mirror of
https://git.proxmox.com/git/mirror_iproute2
synced 2025-10-23 23:40:54 +00:00

Added support for filtering based on port ranges. UAPI changes have been accepted into net-next. Example: 1. Match on a port range: ------------------------- $ tc filter add dev enp4s0 protocol ip parent ffff:\ prio 1 flower ip_proto tcp dst_port 20-30 skip_hw\ action drop $ tc -s filter show dev enp4s0 parent ffff: filter protocol ip pref 1 flower chain 0 filter protocol ip pref 1 flower chain 0 handle 0x1 eth_type ipv4 ip_proto tcp dst_port 20-30 skip_hw not_in_hw action order 1: gact action drop random type none pass val 0 index 1 ref 1 bind 1 installed 85 sec used 3 sec Action statistics: Sent 460 bytes 10 pkt (dropped 10, overlimits 0 requeues 0) backlog 0b 0p requeues 0 2. Match on IP address and port range: -------------------------------------- $ tc filter add dev enp4s0 protocol ip parent ffff:\ prio 1 flower dst_ip 192.168.1.1 ip_proto tcp dst_port 100-200\ skip_hw action drop $ tc -s filter show dev enp4s0 parent ffff: filter protocol ip pref 1 flower chain 0 handle 0x2 eth_type ipv4 ip_proto tcp dst_ip 192.168.1.1 dst_port 100-200 skip_hw not_in_hw action order 1: gact action drop random type none pass val 0 index 2 ref 1 bind 1 installed 58 sec used 2 sec Action statistics: Sent 920 bytes 20 pkt (dropped 20, overlimits 0 requeues 0) backlog 0b 0p requeues 0 v6: Modified to change json output format as object for sport/dport. "dst_port":{ "start":2000, "end":6000 }, "src_port":{ "start":50, "end":60 } v5: Simplified some code and used 'sscanf' for parsing. Removed space in output format. v4: Added man updates explaining filtering based on port ranges. Removed 'range' keyword. v3: Modified flower_port_range_attr_type calls. v2: Addressed Jiri's comment to sync output format with input Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com> Signed-off-by: David Ahern <dsahern@gmail.com>
350 lines
10 KiB
Groff
350 lines
10 KiB
Groff
.TH "Flower filter in tc" 8 "22 Oct 2015" "iproute2" "Linux"
|
|
|
|
.SH NAME
|
|
flower \- flow based traffic control filter
|
|
.SH SYNOPSIS
|
|
.in +8
|
|
.ti -8
|
|
.BR tc " " filter " ... " flower " [ "
|
|
.IR MATCH_LIST " ] [ "
|
|
.B action
|
|
.IR ACTION_SPEC " ] [ "
|
|
.B classid
|
|
.IR CLASSID " ] [ "
|
|
.B hw_tc
|
|
.IR TCID " ]"
|
|
|
|
|
|
.ti -8
|
|
.IR MATCH_LIST " := [ " MATCH_LIST " ] " MATCH
|
|
|
|
.ti -8
|
|
.IR MATCH " := { "
|
|
.B indev
|
|
.IR ifname " | "
|
|
.BR verbose
|
|
.RI " | "
|
|
.BR skip_sw " | " skip_hw
|
|
.RI " | { "
|
|
.BR dst_mac " | " src_mac " } "
|
|
.IR MASKED_LLADDR " | "
|
|
.B vlan_id
|
|
.IR VID " | "
|
|
.B vlan_prio
|
|
.IR PRIORITY " | "
|
|
.BR vlan_ethtype " { " ipv4 " | " ipv6 " | "
|
|
.IR ETH_TYPE " } | "
|
|
.B cvlan_id
|
|
.IR VID " | "
|
|
.B cvlan_prio
|
|
.IR PRIORITY " | "
|
|
.BR cvlan_ethtype " { " ipv4 " | " ipv6 " | "
|
|
.IR ETH_TYPE " } | "
|
|
.B mpls_label
|
|
.IR LABEL " | "
|
|
.B mpls_tc
|
|
.IR TC " | "
|
|
.B mpls_bos
|
|
.IR BOS " | "
|
|
.B mpls_ttl
|
|
.IR TTL " | "
|
|
.BR ip_proto " { " tcp " | " udp " | " sctp " | " icmp " | " icmpv6 " | "
|
|
.IR IP_PROTO " } | "
|
|
.B ip_tos
|
|
.IR MASKED_IP_TOS " | "
|
|
.B ip_ttl
|
|
.IR MASKED_IP_TTL " | { "
|
|
.BR dst_ip " | " src_ip " } "
|
|
.IR PREFIX " | { "
|
|
.BR dst_port " | " src_port " } { "
|
|
