Hazard's stuff

07 Mar, 2007

Matching range of values using tc u32

— Posted by hazard @ 2007-03-07 16:00
Very few people realize that Linux's tc u32 filter allows you to match range of values. Basicly the logic is very similar to IP address/netmask matching.

For example, this u32 rule will match all source ports in the port range 0-1023: match ip sport 0x0 0xfc00

All you need is some simple binary arithmetic. Remember that u32 does an AND operation of the parameter against the mask, and then compares it with the target value. 1023 is 0x3FF in hex, after inversion (XOR 0xffff) we get 0xfc00. So, 0xfc00 is 1111110000000000 in binary, and if we use it as a mask it will mean that any bits with values below 1024 will be discarded. 0x0 (zero) is the target value that u32 will compare against. Any port values above or equal 1024 will not have a zero value after "[port] AND 0xfc00" binary arithmetic operation is done, so the filter will match only the ports below 1024.


  1. Well but how is it possible to match ports in the range 1024:65535 (for passive FTP for instance) ?

    Posted by Afshin — 16 May 2007, 07:26

  2. sda

    Posted by sdas — 23 May 2007, 06:57

  3. Match 0:1023, and then have a rule without any conditions, it would match whatever the first rule didn't match (e.g. 1024:65535).

    Posted by hazard — 15 Aug 2007, 12:07

  4. We are taking port ranges from the user and thus user can enter any range.
    Thus, please if you can let me know the formula behind calculation of mask value.

    eg. suppose I have to find whether the port entered is in the range 10-20 or not.
    How to formulate tc filter rule to match ports in the range 10 -20.

    Anshul Makkar

    Posted by anshul makkar — 22 Oct 2007, 05:57

    Delta = Stop - Start
    Mask = Delta XOR FFFF
    match ip sport 0xStart 0xMask

    Posted by erdem — 15 Jul 2008, 10:22

Add comment