TC flower
About TC flower filters
Compared with Ethtool ntuples filters, TC filters are applied higher in the Linux stack. Socket buffers have been assigned at that point and provide a number of offsets that can help with matching packets, so a number of additional filtering options can be supported.
Some of them are supported by libkefir, in order to quickly generate rules from TC flower expressions.
Example
The following rule can be used to filter out incoming IPv4 HTTP packets:
# tc flower protocol ip flower ip_proto tcp dst_port 80 action drop
The same line, starting after tc flower, can be passed to the library to create a new rule. In our example, it would be the following string:
protocol ip flower ip_proto tcp dst_port 80 action drop
So a call to kefir_rule_load_l(), used to build rules from a string containing the whole expression, would look like this:
    if (kefir_rule_load_l(filter,
                          KEFIR_RULE_TYPE_TC_FLOWER,
                          "protocol ip flower ip_proto tcp dst_port 80 action drop",
                          0)) {
        printf("Error: %s\n", kefir_strerror());
        return -1;
    }
Other example rules displaying the various supported options can be found in the tests for TC flower-based filters. For details on the syntax and the semantics of the different keywords in TC flower expressions, please refer to the tc-flower manual page.
Current support
Supported keywords:
dst_mac MASKED_LLADDR
src_mac MASKED_LLADDR
vlan_id VID
vlan_prio PRIORITY
vlan_ethtype VLAN_ETH_TYPE
cvlan_id VID
cvlan_prio PRIORITY
cvlan_ethtype VLAN_ETH_TYPE
ip_proto IP_PROTO
ip_tos MASKED_IP_TOS
ip_ttl MASKED_IP_TTL
dst_ip PREFIX
src_ip PREFIX
dst_port NUMBER
src_port NUMBER
action ACTION_SPEC
Unsupported keywords:
mpls_label LABEL
mpls_tc TC
mpls_bos BOS
mpls_ttl TTL
dst_port MIN_VALUE-MAX_VALUE
src_port MIN_VALUE-MAX_VALUE
tcp_flags MASKED_TCP_FLAGS
type MASKED_TYPE
code MASKED_CODE
arp_tip IPV4_PREFIX
arp_sip IPV4_PREFIX
arp_op ARP_OP
arp_sha MASKED_LLADDR
arp_tha MASKED_LLADDR
enc_key_id NUMBER
enc_dst_ip PREFIX
enc_src_ip PREFIX
enc_dst_port NUMBER
enc_tos NUMBER
enc_ttl NUMBER
geneve_opts OPTIONS
ip_flags IP_FLAGS
Non-relevant keywords:
classid CLASSID
hw_tc TCID
indev ifname
verbose
skip_sw
skip_hw
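
A pre-check built from the lists above, as an added example that is not part of libkefir: the hypothetical helper flower_first_unsupported() scans an expression for a keyword or a port range that this page lists as unsupported, so that a drop rule relying on one is flagged before the string is passed to kefir_rule_load_l(). It is a plain token scan, not a full tc-flower parser, and the sample expressions are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Keywords this page lists under "Unsupported keywords" (port ranges are handled below). */
static const char *const unsupported_kw[] = {
    "mpls_label", "mpls_tc", "mpls_bos", "mpls_ttl", "tcp_flags", "type", "code",
    "arp_tip", "arp_sip", "arp_op", "arp_sha", "arp_tha", "enc_key_id",
    "enc_dst_ip", "enc_src_ip", "enc_dst_port", "enc_tos", "enc_ttl",
    "geneve_opts", "ip_flags", NULL
};

/* Copy the next whitespace-delimited token into buf; return the position after it, or NULL at end. */
static const char *next_token(const char *s, char *buf, size_t len)
{
    s += strspn(s, " \t");
    size_t n = strcspn(s, " \t");
    if (n == 0)
        return NULL;
    snprintf(buf, len, "%.*s", (int)n, s);
    return s + n;
}

/* Hypothetical helper: first construct in expr that the page lists as unsupported, or NULL. */
const char *flower_first_unsupported(const char *expr)
{
    char tok[64], val[64];

    while ((expr = next_token(expr, tok, sizeof(tok))) != NULL) {
        for (size_t i = 0; unsupported_kw[i]; i++)
            if (strcmp(tok, unsupported_kw[i]) == 0)
                return unsupported_kw[i];
        /* dst_port/src_port NUMBER is supported; MIN_VALUE-MAX_VALUE is not. */
        if ((!strcmp(tok, "dst_port") || !strcmp(tok, "src_port")) &&
            next_token(expr, val, sizeof(val)) && strchr(val, '-'))
            return "port range";
    }
    return NULL;
}

int main(void)
{
    /* Constructed samples; the first is the expression from this page. */
    const char *samples[] = {
        "protocol ip flower ip_proto tcp dst_port 80 action drop",
        "protocol ip flower ip_proto tcp dst_port 8000-8080 action drop",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%-6s %s\n", flower_first_unsupported(samples[i]) ? "REJECT" : "ok", samples[i]);
    return 0;
}
```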