mirror_iproute2/man/man8/tc-flow.8

.TH "Flow filter in tc" 8 "20 Oct 2015" "iproute2" "Linux"

.SH NAME
flow \- flow based traffic control filter
.SH SYNOPSIS
.TP
Mapping mode:

.RS
.in +8
.ti -8
.BR tc " " filter " ... " "flow map key "
.IR KEY " [ " OPS " ] [ " OPTIONS " ] "
.RE
.TP
Hashing mode:

.RS
.in +8
.ti -8
.BR tc " " filter " ... " "flow hash keys "
.IR KEY_LIST " [ "
.B perturb
.IR secs " ] [ " OPTIONS " ] "
.RE

.in +8
.ti -8
.IR OPS " := [ " OPS " ] " OP

.ti -8
.IR OPTIONS " := [ "
.B divisor
.IR NUM " ] [ "
.B baseclass
.IR ID " ] [ "
.B match
.IR EMATCH_TREE " ] [ "
.B action
.IR ACTION_SPEC " ]"

.ti -8
.IR KEY_LIST " := [ " KEY_LIST " ] " KEY

.ti -8
.IR OP " := { "
.BR or " | " and " | " xor " | " rshift " | " addend " } "
.I NUM

.ti -8
.IR ID " := " X : Y

.ti -8
.IR KEY " := { "
.BR src " | " dst " | " proto " | " proto-src " | " proto-dst " | " iif " | "
.BR priority " | " mark " | " nfct " | " nfct-src " | " nfct-dst " | "
.BR nfct-proto-src " | " nfct-proto-dst " | " rt-classid " | " sk-uid " | "
.BR sk-gid " | " vlan-tag " | " rxhash " }"
.SH DESCRIPTION
The
.B flow
classifier is meant to extend the
.B SFQ
hashing capabilities without hard-coding new hash functions. It also allows
deterministic mappings of keys to classes.
.SH OPTIONS
.TP
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.TP
.BI baseclass " ID"
An offset for the resulting class ID.
.I ID
may be
.BR root ", " none
or a hexadecimal class ID in the form [\fIX\fB:\fR]\fIY\fR. \fIX\fR must
match qdisc's/class's major handle (if omitted, the correct value is chosen
automatically). If the whole \fBbaseclass\fR is omitted, \fIY\fR defaults
to 1.
.TP
.BI divisor " NUM"
Number of buckets to use for sorting into. Keys are calculated modulo
.IR NUM .
.TP
.BI "hash keys " KEY-LIST
Perform a
.B jhash2
operation over the keys in
.IR KEY-LIST ,
the result (modulo the
.B divisor
if given) is taken as class ID, optionally offset by the value of
.BR baseclass .
It is possible to specify an interval (in seconds) after which
.BR jhash2 's
entropy source is recreated using the
.B perturb
parameter.
.TP
.BI "map key " KEY
Packet data identified by
.I KEY
is translated into class IDs to push the packet into. The value may be mangled by
.I OPS
before using it for the mapping. They are applied in the order listed here:
.RS
.TP 4
.BI and " NUM"
Perform bitwise
.B AND
operation with numeric value
.IR NUM .
.TP
.BI or " NUM"
Perform bitwise
.B OR
operation with numeric value
.IR NUM .
.TP
.BI xor " NUM"
Perform bitwise
.B XOR
operation with numeric value
.IR NUM .
.TP
.BI rshift " NUM"
Shift the value of
.I KEY
to the right by
.I NUM
bits.
.TP
.BI addend " NUM"
Add
.I NUM
to the value of
.IR KEY .

.RE
.RS
For the
.BR or ", " and ", " xor " and " rshift
operations,
.I NUM
is assumed to be an unsigned, 32bit integer value. For the
.B addend
operation,
.I NUM
may be much more complex: It may be prefixed by a minus ('-') sign to cause
subtraction instead of addition and for keys of
.BR src ", " dst ", " nfct-src " and " nfct-dst
it may be given in IP address notation. See below for an illustrating example.
.RE
.TP
.BI match " EMATCH_TREE"
Match packets using the extended match infrastructure. See
.BR tc-ematch (8)
for a detailed description of the allowed syntax in
.IR EMATCH_TREE .
.SH KEYS
In mapping mode, a single key is used (after optional permutation) to build a
class ID. The resulting ID is deducible in most cases. In hashing more, a number
of keys may be specified which are then hashed and the output used as class ID.
This ID is not deducible in beforehand, and may even change over time for a
given flow if a
.B perturb
interval has been given.

The range of class IDs can be limited by the
.B divisor
option, which is used for a modulus.
.TP
.BR src ", " dst
Use source or destination address as key. In case of IPv4 and TIPC, this is the
actual address value. For IPv6, the 128bit address is folded into a 32bit value
by XOR'ing the four 32bit words. In all other cases, the kernel-internal socket
address is used (after folding into 32bits on 64bit systems).
.TP
.B proto
Use the layer four protocol number as key.
.TP
.B proto-src
Use the layer four source port as key. If not available, the kernel-internal
socket address is used instead.
.TP
.B proto-dst
Use the layer four destination port as key. If not available, the associated
kernel-internal dst_entry address is used after XOR'ing with the packet's
layer three protocol number.
.TP
.B iif
Use the incoming interface index as key.
.TP
.B priority
Use the packet's priority as key. Usually this is the IP header's DSCP/ECN
value.
.TP
.B mark
Use the netfilter
.B fwmark
as key.
.TP
.B nfct
Use the associated conntrack entry address as key.
.TP
.BR nfct-src ", " nfct-dst ", " nfct-proto-src ", " nfct-proto-dst
These are conntrack-aware variants of
.BR src ", " dst ", " proto-src " and " proto-dst .
In case of NAT, these are basically the packet header's values before NAT was
applied.
.TP
.B rt-classid
Use the packet's destination routing table entry's realm as key.
.TP
.B sk-uid
.TQ
.B sk-gid
For locally generated packets, use the user or group ID the originating socket
belongs to as key.
.TP
.B vlan-tag
Use the packet's vlan ID as key.
.TP
.B rxhash
Use the flow hash as key.

.SH EXAMPLES
.TP
Classic SFQ hash:

.EX
tc filter add ... flow hash \\
	keys src,dst,proto,proto-src,proto-dst divisor 1024
.EE
.TP
Classic SFQ hash, but using information from conntrack to work properly in combination with NAT:

.EX
tc filter add ... flow hash \\
	keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst \\
	divisor 1024
.EE
.TP
Map destination IPs of 192.168.0.0/24 to classids 1-256:

.EX
tc filter add ... flow map \\
	key dst addend -192.168.0.0 divisor 256
.EE
.TP
Alternative to the above:

.EX
tc filter add ... flow map \\
	key dst and 0xff
.EE
.TP
The same, but in reverse order:

.EX
tc filter add ... flow map \\
	key dst and 0xff xor 0xff
.EE
.SH SEE ALSO
.BR tc (8),
.BR tc-ematch (8),
.BR tc-sfq (8)