{
    "content": [
        {
            "type": "text",
            "text": "# tc-flower (man)\n\n## NAME\n\nflower - flow based traffic control filter\n\n## SYNOPSIS\n\ntc filter ... flower [ MATCHLIST ] [ action ACTIONSPEC ] [ classid CLASSID ] [ hwtc TCID ]\nMATCHLIST := [ MATCHLIST ] MATCH\nMATCH := { indev ifname | verbose  | skipsw | skiphw  | { dstmac | srcmac } MASKEDLLADDR\n| vlanid VID | vlanprio PRIORITY | vlanethtype {  ipv4  |  ipv6  |  ETHTYPE  }  |\ncvlanid  VID | cvlanprio PRIORITY | cvlanethtype { ipv4 | ipv6 | ETHTYPE } | mpls\nLSELIST | mplslabel LABEL | mplstc TC | mplsbos BOS | mplsttl TTL |  ipproto  {\ntcp  |  udp  |  sctp  |  icmp  |  icmpv6 | IPPROTO } | iptos MASKEDIPTOS | ipttl\nMASKEDIPTTL | { dstip | srcip } PREFIX | { dstport | srcport } {  MASKEDNUMBER\n| minportnumber-maxportnumber } | tcpflags MASKEDTCPFLAGS | type MASKEDTYPE |\ncode MASKEDCODE | { arptip | arpsip } IPV4PREFIX | arpop { request | reply |  OP\n}  |  {  arptha  |  arpsha  }  MASKEDLLADDR  |  enckeyid KEY-ID | { encdstip |\nencsrcip } { ipv4address | ipv6address } | encdstport portnumber | enctos TOS\n|  encttl  TTL  |  {  geneveopts  |  vxlanopts  | erspanopts } OPTIONS | ipflags\nIPFLAGS }\nLSELIST := [ LSELIST ] LSE\nLSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }\n\n## DESCRIPTION\n\nThe flower filter matches flows to the set of keys specified and assigns an arbitrarily chosen\nclass ID to packets belonging to them. Additionally (or alternatively) an action from the\ngeneric action framework may be called.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS** (1 subsections)\n- **NOTES**\n- **SEE ALSO**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "tc-flower",
        "section": "",
        "mode": "man",
        "summary": "flower - flow based traffic control filter",
        "synopsis": "tc filter ... flower [ MATCHLIST ] [ action ACTIONSPEC ] [ classid CLASSID ] [ hwtc TCID ]\nMATCHLIST := [ MATCHLIST ] MATCH\nMATCH := { indev ifname | verbose  | skipsw | skiphw  | { dstmac | srcmac } MASKEDLLADDR\n| vlanid VID | vlanprio PRIORITY | vlanethtype {  ipv4  |  ipv6  |  ETHTYPE  }  |\ncvlanid  VID | cvlanprio PRIORITY | cvlanethtype { ipv4 | ipv6 | ETHTYPE } | mpls\nLSELIST | mplslabel LABEL | mplstc TC | mplsbos BOS | mplsttl TTL |  ipproto  {\ntcp  |  udp  |  sctp  |  icmp  |  icmpv6 | IPPROTO } | iptos MASKEDIPTOS | ipttl\nMASKEDIPTTL | { dstip | srcip } PREFIX | { dstport | srcport } {  MASKEDNUMBER\n| minportnumber-maxportnumber } | tcpflags MASKEDTCPFLAGS | type MASKEDTYPE |\ncode MASKEDCODE | { arptip | arpsip } IPV4PREFIX | arpop { request | reply |  OP\n}  |  {  arptha  |  arpsha  }  MASKEDLLADDR  |  enckeyid KEY-ID | { encdstip |\nencsrcip } { ipv4address | ipv6address } | encdstport portnumber | enctos TOS\n|  encttl  TTL  |  {  geneveopts  |  vxlanopts  | erspanopts } OPTIONS | ipflags\nIPFLAGS }\nLSELIST := [ LSELIST ] LSE\nLSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [],
        "see_also": [
            {
                "name": "tc",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tc/8/json"
            },
            {
                "name": "tc-flow",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tc-flow/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 23,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 15,
                "subsections": [
                    {
                        "name": "verbose",
                        "lines": 223
                    }
                ]
            },
            {
                "name": "NOTES",
