255 lines
5.7 KiB
HTML
255 lines
5.7 KiB
HTML
|
||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<HTML><HEAD><TITLE>Man page of ematch</TITLE>
|
||
</HEAD><BODY>
|
||
<H1>ematch</H1>
|
||
Section: Linux (8)<BR>Updated: 6 August 2012<BR><A HREF="#index">Index</A>
|
||
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
||
|
||
<A NAME="lbAB"> </A>
|
||
<H2>NAME</H2>
|
||
|
||
ematch - extended matches for use with "basic", "cgroup" or "flow" filters
|
||
<A NAME="lbAC"> </A>
|
||
<H2>SYNOPSIS</H2>
|
||
|
||
<P>
|
||
|
||
<B>tc filter add .. basic match</B>
|
||
|
||
EXPR
|
||
|
||
<B>.. flowid ..</B>
|
||
|
||
<P>
|
||
<P>
|
||
<I>EXPR</I> := <I>TERM</I> [ {
|
||
|
||
<B>and | or</B>
|
||
|
||
}
|
||
<I>EXPR</I>
|
||
|
||
]
|
||
<P>
|
||
<I>TERM</I> := [ <I></I><B>not</B> ] { <I>MATCH</I> | '(' <I>EXPR</I> ')' }
|
||
|
||
<P>
|
||
<I>MATCH</I> := <I>module</I> '(' <I>ARGS</I> ')'
|
||
|
||
<P>
|
||
<I>ARGS</I> := <I>ARG1</I> <I>ARG2</I> ..
|
||
|
||
<P>
|
||
<A NAME="lbAD"> </A>
|
||
<H2>MATCHES</H2>
|
||
|
||
<P>
|
||
<A NAME="lbAE"> </A>
|
||
<H3>cmp</H3>
|
||
|
||
Simple comparison ematch: arithmetic compare of packet data to a given value.
|
||
<P>
|
||
<I>cmp</I>( <I>ALIGN</I> at <I>OFFSET</I> [ <I>ATTRS</I> ] { <I>eq</I> | <I>lt</I> | <I>gt</I> } <I>VALUE</I> )
|
||
|
||
<P>
|
||
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> }
|
||
|
||
<P>
|
||
<I>ATTRS</I> := [ layer <I>LAYER</I> ] [ mask <I>MASK</I> ] [ trans ]
|
||
|
||
<P>
|
||
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }
|
||
|
||
<P>
|
||
<A NAME="lbAF"> </A>
|
||
<H3>meta</H3>
|
||
|
||
Metadata ematch
|
||
<P>
|
||
<I>meta</I>( <I>OBJECT</I> { <I>eq</I> | <I>lt</I> |<I>gt</I> } <I>OBJECT</I> )
|
||
|
||
<P>
|
||
<I>OBJECT</I> := { <I>META_ID</I> | <I>VALUE</I> }
|
||
|
||
<P>
|
||
<I>META_ID</I> := <I>id</I> [ shift <I>SHIFT</I> ] [ mask <I>MASK</I> ]
|
||
|
||
<P>
|
||
<DL COMPACT>
|
||
<DT id="1">meta attributes:<DD>
|
||
<P>
|
||
<B>random</B> 32 bit random value
|
||
<P>
|
||
<B>loadavg_1</B> Load average in last 5 minutes
|
||
<P>
|
||
<B>nf_mark</B> Netfilter mark
|
||
<P>
|
||
<B>vlan</B> Vlan tag
|
||
<P>
|
||
<B>sk_rcvbuf</B> Receive buffer size
|
||
<P>
|
||
<B>sk_snd_queue</B> Send queue length
|
||
<P>
|
||
</DL>
|
||
<P>
|
||
|
||
A full list of meta attributes can be obtained via
|
||
<P>
|
||
# tc filter add dev eth1 basic match 'meta(list)'
|
||
<P>
|
||
<A NAME="lbAG"> </A>
|
||
<H3>nbyte</H3>
|
||
|
||
match packet data byte sequence
|
||
<P>
|
||
<I>nbyte</I>( <I>NEEDLE</I> at <I>OFFSET</I> [ layer <I>LAYER</I> ] )
|
||
|
||
<P>
|
||
<I>NEEDLE</I> := { <I>string</I> | <I>c-escape-sequence</I> }
|
||
|
||
<P>
|
||
<I>OFFSET</I> := <I>int</I>
|
||
|
||
<P>
|
||
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }
|
||
|
||
<P>
|
||
<A NAME="lbAH"> </A>
|
||
<H3>u32</H3>
|
||
|
||
u32 ematch
|
||
<P>
|
||
<I>u32</I>( <I>ALIGN</I> <I>VALUE</I> <I>MASK</I> at [ nexthdr+ ] <I>OFFSET</I> )
|
||
|
||
<P>
|
||
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> }
|
||
|
||
<P>
|
||
<A NAME="lbAI"> </A>
|
||
<H3>ipset</H3>
|
||
|
||
test packet against ipset membership
|
||
<P>
|
||
<I>ipset</I>( <I>SETNAME</I> <I>FLAGS</I> )
|
||
|
||
<P>
|
||
<I>SETNAME</I> := <I>string</I>
|
||
|
||
<P>
|
||
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }
|
||
|
||
<P>
|
||
The flag options are the same as those used by the iptables "set" match.