.IR port_number " | "
|
|
.IR min_port_number-max_port_number " } | "
|
|
.B tcp_flags
|
|
.IR MASKED_TCP_FLAGS " | "
|
|
.B type
|
|
.IR MASKED_TYPE " | "
|
|
.B code
|
|
.IR MASKED_CODE " | { "
|
|
.BR arp_tip " | " arp_sip " } "
|
|
.IR IPV4_PREFIX " | "
|
|
.BR arp_op " { " request " | " reply " | "
|
|
.IR OP " } | { "
|
|
.BR arp_tha " | " arp_sha " } "
|
|
.IR MASKED_LLADDR " | "
|
|
.B enc_key_id
|
|
.IR KEY-ID " | {"
|
|
.BR enc_dst_ip " | " enc_src_ip " } { "
|
|
.IR ipv4_address " | " ipv6_address " } | "
|
|
.B enc_dst_port
|
|
.IR port_number " | "
|
|
.B enc_tos
|
|
.IR TOS " | "
|
|
.B enc_ttl
|
|
.IR TTL " | "
|
|
.B geneve_opts
|
|
.IR OPTIONS " | "
|
|
.BR ip_flags
|
|
.IR IP_FLAGS
|
|
.SH DESCRIPTION
|
|
The
|
|
.B flower
|
|
filter matches flows to the set of keys specified and assigns an arbitrarily
|
|
chosen class ID to packets belonging to them. Additionally (or alternatively) an
|
|
action from the generic action framework may be called.
|
|
.SH OPTIONS
|
|
.TP
|
|
.BI action " ACTION_SPEC"
|
|
Apply an action from the generic actions framework on matching packets.
|
|
.TP
|
|
.BI classid " CLASSID"
|
|
Specify a class to pass matching packets on to.
|
|
.I CLASSID
|
|
is in the form
|
|
.BR X : Y ", while " X " and " Y
|
|
are interpreted as numbers in hexadecimal format.
|
|
.TP
|
|
.BI hw_tc " TCID"
|
|
Specify a hardware traffic class to pass matching packets on to. TCID is in the
|
|
range 0 through 15.
|
|
.TP
|
|
.BI indev " ifname"
|
|
Match on incoming interface name. Obviously this makes sense only for forwarded
|
|
flows.
|
|
.I ifname
|
|
is the name of an interface which must exist at the time of
|
|
.B tc
|
|
invocation.
|
|
.TP
|
|
.BI verbose
|
|
Enable verbose logging, including offloading errors when not using
|
|
.B skip_sw
|
|
flag.
|
|
.TP
|
|
.BI skip_sw
|
|
Do not process filter by software. If hardware has no offload support for this
|
|
filter, or TC offload is not enabled for the interface, operation will fail.
|
|
.TP
|
|
.BI skip_hw
|
|
Do not process filter by hardware.
|
|
.TP
|
|
.BI dst_mac " MASKED_LLADDR"
|
|
.TQ
|
|
.BI src_mac " MASKED_LLADDR"
|
|
Match on source or destination MAC address. A mask may be optionally
|
|
provided to limit the bits of the address which are matched. A mask is
|
|
provided by following the address with a slash and then the mask. It may be
|
|
provided in LLADDR format, in which case it is a bitwise mask, or as a
|
|
number of high bits to match. If the mask is missing then a match on all
|
|
bits is assumed.
|
|
.TP
|
|
.BI vlan_id " VID"
|
|
Match on vlan tag id.
|
|
.I VID
|
|
is an unsigned 12bit value in decimal format.
|
|
.TP
|
|
.BI vlan_prio " PRIORITY"
|
|
Match on vlan tag priority.
|
|
.I PRIORITY
|
|
is an unsigned 3bit value in decimal format.
|
|
.TP
|
|
.BI vlan_ethtype " VLAN_ETH_TYPE"
|
|
Match on layer three protocol.
|
|
.I VLAN_ETH_TYPE
|
|
may be either
|
|
.BR ipv4 ", " ipv6
|
|
or an unsigned 16bit value in hexadecimal format. To match on QinQ packet, it must be 802.1Q or 802.1AD.
|
|
.TP
|
|
.BI cvlan_id " VID"
|
|
Match on QinQ inner vlan tag id.
|
|
.I VID
|
|
is an unsigned 12bit value in decimal format.
|
|
.TP
|
|
.BI cvlan_prio " PRIORITY"
|
|
Match on QinQ inner vlan tag priority.
|
|
.I PRIORITY
|
|
is an unsigned 3bit value in decimal format.