                "lines": 11,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 5,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "flower - flow based traffic control filter\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "tc filter ... flower [ MATCHLIST ] [ action ACTIONSPEC ] [ classid CLASSID ] [ hwtc TCID ]\n\n\nMATCHLIST := [ MATCHLIST ] MATCH\n\nMATCH := { indev ifname | verbose  | skipsw | skiphw  | { dstmac | srcmac } MASKEDLLADDR\n| vlanid VID | vlanprio PRIORITY | vlanethtype {  ipv4  |  ipv6  |  ETHTYPE  }  |\ncvlanid  VID | cvlanprio PRIORITY | cvlanethtype { ipv4 | ipv6 | ETHTYPE } | mpls\nLSELIST | mplslabel LABEL | mplstc TC | mplsbos BOS | mplsttl TTL |  ipproto  {\ntcp  |  udp  |  sctp  |  icmp  |  icmpv6 | IPPROTO } | iptos MASKEDIPTOS | ipttl\nMASKEDIPTTL | { dstip | srcip } PREFIX | { dstport | srcport } {  MASKEDNUMBER\n| minportnumber-maxportnumber } | tcpflags MASKEDTCPFLAGS | type MASKEDTYPE |\ncode MASKEDCODE | { arptip | arpsip } IPV4PREFIX | arpop { request | reply |  OP\n}  |  {  arptha  |  arpsha  }  MASKEDLLADDR  |  enckeyid KEY-ID | { encdstip |\nencsrcip } { ipv4address | ipv6address } | encdstport portnumber | enctos TOS\n|  encttl  TTL  |  {  geneveopts  |  vxlanopts  | erspanopts } OPTIONS | ipflags\nIPFLAGS }\n\nLSELIST := [ LSELIST ] LSE\n\nLSE := lse depth DEPTH { label LABEL | tc TC | bos BOS | ttl TTL }\n\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "The flower filter matches flows to the set of keys specified and assigns an arbitrarily chosen\nclass ID to packets belonging to them. Additionally (or alternatively) an action from the\ngeneric action framework may be called.\n",
                "subsections": []
            },
            "OPTIONS": {
                "content": "action ACTIONSPEC\nApply an action from the generic actions framework on matching packets.\n\nclassid CLASSID\nSpecify a class to pass matching packets on to. CLASSID is in the form X:Y, where X\nand Y are interpreted as numbers in hexadecimal format.\n\nhwtc TCID\nSpecify a hardware traffic class to pass matching packets on to. TCID is in the range\n0 through 15.\n\nindev ifname\nMatch on incoming interface name. Obviously this makes sense only for forwarded flows.\nifname is the name of an interface which must exist at the time of tc invocation.\n",
                "subsections": [
                    {
                        "name": "verbose",
                        "content": "Enable verbose logging, including offloading errors when not using the skipsw flag.\n\nskipsw\nDo not process filter by software. If hardware has no offload support for this filter,\nor TC offload is not enabled for the interface, operation will fail.\n\nskiphw\nDo not process filter by hardware.\n\ndstmac MASKEDLLADDR\nsrcmac MASKEDLLADDR\nMatch on source or destination MAC address. A mask may be optionally provided to\nlimit the bits of the address which are matched. A mask is provided by following the\naddress with a slash and then the mask. It may be provided in LLADDR format, in which\ncase it is a bitwise mask, or as a number of high bits to match. If the mask is missing\nthen a match on all bits is assumed.\n\nvlanid VID\nMatch on vlan tag id. VID is an unsigned 12bit value in decimal format.\n\nvlanprio PRIORITY\nMatch on vlan tag priority. PRIORITY is an unsigned 3bit value in decimal format.\n\nvlanethtype VLANETHTYPE\nMatch on layer three protocol. VLANETHTYPE may be either ipv4, ipv6 or an unsigned\n16bit value in hexadecimal format. To match on QinQ packet, it must be 802.1Q or\n802.1AD.\n\ncvlanid VID\nMatch on QinQ inner vlan tag id. VID is an unsigned 12bit value in decimal format.\n\ncvlanprio PRIORITY\nMatch on QinQ inner vlan tag priority. PRIORITY is an unsigned 3bit value in decimal\nformat.\n\ncvlanethtype VLANETHTYPE\nMatch on QinQ layer three protocol. VLANETHTYPE may be either ipv4, ipv6 or an unsigned\n16bit value in hexadecimal format.\n\n\nmpls LSELIST\nMatch on the MPLS label stack. LSELIST is a list of Label Stack Entries, each introduced\nby the lse keyword. This option can't be used together with the standalone\nmplslabel, mplstc, mplsbos and mplsttl options.\n\nlse LSEOPTIONS\nMatch on an MPLS Label Stack Entry. LSEOPTIONS is a list of options that describe\nthe properties of the LSE to match.\n\ndepth DEPTH\nThe depth of the Label Stack Entry to consider. 
