Classification (IS0/IS1)
When a frame is received on a port it is classified into one of these Traffic Types:
| Traffic Type | Sparx5 (IS0) | LAN966x (IS1) |
|---|---|---|
IPv4 |
✔ |
✔ |
IPv6 |
✔ |
✔ |
Other |
✔ |
✔ |
All frame types are subject to the appropriate lookups according to the VCAP. See VCAP Information.
Each port is configured to generate a specific keyset (a set of key values extracted from a frame) for each combination of Traffic Type and lookup.
| A keyset is an internal value used by the hardware. A flower key is what the user specifies in the tc flower filter command. |
1. Sparx5 IS0 Classification
The valid combinations of Sparx5 IS0 lookup keyset versus Traffic Type are:
| Sparx5 IS0 keyset - Traffic Type | Size | IPv4 | IPv6 | Other |
|---|---|---|---|---|
6 |
✔ |
✔ |
✔ |
|
12 |
✔ |
✔ |
✔ |
The default IS0 lookup keyset is NORMAL_7TUPLE for IPv6 and Other, and NORMAL_5TUPLE_IP4 for IPv4 traffic.
The other IS0 lookup keys can be selected by using a tc chain template.
The MPLS and MBLS traffic types selects the NORMAL_7TUPLE keyset as they are configured to follow 'Other'.
| IS0 on Sparx5 has some additional traffic types that are currently configured to follow the 'Other' traffic type classification as they are not being used. |
2. LAN966x IS1 Classification
The valid combinations of LAN966x IS1 lookup keyset versus Traffic Type are:
| LAN966x IS1 keyset - Traffic Type | Size | IPv4 | IPv6 | Other |
|---|---|---|---|---|
4 |
✔ |
✔ |
✔ |
|
4 |
· |
✔ |
· |
|
4 |
· |
✔ |
· |
|
2 |
✔ |
✔ |
✔ |
|
2 |
✔ |
✔ |
✔ |
|
1 |
✔ |
✔ |
✔ |
The default IS1 lookup keyset is 7TUPLE. The other IS1 lookup keys can be selected by using a tc chain template.
Size denotes the size of the IS1 keyset. Using smaller keys makes it possible to have more rules in the IS1 VCAP.
Each IS1 lookup is configured by using the chain option in the tc filter commands.
The supported flower keys for each IS1 lookup keyset are described next and here is also shown examples on how to use the actions.
A more thorough description of the actions is found in the section IS0/IS1 Actions
3. IS0/IS1 Keysets
3.1. NORMAL_5TUPLE_IP4
The NORMAL_5TUPLE_IP4 keyset can be used for both IPv4 and IPv6 frames.
It can match on two simultaneous VLAN tags. It cannot match on IPv6 addresses but it is able to match on both IPv4 source and destination addresses simultaneously.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
· |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
· |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ipv6 |
✔ |
✔ |
· |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
✔ |
✔ |
· |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
✔ |
✔ |
· |
cvlan_ethtype |
<PROTO> |
vlan_ethtype ipv6 |
✔ |
✔ |
· |
ip_flags |
<IP_FLAG>[/<IP_FLAG>] |
ip_flags { [no]frag | [no]firstfrag } |
✔ |
· |
· |
src_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> |
src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0 |
✔ |
· |
· |
dst_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> |
dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0 |
✔ |
· |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
✔ |
✔ |
· |
You can see some example of IPv4 filters here IS0/IS1 IPv4 filter examples
3.2. NORMAL_7TUPLE
The NORMAL_7TUPLE keyset is the most general but cannot match on IPv4 addresses, and only on TCP/UDP source ports.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
src_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
dst_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ip Note: Supports the same values as in |
✔ |
✔ |
✔ |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
cvlan_ethtype |
<PROTO> |
cvlan_ethtype 0xf1c1 or vlan_ethtype ip Note: Supports the same values as in |
✔ |
✔ |
✔ |
ip_flags |
<IP_FLAG>[/<IP_FLAG>] |
ip_flags { [no]frag | [no]firstfrag } |
✔ |
· |
· |
src_ip |
<IPv6 ADDR> |
src_ip 2001:0:0:0:e1de:2244:0ff8:0123 |
✔ |
✔ |
· |
dst_ip |
<IPv6 ADDR> |
dst_ip 2001:0:0:0:e1de:2244:0ff8:4567 |
✔ |
✔ |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
✔ |
✔ |
· |
src_port |
<PORT> or <PORT>/<PORT_MASK> |
src_port 1000 or src_port 0x200/0xff0 |
✔ |
✔ |
· |
The filter below matches on MAC addresses, two VLAN tags and all supported IPv6 matches.