|
|
.TP
|
|
.BI cvlan_ethtype " VLAN_ETH_TYPE"
|
|
Match on QinQ layer three protocol.
|
|
.I VLAN_ETH_TYPE
|
|
may be either
|
|
.BR ipv4 ", " ipv6
|
|
or an unsigned 16bit value in hexadecimal format.
|
|
.TP
|
|
.BI mpls_label " LABEL"
|
|
Match the label id in the outermost MPLS label stack entry.
|
|
.I LABEL
|
|
is an unsigned 20 bit value in decimal format.
|
|
.TP
|
|
.BI mpls_tc " TC"
|
|
Match on the MPLS TC field, which is typically used for packet priority,
|
|
in the outermost MPLS label stack entry.
|
|
.I TC
|
|
is an unsigned 3 bit value in decimal format.
|
|
.TP
|
|
.BI mpls_bos " BOS"
|
|
Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack
|
|
entry.
|
|
.I BOS
|
|
is a 1 bit value in decimal format.
|
|
.TP
|
|
.BI mpls_ttl " TTL"
|
|
Match on the MPLS Time To Live field in the outermost MPLS label stack
|
|
entry.
|
|
.I TTL
|
|
is an unsigned 8 bit value in decimal format.
|
|
.TP
|
|
.BI ip_proto " IP_PROTO"
|
|
Match on layer four protocol.
|
|
.I IP_PROTO
|
|
may be
|
|
.BR tcp ", " udp ", " sctp ", " icmp ", " icmpv6
|
|
or an unsigned 8bit value in hexadecimal format.
|
|
.TP
|
|
.BI ip_tos " MASKED_IP_TOS"
|
|
Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format.
|
|
A mask may be optionally provided to limit the bits which are matched. A mask
|
|
is provided by following the value with a slash and then the mask. If the mask
|
|
is missing then a match on all bits is assumed.
|
|
.TP
|
|
.BI ip_ttl " MASKED_IP_TTL"
|
|
Match on ipv4 TTL or ipv6 hop-limit - eight bits value in decimal or hexadecimal format.
|
|
A mask may be optionally provided to limit the bits which are matched. Same
|
|
logic is used for the mask as with matching on ip_tos.
|
|
.TP
|
|
.BI dst_ip " PREFIX"
|
|
.TQ
|
|
.BI src_ip " PREFIX"
|
|
Match on source or destination IP address.
|
|
.I PREFIX
|
|
must be a valid IPv4 or IPv6 address, depending on the \fBprotocol\fR
|
|
option to tc filter, optionally followed by a slash and the prefix length.
|
|
If the prefix is missing, \fBtc\fR assumes a full-length host match.
|
|
.TP
|
|
.IR \fBdst_port " { " NUMBER " | " " MIN_VALUE-MAX_VALUE " }
|
|
.TQ
|
|
.IR \fBsrc_port " { " NUMBER " | " " MIN_VALUE-MAX_VALUE " }
|
|
Match on layer 4 protocol source or destination port number. Alternatively, the
|
|
mininum and maximum values can be specified to match on a range of layer 4
|
|
protocol source or destination port numbers. Only available for
|
|
.BR ip_proto " values " udp ", " tcp " and " sctp
|
|
which have to be specified in beforehand.
|
|
.TP
|
|
.BI tcp_flags " MASKED_TCP_FLAGS"
|
|
Match on TCP flags represented as 12bit bitfield in in hexadecimal format.
|
|
A mask may be optionally provided to limit the bits which are matched. A mask
|
|
is provided by following the value with a slash and then the mask. If the mask
|
|
is missing then a match on all bits is assumed.
|
|
.TP
|
|
.BI type " MASKED_TYPE"
|
|
.TQ
|
|
.BI code " MASKED_CODE"
|
|
Match on ICMP type or code. A mask may be optionally provided to limit the
|
|
bits of the address which are matched. A mask is provided by following the
|
|
address with a slash and then the mask. The mask must be as a number which
|
|
represents a bitwise mask If the mask is missing then a match on all bits
|
|
is assumed. Only available for
|
|
.BR ip_proto " values " icmp " and " icmpv6
|
|
which have to be specified in beforehand.
|
|
.TP
|
|
.BI arp_tip " IPV4_PREFIX"
|
|
.TQ
|
|
.BI arp_sip " IPV4_PREFIX"
|
|
Match on ARP or RARP sender or target IP address.
|
|
.I IPV4_PREFIX
|
|
must be a valid IPv4 address optionally followed by a slash and the prefix
|
|
length. If the prefix is missing, \fBtc\fR assumes a full-length host
|
|
match.
