ACLs

Table of Contents

1. TC flower
   1. Supported Keys
   2. Supported Actions
   3. Example Usage
2. Further Resources

TC flower

It is possible to offload TC flower rules with limited set of keys and actions to netdevs which represent mlxsw ports.

Before configuring match rules on enp3s0np1, one must first create the queueing disciplines (qdiscs) to which the flower classifier will be attached.

Note: Offloading is not yet supported for soft-netdevs (e.g., bridge, bond, vlan) or the management port.

Note: Offloading is for now only supported for netdevs which are bridged or have IPv4 address assigned.

In order to prepare for addition of ingress flower rules, add the ingress qdisc to enp3s0np1, run:

$ tc qdisc add dev enp3s0np1 handle ffff: ingress

And for egress, run:

$ tc qdisc add dev enp3s0np1 handle 1: root prio

Supported Keys

• protocol (ethertype)
• src_mac
• dst_mac
• src_ip (both IPv4 and IPv6)
• dst_ip (both IPv4 and IPv6)
• ip_proto ("tcp" and "udp")
• src_port
• dst_port

Supported Actions

• action drop
• mirred egress redirect (forward)

Example Usage

$ tc filter add dev enp3s0np1 parent ffff: protocol ipv6 pref 2 flower skip_sw src_ip fe01::1 action drop

This adds a rule with priority 2 matching every IPv6 packet with source address fe01::1. Selected action is drop. Note the skip_sw keyword that instructs TC to skip the insertion of the rule to the kernel's datapath, only in HW. If this keyword is omitted, the rule will be inserted in both kernel and HW.

To list of inserted rules, run:

$ tc filter show dev enp3s0np1 root

More Examples

$ tc filter add dev enp3s0np1 parent ffff: protocol ip pref 20 flower skip_sw dst_mac f4:52:14:10:df:92 action mirred egress redirect dev enp3s0np19
$ tc filter add dev enp3s0np1 parent ffff: protocol ipv6 pref 10 flower skip_sw dst_ip fe01::3 ip_proto tcp dst_port 3333 action drop

Further Resources

1. man tc
2. man tc-flower
3. QoS in Linux with TC and Filters by Phil Sutter (part of iproute documentation)