The filter in inserted into chain 1000000 (first lookup), and drops the matched frames and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc filter add dev eth12 ingress chain 1000000 prio 100 handle 100 protocol 802.1ad flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype 802.1q \ cvlan_id 200 \ cvlan_prio 2 \ cvlan_ethtype ipv6 \ ip_flags frag/nofirstfrag \ src_ip 1:2::3:4 \ dst_ip 5:6::7:8 \ ip_proto tcp \ action mirred egress mirror dev eth49 \ action goto chain 1100000
3.3. 7TUPLE
The 7TUPLE keyset is used by default for all IS1 Frame Type and lookup combinations.
Apart from only partial support of IPv6 addresses it is the most general keyset but it is also one of the largest keysets in LAN966x.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
src_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
dst_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ip Note: Supports the same values as in |
✔ |
✔ |
✔ |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
cvlan_ethtype |
<PROTO> |
cvlan_ethtype 0xf1c1 or vlan_ethtype ip Note: Supports the same values as in |
✔ |
✔ |
✔ |
ip_tos |
<TOS> or <TOS>/<TOS_MASK> |
ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part). |
✔ |
✔ |
· |
ip_flags |
<IP_FLAG>[/<IP_FLAG>] |
ip_flags { [no]frag | [no]firstfrag } |
✔ |
· |
· |
src_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> when IPv4 and <IPv6_ADDR> when IPv6 |
src_ip 10.10.10.10, src_ip 10.10.0.0/255.255.0.0 or src_ip 2001:0:0:0:e1de:2244:0ff8:0123 Note: IPv6 cannot be masked and even all the blocks can’t be used for matching, only the non-zero blocks from above example can be used to match an IPv6 address. |
✔ |
✔ |
· |
dst_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> when IPv4 and <IPv6_ADDR> when IPv6 |
dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0 or dst_ip 2001:0:0:0:e1de:2244:0ff8:4567 Note: IPv6 cannot be masked and even all the blocks can’t be used for matching, only the non-zero blocks from above example can be used to match an IPv6 address. |
✔ |
✔ |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
✔ |
✔ |
· |
src_port |
<PORT> or <PORT>/<PORT_MASK> |
src_port 1000 or src_port 0x200/0xff0 |
✔ |
✔ |
· |
dst_port |
<PORT> or <PORT>/<PORT_MASK> |
dst_port 2000 or dst_port 0x100/0xff0 |
✔ |
✔ |
· |
The 7TUPLE LAN966x IS1 keyset is the default keyset and can be used without specifying a chain template.
The filter below matches on MAC addresses, two VLAN tags and all supported IPv4 matches.
The filter is inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1ad flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype 802.1q \ cvlan_id 200 \ cvlan_prio 2 \ cvlan_ethtype ipv4 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ dst_ip 20.20.20.20 \ ip_proto tcp \ src_port 1000 \ dst_port 2000 \ action skbedit priority 5 \ action goto chain 1100000
This filter is the same as above but with only one VLAN tag match.
# tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1q flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype ipv4 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ dst_ip 20.20.20.20 \ ip_proto tcp \ src_port 1000 \ dst_port 2000 \ action skbedit priority 5 \ action goto chain 1100000
This filter is the same as above but without VLAN matching.
# tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol ipv4 flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ dst_ip 20.20.20.20 \ ip_proto tcp \ src_port 1000 \ dst_port 2000 \ action skbedit priority 5 \ action goto chain 1100000
This filter matches on MAC addresses and ARP frames.
# tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol arp flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:44:44 \ action skbedit priority 5 \ action goto chain 1100000
This filter matches on MAC addresses and all kind of frames.
# tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol all flower skip_sw \ src_mac 00:33:33:33:33:33 \ dst_mac 00:44:44:44:44:44 \ action skbedit priority 5 \ action goto chain 1100000
3.4. NORMAL_IP6
The NORMAL_IP6 keyset can only be used for IPv6 lookups.
It is the only keyset that is able to match on both MAC address and full IPv6 address simultaneously. On the other hand it is only possible to match on either source or destination MAC/IPv6 addresses.
A tc chain template is required in order to use it.
The template selects whether to use source or destination addresses.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
src_mac or dst_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
src_mac 00:33:33:33:33:33, src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00, dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00 |
· |
✔ |
· |
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
· |
✔ |
· |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
· |
✔ |
· |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ipv6 |
· |
✔ |
· |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
· |
✔ |
· |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
· |
✔ |
· |
cvlan_ethtype |
<PROTO> |
vlan_ethtype ipv6 |
· |
✔ |
· |
ip_tos |
<TOS> or <TOS>/<TOS_MASK> |
ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part). |
· |
✔ |
· |
src_ip or dst_ip |
<IPv6_ADDR> |
src_ip 2001:0:0:0:e1de:2244:0ff8:0123 or dst_ip 2001:0:0:0:e1de:2244:0ff8:4567 |
· |
✔ |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
· |
✔ |
· |
This IS1 keyset requires a chain template.
This filter matches on two VLAN tags and source MAC and IPv6 address.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1ad flower skip_sw \ src_mac 00:00:00:00:00:00 \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype 802.1q \ cvlan_id 0 \ cvlan_prio 0 \ cvlan_ethtype ipv6 \ ip_tos 0x00/0x3f \ src_ip 0::0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1ad flower skip_sw \ src_mac 00:33:33:33:33:33 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype 802.1q \ cvlan_id 200 \ cvlan_prio 2 \ cvlan_ethtype ipv6 \ ip_tos 0xf/0x3f \ src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
This filter matches on destination MAC and IPv6 address.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol ipv6 flower skip_sw \ dst_mac 00:00:00:00:00:00 \ ip_tos 0x00/0x3f \ dst_ip 0::0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol ipv6 flower skip_sw \ dst_mac 00:44:44:44:44:44 \ ip_tos 0xf/0x3f \ dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
3.5. 5TUPLE_IP6
The 5TUPLE_IP6 keyset can only be used for IPv6 lookups.
It is the only keyset that is able to match full IPv6 source and destination addresses simultaneously.
A tc chain template is required in order to use it.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
· |
✔ |
· |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
· |
✔ |
· |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ipv6 |
· |
✔ |
· |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
· |
✔ |
· |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
· |
✔ |
· |
cvlan_ethtype |
<PROTO> |
vlan_ethtype ipv6 |
· |
✔ |
· |
ip_tos |
<TOS> or <TOS>/<TOS_MASK> |
ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part). |
· |
✔ |
· |
src_ip |
<IPv6_ADDR> |
src_ip 2001:0:0:0:e1de:2244:0ff8:0123 |
· |
✔ |
· |
dst_ip |
<IPv6_ADDR> |
dst_ip 2001:0:0:0:e1de:2244:0ff8:4567 |
· |
✔ |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
· |
✔ |
· |
This IS1 keyset requires a chain template.