|
|
.TP
|
|
.BI arp_op " ARP_OP"
|
|
Match on ARP or RARP operation.
|
|
.I ARP_OP
|
|
may be
|
|
.BR request ", " reply
|
|
or an integer value 0, 1 or 2. A mask may be optionally provided to limit
|
|
the bits of the operation which are matched. A mask is provided by
|
|
following the address with a slash and then the mask. It may be provided as
|
|
an unsigned 8 bit value representing a bitwise mask. If the mask is missing
|
|
then a match on all bits is assumed.
|
|
.TP
|
|
.BI arp_sha " MASKED_LLADDR"
|
|
.TQ
|
|
.BI arp_tha " MASKED_LLADDR"
|
|
Match on ARP or RARP sender or target MAC address. A mask may be optionally
|
|
provided to limit the bits of the address which are matched. A mask is
|
|
provided by following the address with a slash and then the mask. It may be
|
|
provided in LLADDR format, in which case it is a bitwise mask, or as a
|
|
number of high bits to match. If the mask is missing then a match on all
|
|
bits is assumed.
|
|
.TP
|
|
.BI enc_key_id " NUMBER"
|
|
.TQ
|
|
.BI enc_dst_ip " PREFIX"
|
|
.TQ
|
|
.BI enc_src_ip " PREFIX"
|
|
.TQ
|
|
.BI enc_dst_port " NUMBER"
|
|
.TQ
|
|
.BI enc_tos " NUMBER"
|
|
.TQ
|
|
.BI enc_ttl " NUMBER"
|
|
.TQ
|
|
.BI geneve_opts " OPTIONS"
|
|
Match on IP tunnel metadata. Key id
|
|
.I NUMBER
|
|
is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
|
|
.I PREFIX
|
|
must be a valid IPv4 or IPv6 address optionally followed by a slash and the
|
|
prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
|
|
host match. Dst port
|
|
.I NUMBER
|
|
is a 16 bit UDP dst port. Tos
|
|
.I NUMBER
|
|
is an 8 bit tos (dscp+ecn) value, ttl
|
|
.I NUMBER
|
|
is an 8 bit time-to-live value. geneve_opts
|
|
.I OPTIONS
|
|
must be a valid list of comma-separated geneve options where each option
|
|
consists of a key optionally followed by a slash and corresponding mask. If
|
|
the masks is missing, \fBtc\fR assumes a full-length match. The options can
|
|
be described in the form CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK,
|
|
where CLASS is represented as a 16bit hexadecimal value, TYPE as an 8bit
|
|
hexadecimal value and DATA as a variable length hexadecimal value.
|
|
.TP
|
|
.BI ip_flags " IP_FLAGS"
|
|
.I IP_FLAGS
|
|
may be either
|
|
.BR frag ", " nofrag ", " firstfrag " or " nofirstfrag
|
|
where frag and nofrag could be used to match on fragmented packets or not,
|
|
respectively. firstfrag and nofirstfrag can be used to further distinguish
|
|
fragmented packet. firstfrag can be used to indicate the first fragmented
|
|
packet. nofirstfrag can be used to indicates subsequent fragmented packets
|
|
or non-fragmented packets.
|
|
.SH NOTES
|
|
As stated above where applicable, matches of a certain layer implicitly depend
|
|
on the matches of the next lower layer. Precisely, layer one and two matches
|
|
(\fBindev\fR, \fBdst_mac\fR and \fBsrc_mac\fR)
|
|
have no dependency,
|
|
MPLS and layer three matches
|
|
(\fBmpls_label\fR, \fBmpls_tc\fR, \fBmpls_bos\fR, \fBmpls_ttl\fR,
|
|
\fBip_proto\fR, \fBdst_ip\fR, \fBsrc_ip\fR, \fBarp_tip\fR, \fBarp_sip\fR,
|
|
\fBarp_op\fR, \fBarp_tha\fR, \fBarp_sha\fR and \fBip_flags\fR)
|
|
depend on the
|
|
.B protocol
|
|
option of tc filter, layer four port matches
|
|
(\fBdst_port\fR and \fBsrc_port\fR)
|
|
depend on
|
|
.B ip_proto
|
|
being set to
|
|
.BR tcp ", " udp " or " sctp,
|
|
and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
|
|
.B ip_proto
|
|
being set to
|
|
.BR icmp " or " icmpv6.
|
|
.P
|
|
There can be only used one mask per one prio. If user needs to specify different
|
|
mask, he has to use different prio.
|
|
.SH SEE ALSO
|
|
.BR tc (8),
|
|
.BR tc-flow (8)
|