|
||
<P>
|
||
When using the ipset ematch with the "ip_set_hash:net,iface" set type,
|
||
the interface can be queried using "src,dst (source ip address, outgoing interface) or
|
||
"src,src" (source ip address, incoming interface) syntax.
|
||
<P>
|
||
<A NAME="lbAJ"> </A>
|
||
<H3>ipt</H3>
|
||
|
||
test packet against xtables matches
|
||
<P>
|
||
<I>ipt</I>( <I>[-6]</I> -m<I> </I>MATCH_NAME<I> </I>FLAGS<I> )</I>
|
||
|
||
<P>
|
||
<I>MATCH_NAME</I> := <I>string</I>
|
||
|
||
<P>
|
||
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }
|
||
|
||
<P>
|
||
The flag options are the same as those used by the xtable match used.
|
||
<P>
|
||
<A NAME="lbAK"> </A>
|
||
<H3>canid</H3>
|
||
|
||
ematch rule to match CAN frames
|
||
<P>
|
||
<I>canid</I>( <I>IDLIST</I> )
|
||
|
||
<P>
|
||
<I>IDLIST</I> := <I>IDSPEC</I>[<I>IDLIST</I>]
|
||
|
||
<P>
|
||
<I>IDSPEC</I> := { ’sff’ <I>CANID</I> | ’eff’ <I>CANID</I> }
|
||
|
||
<P>
|
||
<I>CANID</I> := <I>ID</I>[<I>:MASK</I>]
|
||
|
||
<P>
|
||
<I>ID</I>, <I>MASK</I> := hexadecimal number (i.e. 0x123)
|
||
|
||
<P>
|
||
<A NAME="lbAL"> </A>
|
||
<H2>CAVEATS</H2>
|
||
|
||
<P>
|
||
The ematch syntax uses '(' and ')' to group expressions. All braces need to be
|
||
escaped properly to prevent shell commandline from interpreting these directly.
|
||
<P>
|
||
When using the ipset ematch with the "ifb" device, the outgoing device will be the
|
||
ifb device itself, e.g. "ifb0".
|
||
The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.
|
||
<P>
|
||
<A NAME="lbAM"> </A>
|
||
<H2>EXAMPLE & USAGE</H2>
|
||
|
||
<P>
|
||
# tc filter add .. basic match ...
|
||
<P>
|
||
# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
|
||
<P>
|
||
# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
|
||
<P>
|
||
# 'nbyte("ababa" at 12 layer 1)'
|
||
<P>
|
||
# 'u32(u16 0x1122 0xffff at nexthdr+4)'
|
||
<P>
|
||
Check if packet source ip address is member of set named <B>bulk</B>:
|
||
<P>
|
||
# 'ipset(bulk src)'
|
||
<P>
|
||
Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named <B>interactive</B>:
|
||
<P>
|
||
# 'ipset(interactive src,src)'
|
||
<P>
|
||
Check if packet matches an IPSec state with reqid 1:
|
||
<P>
|
||
# 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
|
||
<P>
|
||
<A NAME="lbAN"> </A>
|
||
<H2>AUTHOR</H2>
|
||
|
||
<P>
|
||
The extended match infrastructure was added by Thomas Graf.
|
||
<P>
|
||
|
||
<HR>
|
||
<A NAME="index"> </A><H2>Index</H2>
|
||
<DL>
|
||
<DT id="2"><A HREF="#lbAB">NAME</A><DD>
|
||
<DT id="3"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
||
<DT id="4"><A HREF="#lbAD">MATCHES</A><DD>
|
||
<DL>
|
||
<DT id="5"><A HREF="#lbAE">cmp</A><DD>
|
||
<DT id="6"><A HREF="#lbAF">meta</A><DD>
|
||
<DT id="7"><A HREF="#lbAG">nbyte</A><DD>
|
||
<DT id="8"><A HREF="#lbAH">u32</A><DD>
|
||
<DT id="9"><A HREF="#lbAI">ipset</A><DD>
|
||
<DT id="10"><A HREF="#lbAJ">ipt</A><DD>
|
||
<DT id="11"><A HREF="#lbAK">canid</A><DD>
|
||
</DL>
|
||
<DT id="12"><A HREF="#lbAL">CAVEATS</A><DD>
|
||
<DT id="13"><A HREF="#lbAM">EXAMPLE & USAGE</A><DD>
|
||
<DT id="14"><A HREF="#lbAN">AUTHOR</A><DD>
|
||
</DL>
|
||
<HR>
|
||
This document was created by
|
||
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
||
using the manual pages.<BR>
|
||
Time: 00:06:17 GMT, March 31, 2021
|
||
</BODY>
|
||
</HTML>
|