This filter matches on two VLAN tags and source and destination IPv6 addresses.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1ad flower skip_sw \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype 802.1q \ cvlan_id 0 \ cvlan_prio 0 \ cvlan_ethtype ipv6 \ ip_tos 0x00/0x3f \ src_ip 0::0 \ dst_ip 0::0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1ad flower skip_sw \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype 802.1q \ cvlan_id 200 \ cvlan_prio 2 \ cvlan_ethtype ipv6 \ ip_tos 0xf/0x3f \ src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \ dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
This filter is the same as above but without VLAN matching.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol ipv6 flower skip_sw \ ip_tos 0x00/0x3f \ src_ip 0::0 \ dst_ip 0::0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol ipv6 flower skip_sw \ ip_tos 0xf/0x3f \ src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \ dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
3.6. NORMAL
The NORMAL keyset can be used with all Traffic Types but is more limited compared with 7TUPLE.
It can only match on a single VLAN header.
It cannot match on IPv6 addresses but it is able to match on both MAC address and IPv4 address simultaneously as long as you match on either source or destination MAC/IP addresses.
A tc chain template is required in order to use it.
The template selects whether to use source or destination addresses.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
src_mac or dst_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
src_mac 00:33:33:33:33:33, src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00, dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
vlan_ethtype |
<PROTO> |
vlan_ethtype ip or vlan_ethtype ipv6 |
✔ |
✔ |
✔ |
ip_tos |
<TOS> or <TOS>/<TOS_MASK> |
ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part). |
✔ |
✔ |
· |
ip_flags |
<IP_FLAG>[/<IP_FLAG>] |
ip_flags { [no]frag | [no]firstfrag } |
✔ |
· |
· |
src_ip or dst_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> |
src_ip 10.10.10.10, src_ip 10.10.0.0/255.255.0.0, dst_ip 20.20.20.20 or dst_ip 20.20.0.0/255.255.0.0 |
✔ |
· |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
✔ |
✔ |
· |
src_port |
<PORT> or <PORT>/<PORT_MASK> |
src_port 1000 or src_port 0x200/0xff0 |
✔ |
✔ |
· |
dst_port |
<PORT> or <PORT>/<PORT_MASK> |
dst_port 2000 or dst_port 0x100/0xff0 |
✔ |
✔ |
· |
This IS1 keyset requires a chain template.
This filter matches on one VLAN tag and source MAC and IPv4 addresses.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1q flower skip_sw \ src_mac 00:00:00:00:00:00 \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype ipv4 \ ip_tos 0x00/0x3f \ ip_flags frag/firstfrag \ src_ip 0.0.0.0 \ ip_proto udp \ src_port 100 \ dst_port 200 # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1q flower skip_sw \ src_mac 00:33:33:33:33:33 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype ipv4 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ ip_proto tcp \ src_port 1000 \ dst_port 2000 action skbedit priority 5 \ action goto chain 1100000
This filter matches on destination MAC and IPv4 addresses.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol ipv4 flower skip_sw \ dst_mac 00:00:00:00:00:00 \ ip_tos 0x00/0x3f \ ip_flags frag/firstfrag \ src_ip 0.0.0.0 \ ip_proto udp \ src_port 100 \ dst_port 200 # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol ipv4 flower skip_sw \ dst_mac 00:44:44:44:44:44 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ dst_ip 20.20.20.20 \ ip_proto tcp \ src_port 1000 \ dst_port 2000 action skbedit priority 5 \ action goto chain 1100000
3.7. 5TUPLE_IP4
The 5TUPLE_IP4 keyset can be used for both IPv4 and IPv6 lookups.
It cannot match on IPv6 addresses but it is able to match on both IPv4 source and destination addresses simultaneously.