Depth starts at 1 (the\noutermost Label Stack Entry). The maximum usable depth may be limited by\nthe kernel. This option is mandatory. DEPTH is an unsigned 8 bit value\nin decimal format.\n\nlabel LABEL\nMatch on the MPLS Label field at the specified depth. LABEL is an unsigned\n20 bit value in decimal format.\n\ntc TC\nMatch on the MPLS Traffic Class field at the specified depth. TC is an\nunsigned 3 bit value in decimal format.\n\nbos BOS\nMatch on the MPLS Bottom Of Stack field at the specified depth. BOS is\na 1 bit value in decimal format.\n\nttl TTL\nMatch on the MPLS Time To Live field at the specified depth. TTL is an\nunsigned 8 bit value in decimal format.\n\n\nmplslabel LABEL\nMatch the label id in the outermost MPLS label stack entry. LABEL is an unsigned 20\nbit value in decimal format.\n\nmplstc TC\nMatch on the MPLS TC field, which is typically used for packet priority, in the outermost\nMPLS label stack entry. TC is an unsigned 3 bit value in decimal format.\n\nmplsbos BOS\nMatch on the MPLS Bottom Of Stack field in the outermost MPLS label stack entry. BOS\nis a 1 bit value in decimal format.\n\nmplsttl TTL\nMatch on the MPLS Time To Live field in the outermost MPLS label stack entry. TTL is\nan unsigned 8 bit value in decimal format.\n\nipproto IPPROTO\nMatch on layer four protocol. IPPROTO may be tcp, udp, sctp, icmp, icmpv6 or an unsigned\n8bit value in hexadecimal format.\n\niptos MASKEDIPTOS\nMatch on ipv4 TOS or ipv6 traffic-class - eight bits in hexadecimal format. A mask\nmay be optionally provided to limit the bits which are matched. A mask is provided by\nfollowing the value with a slash and then the mask. If the mask is missing then a\nmatch on all bits is assumed.\n\nipttl MASKEDIPTTL\nMatch on ipv4 TTL or ipv6 hop-limit - eight bits value in decimal or hexadecimal format.\nA mask may be optionally provided to limit the bits which are matched. 
The same\nlogic is used for the mask as with matching on iptos.\n\ndstip PREFIX\nsrcip PREFIX\nMatch on source or destination IP address. PREFIX must be a valid IPv4 or IPv6 address,\ndepending on the protocol option to tc filter, optionally followed by a slash\nand the prefix length. If the prefix is missing, tc assumes a full-length host match.\n\ndstport { MASKEDNUMBER |  MINVALUE-MAXVALUE }\nsrcport { MASKEDNUMBER |  MINVALUE-MAXVALUE }\nMatch on layer 4 protocol source or destination port number, with an optional mask.\nAlternatively, the minimum and maximum values can be specified to match on a range of\nlayer 4 protocol source or destination port numbers. Only available for ipproto values\nudp, tcp and sctp which have to be specified beforehand.\n\ntcpflags MASKEDTCPFLAGS\nMatch on TCP flags represented as a 12bit bitfield in hexadecimal format. A mask may\nbe optionally provided to limit the bits which are matched. A mask is provided by following\nthe value with a slash and then the mask. If the mask is missing then a match\non all bits is assumed.\n\ntype MASKEDTYPE\ncode MASKEDCODE\nMatch on ICMP type or code. A mask may be optionally provided to limit the bits of the\nvalue which are matched. A mask is provided by following the value with a slash\nand then the mask. The mask must be a number which represents a bitwise mask. If the\nmask is missing then a match on all bits is assumed. Only available for ipproto values\nicmp and icmpv6 which have to be specified beforehand.\n\narptip IPV4PREFIX\narpsip IPV4PREFIX\nMatch on ARP or RARP sender or target IP address. IPV4PREFIX must be a valid IPv4\naddress optionally followed by a slash and the prefix length. If the prefix is missing,\ntc assumes a full-length host match.\n\narpop ARPOP\nMatch on ARP or RARP operation. ARPOP may be request, reply or an integer value 0, 1\nor 2. 
