proxmox-mirrors/mirror_iproute2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_iproute2 synced 2025-10-05 16:49:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c2078f8dc4
mirror_iproute2/man/man8/tc-flower.8
Simon Horman c2078f8dc4 tc: flower: Allow *_mac options to accept a mask 
* The argument to src_mac and dst_mac may now take an optional mask
  to limit the scope of matching.
* This address is is documented as a LLADDR in keeping with ip-link(8).
* The formats accepted match those already output when dumping flower
  filters from the kernel.

Example of use of LLADDR with and without a mask:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 protocol ip parent ffff: flower indev eth0 \
	src_mac 52:54:01:00:00:00/ff:ff:00:00:00:01 action drop
tc filter add dev eth0 protocol ip parent ffff: flower indev eth0 \
	src_mac 52:54:00:00:00:00/23 action drop
tc filter add dev eth0 protocol ip parent ffff: flower indev eth0 \
	src_mac 52:54:00:00:00:00 action drop

Signed-off-by: Simon Horman <simon.horman@netronome.com>
2016-12-21 16:07:53 -08:00

172 lines
4.7 KiB
Groff
Raw Blame History

.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
.SH NAME
flower \- flow based traffic control filter
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " " filter " ... " flower " [ "
.IR MATCH_LIST " ] [ "
.B action
.IR ACTION_SPEC " ] [ "
.B classid
.IR CLASSID " ]"
.ti -8
.IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH
.ti -8
.IR MATCH " := { "
.B indev
.IR ifname " | "
.BR skip_sw " | " skip_hw
.R " | { "
.BR dst_mac " | " src_mac " } "
.IR MASKED_LLADDR " | "
.B vlan_id
.IR VID " | "
.B vlan_prio
.IR PRIORITY " | "
.BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
.IR ETH_TYPE " } | "
.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
.IR IP_PROTO " } | { "
.BR dst_ip " | " src_ip " } "
.IR PREFIX " | { "
.BR dst_port " | " src_port " } "
.IR port_number " } | "
.B enc_key_id
.IR KEY-ID " | {"
.BR enc_dst_ip " | " enc_src_ip " } { "
.IR ipv4_address " | " ipv6_address " } | "
.B enc_dst_port
.IR UDP-PORT " | "
.SH DESCRIPTION
The
.B flower
filter matches flows to the set of keys specified and assigns an arbitrarily
chosen class ID to packets belonging to them. Additionally (or alternatively) an
action from the generic action framework may be called.
.SH OPTIONS
.TP
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.TP
.BI classid " CLASSID"
Specify a class to pass matching packets on to.
.I CLASSID
is in the form
.BR X : Y ", while " X " and " Y
are interpreted as numbers in hexadecimal format.
.TP
.BI indev " ifname"
Match on incoming interface name. Obviously this makes sense only for forwarded
flows.
.I ifname
is the name of an interface which must exist at the time of
.B tc
invocation.
.TP
.BI skip_sw
Do not process filter by software. If hardware has no offload support for this
filter, or TC offload is not enabled for the interface, operation will fail.
.TP
.BI skip_hw
Do not process filter by hardware.
.TP
.BI dst_mac " MASKED_LLADDR"
.TQ
.BI src_mac " MASKED_LLADDR"
Match on source or destination MAC address. A mask may be optionally
provided to limit the bits of the address which are matched. A mask is
provided by following the address with a slash and then the mask. It may be
provided in LLADDR format, in which case it is a bitwise mask, or as a
number of high bits to match. If the mask is missing then a match on all
bits is assumed.
.TP
.BI vlan_id " VID"
Match on vlan tag id.
.I VID
is an unsigned 12bit value in decimal format.
.TP
.BI vlan_prio " PRIORITY"
Match on vlan tag priority.
.I PRIORITY
is an unsigned 3bit value in decimal format.
.TP
.BI vlan_ethtype " VLAN_ETH_TYPE"
Match on layer three protocol.
.I VLAN_ETH_TYPE
may be either
.BR ipv4 ", " ipv6
or an unsigned 16bit value in hexadecimal format.
.TP
.BI ip_proto " IP_PROTO"
Match on layer four protocol.
.I IP_PROTO
may be
.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
or an unsigned 8bit value in hexadecimal format.
.TP
.BI dst_ip " PREFIX"
.TQ
.BI src_ip " PREFIX"
Match on source or destination IP address.
.I PREFIX
must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
option to tc filter, optionally followed by a slash and the prefix length.
If the prefix is missing, \fBtc\fR assumes a full-length host match.
.TP
.BI dst_port " NUMBER"
.TQ
.BI src_port " NUMBER"
Match on layer 4 protocol source or destination port number. Only available for
.BR ip_proto " values " udp ", " tcp " and " sctp
which have to be specified in beforehand.
.TP
.BI type " NUMBER"
.TQ
.BI code " NUMBER"
Match on ICMP type or code. Only available for
.BR ip_proto " values " icmp " and " icmpv6
which have to be specified in beforehand.
.TP
.BI enc_key_id " NUMBER"
.TQ
.BI enc_dst_ip " PREFIX"
.TQ
.BI enc_src_ip " PREFIX"
Match on IP tunnel metadata. Key id
.I NUMBER
is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
.I PREFIX
must be a valid IPv4 or IPv6 address optionally followed by a slash and the
prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
host match. Dst port
.I NUMBER
is a 16 bit UDP dst port.
.SH NOTES
As stated above where applicable, matches of a certain layer implicitly depend
on the matches of the next lower layer. Precisely, layer one and two matches
(\fBindev\fR, \fBdst_mac\fR and \fBsrc_mac\fR)
have no dependency, layer three matches
(\fBip_proto\fR, \fBdst_ip\fR and \fBsrc_ip\fR)
depend on the
.B protocol
option of tc filter, layer four port matches
(\fBdst_port\fR and \fBsrc_port\fR)
depend on
.B ip_proto
being set to
.BR tcp ", " udp " or " sctp,
and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
.B ip_proto
being set to
.BR icmp " or " icmpv6.
.P
There can be only used one mask per one prio. If user needs to specify different
mask, he has to use different prio.
.SH SEE ALSO
.BR tc (8),
.BR tc-flow (8)
Reference in New Issue View Git Blame Copy Permalink