A tc chain template is required in order to use it.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
· |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
· |
vlan_ethtype |
<PROTO> |
vlan_ethtype 802.1q or vlan_ethtype ipv6 |
✔ |
✔ |
· |
cvlan_id |
<VID> or <VID>/<VID_MASK> |
cvlan_id 1234 or cvlan_id 0x100/0xff0 |
✔ |
✔ |
· |
cvlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
cvlan_prio 3 or cvlan_id 0x0/0x1 |
✔ |
✔ |
· |
cvlan_ethtype |
<PROTO> |
vlan_ethtype ipv6 |
✔ |
✔ |
· |
ip_flags |
<IP_FLAG>[/<IP_FLAG>] |
ip_flags { [no]frag | [no]firstfrag } |
✔ |
· |
· |
src_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> |
src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0 |
✔ |
· |
· |
dst_ip |
<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK> |
dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0 |
✔ |
· |
· |
ip_proto |
<IP_PROTO> |
ip_proto 0x12 or ip_proto tcp. |
✔ |
✔ |
· |
This IS1 keyset requires a chain template.
You can see some example of IPv4 filters here IS0/IS1 IPv4 filter examples
3.8. DMAC_VID
The DMAC_VID keyset can be used for all IS1 Frame Type and lookup combinations.
It is a short keyset that can be used to match on a VLAN and either source or destination MAC address.
A tc chain template is required in order to use it.
The template selects whether to use source or destination MAC address.
| Flower key | Value | Example | IPv4 | IPv6 | Other |
|---|---|---|---|---|---|
src_mac or dst_mac |
<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK> |
src_mac 00:33:33:33:33:33, src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00, dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00 |
✔ |
✔ |
✔ |
vlan_id |
<VID> or <VID>/<VID_MASK> |
vlan_id 1234 or vlan_id 0x100/0xff0 |
✔ |
✔ |
✔ |
vlan_prio |
<PCP> or <PCP>/<PCP_MASK> |
vlan_prio 3 or vlan_id 0x0/0x1 |
✔ |
✔ |
✔ |
vlan_ethtype |
<PROTO> |
vlan_ethtype ip or vlan_ethtype ipv6 |
✔ |
✔ |
✔ |
This IS1 keyset requires a chain template.
This filter matches on one VLAN tag, source MAC address and all protocols
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1q flower skip_sw \ src_mac 00:00:00:00:00:00 \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype all # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1q flower skip_sw \ src_mac 00:33:33:33:33:33 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype all \ action skbedit priority 5 \ action goto chain 1100000
This filter matches on one VLAN tag, destination MAC address and all protocols
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1q flower skip_sw \ dst_mac 00:00:00:00:00:00 \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype all # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1q flower skip_sw \ dst_mac 00:44:44:44:44:44 \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype all \ action skbedit priority 5 \ action goto chain 1100000
4. IS0/IS1 IPv4 filter examples
The following filter matches on two VLAN tags and source and destination IPv4 addresses.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS0/IS1 (chain 1100000).
| The Sparx5 IS0 VCAP does not support the ip_tos key and the skbedit action. |
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol 802.1ad flower skip_sw \ vlan_id 0 \ vlan_prio 0 \ vlan_ethtype 802.1q \ cvlan_id 0 \ cvlan_prio 0 \ cvlan_ethtype ipv4 \ ip_tos 0x00/0x3f \ ip_flags frag/firstfrag \ src_ip 0.0.0.0 \ dst_ip 0.0.0.0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol 802.1ad flower skip_sw \ vlan_id 100 \ vlan_prio 1 \ vlan_ethtype 802.1q \ cvlan_id 200 \ cvlan_prio 2 \ cvlan_ethtype ipv4 \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ dst_ip 20.20.20.20 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
The following filter is the same as the filter above but without VLAN matching.
The filter in inserted into chain 1000000 (first lookup), classifies all matching packets to priority 5 and goes to second lookup in IS1 (chain 1100000).