A mask may be optionally provided to limit the bits of the operation which are\nmatched. A mask is provided by following the value with a slash and then the mask.\nIt may be provided as an unsigned 8 bit value representing a bitwise mask. If the mask\nis missing then a match on all bits is assumed.\n\narpsha MASKEDLLADDR\narptha MASKEDLLADDR\nMatch on ARP or RARP sender or target MAC address. A mask may be optionally provided\nto limit the bits of the address which are matched. A mask is provided by following\nthe address with a slash and then the mask. It may be provided in LLADDR format, in\nwhich case it is a bitwise mask, or as a number of high bits to match. If the mask is\nmissing then a match on all bits is assumed.\n\nenckeyid NUMBER\nencdstip PREFIX\nencsrcip PREFIX\nencdstport NUMBER\nenctos NUMBER\nencttl NUMBER\n\n\nctstate CTSTATE\nctzone CTMASKEDZONE\nctmark CTMASKEDMARK\nctlabel CTMASKEDLABEL\nMatches on connection tracking info.\n\nCTSTATE\nMatch the connection state; can be a combination of [{+|-}flag] flags, where\nflag can be one of:\n\ntrk - Tracked connection.\n\nnew - New connection.\n\nest - Established connection.\n\nrpl - The packet is in the reply direction, meaning that it is in the opposite\ndirection from the packet that initiated the connection.\n\ninv - The state is invalid. The packet couldn't be associated to a connection.\n\nrel - The packet is related to an existing connection.\n\nExample: +trk+est\n\nCTMASKEDZONE\nMatch the connection zone, and can be masked.\n\nCTMASKEDMARK\n32bit match on the connection mark, and can be masked.\n\nCTMASKEDLABEL\n128bit match on the connection label, and can be masked.\n\ngeneveopts OPTIONS\nvxlanopts OPTIONS\nerspanopts OPTIONS\nMatch on IP tunnel metadata. Key id NUMBER is a 32 bit tunnel key id (e.g. VNI for\nVXLAN tunnel). PREFIX must be a valid IPv4 or IPv6 address optionally followed by a\nslash and the prefix length. 
If the prefix is missing, tc assumes a full-length host\nmatch. Dst port NUMBER is a 16 bit UDP dst port. Tos NUMBER is an 8 bit tos\n(dscp+ecn) value, ttl NUMBER is an 8 bit time-to-live value. geneveopts OPTIONS must\nbe a valid list of comma-separated geneve options where each option consists of a key\noptionally followed by a slash and corresponding mask. If the mask is missing, tc assumes\na full-length match. The options can be described in the form\nCLASS:TYPE:DATA/CLASSMASK:TYPEMASK:DATAMASK, where CLASS is represented as a 16bit\nhexadecimal value, TYPE as an 8bit hexadecimal value and DATA as a variable length\nhexadecimal value. vxlanopts OPTIONS doesn't support multiple options, and it consists\nof a key followed by a slash and corresponding mask. If the mask is missing, tc\nassumes a full-length match. The option can be described in the form GBP/GBPMASK,\nwhere GBP is represented as a 32bit number. erspanopts OPTIONS doesn't support multiple\noptions, and it consists of a key followed by a slash and corresponding mask. If\nthe mask is missing, tc assumes a full-length match. The option can be described in\nthe form VERSION:INDEX:DIR:HWID/VERSION:INDEXMASK:DIRMASK:HWIDMASK, where VERSION\nis represented as an 8bit number, INDEX as a 32bit number, DIR and HWID as 8bit numbers.\nMultiple options are not supported. Note INDEX/INDEXMASK is used when VERSION is\n1, and DIR/DIRMASK and HWID/HWIDMASK are used when VERSION is 2.\n\nipflags IPFLAGS\nIPFLAGS may be either frag, nofrag, firstfrag or nofirstfrag where frag and nofrag\ncould be used to match on fragmented packets or not, respectively. firstfrag and\nnofirstfrag can be used to further distinguish fragmented packets. firstfrag can be\nused to indicate the first fragmented packet. nofirstfrag can be used to indicate\nsubsequent fragmented packets or non-fragmented packets.\n"
                    }
                ]
            },
            "NOTES": {
                "content": "As stated above where applicable, matches of a certain layer implicitly depend on the matches\nof the next lower layer. Precisely, layer one and two matches (indev, dstmac and srcmac)\nhave no dependency, MPLS and layer three matches (mpls, mplslabel, mplstc, mplsbos,\nmplsttl, ipproto, dstip, srcip, arptip, arpsip, arpop, arptha, arpsha and ipflags)\ndepend on the protocol option of tc filter, layer four port matches (dstport and srcport)\ndepend on ipproto being set to tcp, udp or sctp, and finally ICMP matches (code and type)\ndepend on ipproto being set to icmp or icmpv6.\n\nOnly one mask can be used per prio. If the user needs to specify a different mask, they have\nto use a different prio.\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "tc(8), tc-flow(8)\n\n\n\niproute2                                     22 Oct 2015                      Flower filter in tc(8)",
                "subsections": []
            }
        }
    }
}