layer three matches
(\fBmpls_label\fR, \fBmpls_tc\fR, \fBmpls_bos\fR, \fBmpls_ttl\fR,
\fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR,
\fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR)
depend on the
.B protocol
option of tc filter, layer four port matches
(\fBdst_port\fR and \fBsrc_port\fR)
depend on
.B ip_proto
being set to
.BR tcp ", " udp " or " sctp,
and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
.B ip_proto
being set to
.BR icmp " or " icmpv6.
.P
There can be only used one mask per one prio. If user needs to specify different
mask, he has to use different prio.
.SH SEE ALSO
.BR tc (8),
.BR tc-flow (8)
Reference in New Issue View Git Blame Copy Permalink