# tc qdisc add dev eth0 clsact # tc chain add dev eth0 ingress chain 1000000 protocol ipv4 flower skip_sw \ ip_tos 0x00/0x3f \ ip_flags frag/firstfrag \ src_ip 0.0.0.0 \ dst_ip 0.0.0.0 \ ip_proto udp # tc filter add dev eth0 ingress chain 1000000 prio 10 handle 42 protocol ipv4 flower skip_sw \ ip_tos 0xf/0x3f \ ip_flags frag/nofirstfrag \ src_ip 10.10.10.10 \ dst_ip 20.20.20.20 \ ip_proto tcp \ action skbedit priority 5 \ action goto chain 1100000
5. IS0/IS1 Actions
These are the actions supported in the IS0 or IS1 VCAPs:
| Flower action | Sparx5 | LAN966x | Example | Description |
|---|---|---|---|---|
pass |
✔ |
✔ |
action pass |
This is a no-op action. |
vlan modify id <VID> priority <PCP> |
✔ |
✔ |
action vlan modify id 100 priority 3 |
Classifies the packet to a specific VID and PCP. |
skbedit priority <PRIO> |
· |
✔ |
action skbedit priority 5 |
Classifies the packet to a specific priority. |
gate [basetime <BASE_TIME>] sched-entry <GATE_STATE> <INTERVAL> [IPV] [MAX_OCTETS] … |
✔ |
✔ |
action gate base-time 0 sched-entry open 10000000 3 8m sched-entry close 90000000 |
Gate is open in 10 mS and closed in 90 mS. Frames that passes the gate are assigned an internal priority value of 3. A maximum of 8 mega bytes can pass the gate during open time. |
police rate <RATE> burst <BURST> [mtu <MTU>] |
✔ |
✔ |
action police rate 100kbit burst 16000 mtu 1200 |
Police the frames to a specific bit rate and optionally discards frames larger than MTU. |
mirred <DIRECTION> <ACTION> dev <DEVICENAME> |
✔ |
· |
action mirred egress mirror dev eth2 |
Send copied of matched frames to the mirror port |
goto chain <CHAIN> |
✔ |
✔ |
action goto chain 1100000 |
Which chain to go to after this match. A no-op action in first and second lookup. In third lookup the chain number is used to set the PAG value to be used in IS2 lookups. |
6. IS0/IS1 Status
Use the tc filter show command to see the filter configuration for a specific port.
Add -s to also see the statistics:
# tc -s filter show dev eth2 ingress filter protocol 802.1Q pref 1 flower chain 1000000 filter protocol 802.1Q pref 1 flower chain 1000000 handle 0x3e8 vlan_id 100 vlan_ethtype all dst_mac 00:00:00:00:00:22 eth_type 0003 skip_sw in_hw in_hw_count 1 action order 1: priority wildcard clockid TAI flags 0x88a64 base-time 0ns cycle-time 1ms cycle-time-ext 0ns schedule: number 0 gate-state open interval 200us ipv 4 max-octets 8Mb number 1 gate-state close interval 800us ipv wildcard max-octets wildcard pipe index 42 ref 2 bind 1 installed 6 sec used 2 sec Action statistics: Sent 0 bytes 10000 pkt (dropped 7999, overlimits 0 requeues 0) Sent software 0 bytes 0 pkt Sent hardware 0 bytes 10000 pkt backlog 0b 0p requeues 0 used_hw_stats immediate action order 2: gact action goto chain 1100000 random type none pass val 0 index 1 ref 1 bind 1 installed 6 sec used 2 sec Action statistics: Sent 0 bytes 10000 pkt (dropped 7999, overlimits 0 requeues 0) Sent software 0 bytes 0 pkt Sent hardware 0 bytes 10000 pkt backlog 0b 0p requeues 0 used_hw_stats immediate
First comes information about the filter, then the match and finally the actions including statistics.
The number of frames that has his the filter is shown as Sent hardware 0 bytes 10000 pkt.
Note that the hardware does not support counting the number of bytes.
In this case there is a policer involved and the number of dropped frames are shown as (dropped 7999, …).
In the current kernel the same statistics are shown for all actions. This might change in the future.