# tc-flower(8)

Flower filter in [tc(8)](https://www.chedong.com/phpMan.php/man/tc/8/markdown)                          Linux



## NAME
       flower - flow based traffic control filter

## SYNOPSIS
       **tc** **filter** ... **flower** [ _MATCH_LIST_ ] [ **action** _ACTION_SPEC_ ] [ **classid** _CLASSID_ ] [ **hw_tc** _TCID_ ]

       _MATCH_LIST_ := [ _MATCH_LIST_ ] _MATCH_

       _MATCH_ := { **indev** _ifname_ | **verbose** | **skip_sw** | **skip_hw** | { **dst_mac** | **src_mac** } _MASKED_LLADDR_
               | **vlan_id** _VID_ | **vlan_prio** _PRIORITY_ | **vlan_ethtype** { **ipv4** | **ipv6** | _ETH_TYPE_ } |
               **cvlan_id** _VID_ | **cvlan_prio** _PRIORITY_ | **cvlan_ethtype** { **ipv4** | **ipv6** | _ETH_TYPE_ } | **mpls**
               _LSE_LIST_ | **mpls_label** _LABEL_ | **mpls_tc** _TC_ | **mpls_bos** _BOS_ | **mpls_ttl** _TTL_ | **ip_proto** {
               **tcp** | **udp** | **sctp** | **icmp** | **icmpv6** | _IP_PROTO_ } | **ip_tos** _MASKED_IP_TOS_ | **ip_ttl**
               _MASKED_IP_TTL_ | { **dst_ip** | **src_ip** } _PREFIX_ | { **dst_port** | **src_port** } { _MASKED_NUMBER_
               | _min_port_number-max_port_number_ } | **tcp_flags** _MASKED_TCP_FLAGS_ | **type** _MASKED_TYPE_ |
               **code** _MASKED_CODE_ | { **arp_tip** | **arp_sip** } _IPV4_PREFIX_ | **arp_op** { **request** | **reply** | _OP_
               } | { **arp_tha** | **arp_sha** } _MASKED_LLADDR_ | **enc_key_id** _KEY-ID_ | { **enc_dst_ip** |
               **enc_src_ip** } { _ipv4_address_ | _ipv6_address_ } | **enc_dst_port** _port_number_ | **enc_tos** _TOS_
               | **enc_ttl** _TTL_ | { **geneve_opts** | **vxlan_opts** | **erspan_opts** } _OPTIONS_ | **ip_flags**
               _IP_FLAGS_ }

       _LSE_LIST_ := [ _LSE_LIST_ ] _LSE_

       _LSE_ := **lse** **depth** _DEPTH_ { **label** _LABEL_ | **tc** _TC_ | **bos** _BOS_ | **ttl** _TTL_ }


## DESCRIPTION
       The **flower** filter matches flows to the set of keys specified and assigns an arbitrarily
       chosen class ID to packets belonging to them. Additionally (or alternatively) an action from the
       generic action framework may be called.

## OPTIONS
       **action** _ACTION_SPEC_
              Apply an action from the generic actions framework on matching packets.

       **classid** _CLASSID_
              Specify a class to pass matching packets on to.  _CLASSID_ is in the form **X**:**Y**,  while  **X**
              and **Y** are interpreted as numbers in hexadecimal format.

       **hw_tc** _TCID_
              Specify  a hardware traffic class to pass matching packets on to. TCID is in the range
              0 through 15.

       **indev** _ifname_
              Match on incoming interface name. Obviously this makes sense only for forwarded flows.
              _ifname_ is the name of an interface which must exist at the time of **tc** invocation.

       **verbose**
              Enable verbose logging, including offloading errors when not using the **skip_sw** flag.

       **skip_sw**
              Do not process filter by software. If hardware has no offload support for this filter,
              or TC offload is not enabled for the interface, operation will fail.

       **skip_hw**
              Do not process filter by hardware.

       **dst_mac** _MASKED_LLADDR_
       **src_mac** _MASKED_LLADDR_
              Match on source or destination MAC address. A mask may be optionally provided to
              limit the bits of the address which are matched. A mask is provided by following the
              address with a slash and then the mask. It may be provided in LLADDR format, in which
              case it is a bitwise mask, or as a number of high bits to match. If the mask is
              missing then a match on all bits is assumed.

       **vlan_id** _VID_
              Match on vlan tag id. _VID_ is an unsigned 12bit value in decimal format.

       **vlan_prio** _PRIORITY_
              Match on vlan tag priority. _PRIORITY_ is an unsigned 3bit value in decimal format.

       **vlan_ethtype** _VLAN_ETH_TYPE_
              Match on layer three protocol. _VLAN_ETH_TYPE_ may be either **ipv4**, **ipv6** or an unsigned
              16bit value in hexadecimal format. To match on QinQ packet, it must be 802.1Q or
              802.1AD.

       **cvlan_id** _VID_
              Match on QinQ inner vlan tag id. _VID_ is an unsigned 12bit value in decimal format.

       **cvlan_prio** _PRIORITY_
              Match on QinQ inner vlan tag priority. _PRIORITY_ is an unsigned 3bit value in decimal
              format.

       **cvlan_ethtype** _VLAN_ETH_TYPE_
              Match on QinQ layer three protocol. _VLAN_ETH_TYPE_ may be either **ipv4**, **ipv6** or an
              unsigned 16bit value in hexadecimal format.


       **mpls** _LSE_LIST_
              Match on the MPLS label stack. _LSE_LIST_ is a list of Label Stack Entries, each
              introduced by the **lse** keyword. This option can't be used together with the standalone
              **mpls_label**, **mpls_tc**, **mpls_bos** and **mpls_ttl** options.

              **lse** _LSE_OPTIONS_
                     Match on an MPLS Label Stack Entry. _LSE_OPTIONS_ is a list of options that
                     describe the properties of the LSE to match.

                     **depth** _DEPTH_
                            The depth of the Label Stack Entry to consider. Depth starts at 1 (the
                            outermost Label Stack Entry). The maximum usable depth may be limited by
                            the kernel. This option is mandatory. _DEPTH_ is an unsigned 8 bit value
                            in decimal format.

                     **label** _LABEL_
                            Match on the MPLS Label field at the specified **depth**. _LABEL_ is an
                            unsigned 20 bit value in decimal format.

                     **tc** _TC_
                            Match on the MPLS Traffic Class field at the specified **depth**. _TC_ is an
                            unsigned 3 bit value in decimal format.

                     **bos** _BOS_
                            Match on the MPLS Bottom Of Stack field at the specified **depth**.  _BOS_  is
                            a 1 bit value in decimal format.

                     **ttl** _TTL_
                            Match  on the MPLS Time To Live field at the specified **depth**.  _TTL_ is an
                            unsigned 8 bit value in decimal format.


       **mpls_label** _LABEL_
              Match the label id in the outermost MPLS label stack entry. _LABEL_ is an unsigned 20
              bit value in decimal format.

       **mpls_tc** _TC_
              Match on the MPLS TC field, which is typically used for packet priority, in the
              outermost MPLS label stack entry. _TC_ is an unsigned 3 bit value in decimal format.

       **mpls_bos** _BOS_
              Match on the MPLS Bottom Of Stack field in the outermost MPLS label stack entry. _BOS_
              is a 1 bit value in decimal format.

       **mpls_ttl** _TTL_
              Match on the MPLS Time To Live field in the outermost MPLS label stack entry. _TTL_ is
              an unsigned 8 bit value in decimal format.

       **ip_proto** _IP_PROTO_
              Match on layer four protocol. _IP_PROTO_ may be **tcp**, **udp**, **sctp**, **icmp**, **icmpv6** or an
              unsigned 8bit value in hexadecimal format.

       **ip_tos** _MASKED_IP_TOS_
              Match on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format. A mask
              may be optionally provided to limit the bits which are matched. A mask is provided by
              following the value with a slash and then the mask. If the mask is missing then a
              match on all bits is assumed.

       **ip_ttl** _MASKED_IP_TTL_
              Match on ipv4 TTL or ipv6 hop-limit - eight bits value in decimal or hexadecimal
              format. A mask may be optionally provided to limit the bits which are matched. Same
              logic is used for the mask as with matching on ip_tos.

       **dst_ip** _PREFIX_
       **src_ip** _PREFIX_
              Match on source or destination IP address. _PREFIX_ must be a valid IPv4 or IPv6
              address, depending on the **protocol** option to tc filter, optionally followed by a slash
              and the prefix length. If the prefix is missing, **tc** assumes a full-length host match.

       **dst_port** { _MASKED_NUMBER_ | _MIN_VALUE-MAX_VALUE_ }
       **src_port** { _MASKED_NUMBER_ | _MIN_VALUE-MAX_VALUE_ }
              Match on layer 4 protocol source or destination port number, with an optional mask.
              Alternatively, the minimum and maximum values can be specified to match on a range of
              layer 4 protocol source or destination port numbers. Only available for **ip_proto**
              values **udp**, **tcp** and **sctp**, which have to be specified beforehand.

       **tcp_flags** _MASKED_TCP_FLAGS_
              Match on TCP flags represented as a 12bit bitfield in hexadecimal format. A mask may
              be optionally provided to limit the bits which are matched. A mask is provided by
              following the value with a slash and then the mask. If the mask is missing then a match
              on all bits is assumed.

       **type** _MASKED_TYPE_
       **code** _MASKED_CODE_
              Match on ICMP type or code. A mask may be optionally provided to limit the bits
              which are matched. A mask is provided by following the value with a slash
              and then the mask. The mask must be a number which represents a bitwise mask. If the
              mask is missing then a match on all bits is assumed. Only available for **ip_proto**
              values **icmp** and **icmpv6**, which have to be specified beforehand.

       **arp_tip** _IPV4_PREFIX_
       **arp_sip** _IPV4_PREFIX_
              Match on ARP or RARP sender or target IP address. _IPV4_PREFIX_ must be a valid IPv4
              address optionally followed by a slash and the prefix length. If the prefix is
              missing, **tc** assumes a full-length host match.

       **arp_op** _ARP_OP_
              Match on ARP or RARP operation. _ARP_OP_ may be **request**, **reply** or an integer value 0, 1
              or 2. A mask may be optionally provided to limit the bits of the operation which are
              matched. A mask is provided by following the address with a slash and then the mask.
              It may be provided as an unsigned 8 bit value representing a bitwise mask. If the mask
              is missing then a match on all bits is assumed.

       **arp_sha** _MASKED_LLADDR_
       **arp_tha** _MASKED_LLADDR_
              Match on ARP or RARP sender or target MAC address. A mask may be optionally provided
              to limit the bits of the address which are matched. A mask is provided by following
              the address with a slash and then the mask. It may be provided in LLADDR format, in
              which case it is a bitwise mask, or as a number of high bits to match. If the mask is
              missing then a match on all bits is assumed.

       **enc_key_id** _NUMBER_
       **enc_dst_ip** _PREFIX_
       **enc_src_ip** _PREFIX_
       **enc_dst_port** _NUMBER_
       **enc_tos** _NUMBER_
       **enc_ttl** _NUMBER_


       **ct_state** _CT_STATE_
       **ct_zone** _CT_MASKED_ZONE_
       **ct_mark** _CT_MASKED_MARK_
       **ct_label** _CT_MASKED_LABEL_
              Matches on connection tracking info.

              _CT_STATE_
                     Match the connection state, which can be a combination of [{+|-}flag] flags, where
                     flag can be one of

                     trk - Tracked connection.

                     new - New connection.

                     est - Established connection.

                     rpl  - The packet is in the reply direction, meaning that it is in the opposite
                     direction from the packet that initiated the connection.

                     inv - The state is invalid. The packet couldn't be associated to a connection.

                     rel - The packet is related to an existing connection.

                     Example: +trk+est

              _CT_MASKED_ZONE_
                     Match the connection zone, and can be masked.

              _CT_MASKED_MARK_
                     32bit match on the connection mark, and can be masked.

              _CT_MASKED_LABEL_
                     128bit match on the connection label, and can be masked.

       **geneve_opts** _OPTIONS_
       **vxlan_opts** _OPTIONS_
       **erspan_opts** _OPTIONS_
              Match on IP tunnel metadata. Key id _NUMBER_ is a 32 bit tunnel key id (e.g. VNI for
              VXLAN tunnel). _PREFIX_ must be a valid IPv4 or IPv6 address optionally followed by a
              slash and the prefix length. If the prefix is missing, **tc** assumes a full-length host
              match. Dst port _NUMBER_ is a 16 bit UDP dst port. Tos _NUMBER_ is an 8 bit tos
              (dscp+ecn) value, ttl _NUMBER_ is an 8 bit time-to-live value.

              geneve_opts _OPTIONS_ must be a valid list of comma-separated geneve options where
              each option consists of a key optionally followed by a slash and corresponding mask.
              If the mask is missing, **tc** assumes a full-length match. The options can be described
              in the form CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is represented
              as a 16bit hexadecimal value, TYPE as an 8bit hexadecimal value and DATA as a variable
              length hexadecimal value.

              vxlan_opts _OPTIONS_ doesn't support multiple options, and it consists of a key
              followed by a slash and corresponding mask. If the mask is missing, **tc** assumes a
              full-length match. The option can be described in the form GBP/GBP_MASK, where GBP is
              represented as a 32bit number.

              erspan_opts _OPTIONS_ doesn't support multiple options, and it consists of a key
              followed by a slash and corresponding mask. If the mask is missing, **tc** assumes a
              full-length match. The option can be described in the form
              VERSION:INDEX:DIR:HWID/VERSION:INDEX_MASK:DIR_MASK:HWID_MASK, where VERSION is
              represented as an 8bit number, INDEX as a 32bit number, DIR and HWID as 8bit numbers.
              Multiple options are not supported. Note INDEX/INDEX_MASK is used when VERSION is
              1, and DIR/DIR_MASK and HWID/HWID_MASK are used when VERSION is 2.

       **ip_flags** _IP_FLAGS_
              _IP_FLAGS_ may be either **frag**, **nofrag**, **firstfrag** or **nofirstfrag**, where frag and nofrag
              can be used to match on fragmented packets or not, respectively. firstfrag and
              nofirstfrag can be used to further distinguish fragmented packets. firstfrag can be
              used to indicate the first fragmented packet. nofirstfrag can be used to indicate
              subsequent fragmented packets or non-fragmented packets.

## NOTES
       As stated above where applicable, matches of a certain layer implicitly depend on the matches
       of the next lower layer. Precisely, layer one and two matches (**indev**, **dst_mac** and **src_mac**)
       have no dependency, MPLS and layer three matches (**mpls**, **mpls_label**, **mpls_tc**, **mpls_bos**,
       **mpls_ttl**, **ip_proto**, **dst_ip**, **src_ip**, **arp_tip**, **arp_sip**, **arp_op**, **arp_tha**, **arp_sha** and **ip_flags**)
       depend on the **protocol** option of tc filter, layer four port matches (**dst_port** and **src_port**)
       depend on **ip_proto** being set to **tcp**, **udp** or **sctp**, and finally ICMP matches (**code** and **type**)
       depend on **ip_proto** being set to **icmp** or **icmpv6**.

       Only one mask can be used per prio. If the user needs to specify a different mask, a
       different prio has to be used.
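
The ordering and range rules stated in OPTIONS and NOTES can be checked before a match list is handed to **tc**. The following is an added example, not part of the man page or of iproute2: `flower_lint` and `in_range` are hypothetical helper names, the sample match lists are constructed, and hw_tc is assumed to be written in decimal.

```shell
#!/usr/bin/env bash
# Added example: lint a flower MATCH_LIST against rules stated on this page.
# Simplifications: numeric ip_proto values are not resolved to names, and
# hw_tc is assumed to be written in decimal.

in_range() {   # in_range NAME VALUE MAX: VALUE must be a decimal integer 0..MAX
    case $2 in ''|*[!0-9]*) echo "$1: '$2' is not a decimal number"; return 1 ;; esac
    [ "$2" -le "$3" ] || { echo "$1: $2 is outside 0..$3"; return 1; }
}

flower_lint() {   # prints one line per problem; returns 0 when the list is clean
    local ip_proto="" lse=0 mpls_single=0 rc=0 key val
    while [ $# -gt 0 ]; do
        key=$1; shift
        case $key in
            action) break ;;                          # ACTION_SPEC follows, not linted
            verbose|skip_sw|skip_hw|lse) continue ;;  # keywords without a value
            mpls) lse=1; continue ;;                  # introduces an LSE_LIST
        esac
        val=${1:-}
        if [ $# -gt 0 ]; then shift; fi
        case $key in
            ip_proto) ip_proto=$val ;;
            dst_port|src_port)                        # need tcp/udp/sctp set beforehand
                case $ip_proto in
                    tcp|udp|sctp) ;;
                    *) echo "$key: needs ip_proto tcp, udp or sctp earlier in the match list"; rc=1 ;;
                esac ;;
            type|code)                                # need icmp/icmpv6 set beforehand
                case $ip_proto in
                    icmp|icmpv6) ;;
                    *) echo "$key: needs ip_proto icmp or icmpv6 earlier in the match list"; rc=1 ;;
                esac ;;
            mpls_label|mpls_tc|mpls_bos|mpls_ttl) mpls_single=1 ;;
            hw_tc)                in_range "$key" "$val" 15   || rc=1 ;;
            vlan_id|cvlan_id)     in_range "$key" "$val" 4095 || rc=1 ;;
            vlan_prio|cvlan_prio) in_range "$key" "$val" 7    || rc=1 ;;
        esac
    done
    if [ "$lse" -eq 1 ] && [ "$mpls_single" -eq 1 ]; then
        echo "mpls: an LSE list cannot be combined with standalone mpls_* options"; rc=1
    fi
    return "$rc"
}

# Constructed match lists (not from the man page):
flower_lint ip_proto tcp dst_port 22 action drop && echo "clean"
flower_lint dst_port 22 ip_proto tcp || true          # ip_proto comes too late
flower_lint vlan_id 4096 hw_tc 3 || true              # vlan_id exceeds 12 bits
flower_lint mpls lse depth 1 label 100 mpls_ttl 64 || true
```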

## SEE ALSO
       [**tc**(8)](https://www.chedong.com/phpMan.php/man/tc/8/markdown), [**tc-flow**(8)](https://www.chedong.com/phpMan.php/man/tc-flow/8/markdown)



iproute2                                     22 Oct 2015
