man-pages/man8/tc-ematch.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of ematch</TITLE>
</HEAD><BODY>
<H1>ematch</H1>
Section: Linux (8)<BR>Updated: 6 August 2012<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ematch - extended matches for use with &quot;basic&quot;, &quot;cgroup&quot;  or &quot;flow&quot; filters
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<P>

<B>tc filter add .. basic match</B>

EXPR

<B>.. flowid ..</B>

<P>
<P>
<I>EXPR</I> := <I>TERM</I> [ { 

<B>and | or</B>

}
<I>EXPR</I>

]
<P>
<I>TERM</I> := [ <I></I><B>not</B> ] { <I>MATCH</I> | '(' <I>EXPR</I> ')' } 

<P>
<I>MATCH</I> := <I>module</I> '(' <I>ARGS</I> ')' 

<P>
<I>ARGS</I> := <I>ARG1</I> <I>ARG2</I> ..

<P>
<A NAME="lbAD">&nbsp;</A>
<H2>MATCHES</H2>

<P>
<A NAME="lbAE">&nbsp;</A>
<H3>cmp</H3>

Simple comparison ematch: arithmetic compare of packet data to a given value.
<P>
<I>cmp</I>( <I>ALIGN</I> at <I>OFFSET</I> [ <I>ATTRS</I> ] { <I>eq</I> | <I>lt</I> | <I>gt</I> } <I>VALUE</I> )

<P>
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> } 

<P>
<I>ATTRS</I> := [ layer <I>LAYER</I> ] [ mask <I>MASK</I> ] [ trans ]

<P>
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }

<P>
<A NAME="lbAF">&nbsp;</A>
<H3>meta</H3>

Metadata ematch
<P>
<I>meta</I>( <I>OBJECT</I> { <I>eq</I> | <I>lt</I> |<I>gt</I> } <I>OBJECT</I> )

<P>
<I>OBJECT</I> := { <I>META_ID</I> |  <I>VALUE</I> }

<P>
<I>META_ID</I> := <I>id</I> [ shift <I>SHIFT</I> ] [ mask <I>MASK</I> ]

<P>
<DL COMPACT>
<DT id="1">meta attributes:<DD>
<P>
<B>random</B> 32 bit random value
<P>
<B>loadavg_1</B> Load average in last 5 minutes
<P>
<B>nf_mark</B> Netfilter mark
<P>
<B>vlan</B> Vlan tag
<P>
<B>sk_rcvbuf</B> Receive buffer size
<P>
<B>sk_snd_queue</B> Send queue length
<P>
</DL>
<P>

A full list of meta attributes can be obtained via
<P>
# tc filter add dev eth1 basic match 'meta(list)'
<P>
<A NAME="lbAG">&nbsp;</A>
<H3>nbyte</H3>

match packet data byte sequence
<P>
<I>nbyte</I>( <I>NEEDLE</I> at <I>OFFSET</I> [ layer <I>LAYER</I> ] )

<P>
<I>NEEDLE</I> := { <I>string</I> | <I>c-escape-sequence</I>  } 

<P>
<I>OFFSET</I> := <I>int</I>

<P>
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }

<P>
<A NAME="lbAH">&nbsp;</A>
<H3>u32</H3>

u32 ematch
<P>
<I>u32</I>( <I>ALIGN</I> <I>VALUE</I> <I>MASK</I> at [ nexthdr+ ] <I>OFFSET</I> )

<P>
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> }

<P>
<A NAME="lbAI">&nbsp;</A>
<H3>ipset</H3>

test packet against ipset membership
<P>
<I>ipset</I>( <I>SETNAME</I> <I>FLAGS</I> )

<P>
<I>SETNAME</I> := <I>string</I>

<P>
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }

<P>
The flag options are the same as those used by the iptables &quot;set&quot; match.
<P>
When using the ipset ematch with the &quot;ip_set_hash:net,iface&quot; set type,
the interface can be queried using &quot;src,dst (source ip address, outgoing interface) or
&quot;src,src&quot; (source ip address, incoming interface) syntax.
<P>
<A NAME="lbAJ">&nbsp;</A>
<H3>ipt</H3>

test packet against xtables matches
<P>
<I>ipt</I>( <I>[-6]</I> -m<I> </I>MATCH_NAME<I> </I>FLAGS<I> )</I>

<P>
<I>MATCH_NAME</I> := <I>string</I>

<P>
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }

<P>
The flag options are the same as those used by the xtable match used.
<P>
<A NAME="lbAK">&nbsp;</A>
<H3>canid</H3>

ematch rule to match CAN frames
<P>
<I>canid</I>( <I>IDLIST</I> )

<P>
<I>IDLIST</I> :=  <I>IDSPEC</I>[<I>IDLIST</I>]

<P>
<I>IDSPEC</I> := { ’sff’ <I>CANID</I> | ’eff’ <I>CANID</I> }

<P>
<I>CANID</I> := <I>ID</I>[<I>:MASK</I>]

<P>
<I>ID</I>, <I>MASK</I> := hexadecimal number (i.e. 0x123)

<P>
<A NAME="lbAL">&nbsp;</A>
<H2>CAVEATS</H2>

<P>
The ematch syntax uses '(' and ')' to group expressions. All braces need to be
escaped properly to prevent shell commandline from interpreting these directly.
<P>
When using the ipset ematch with the &quot;ifb&quot; device, the outgoing device will be the
ifb device itself, e.g. &quot;ifb0&quot;.
The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.
<P>
<A NAME="lbAM">&nbsp;</A>
<H2>EXAMPLE &amp; USAGE</H2>

<P>
# tc filter add .. basic match ...
<P>
# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
<P>
# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
<P>
# 'nbyte(&quot;ababa&quot; at 12 layer 1)'
<P>
# 'u32(u16 0x1122 0xffff at nexthdr+4)'
<P>
Check if packet source ip address is member of set named <B>bulk</B>:
<P>
# 'ipset(bulk src)'
<P>
Check if packet source ip and the interface the packet arrived on is member of &quot;hash:net,iface&quot; set named <B>interactive</B>:
<P>
# 'ipset(interactive src,src)'
<P>
Check if packet matches an IPSec state with reqid 1:
<P>
# 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
<P>
<A NAME="lbAN">&nbsp;</A>
<H2>AUTHOR</H2>

<P>
The extended match infrastructure was added by Thomas Graf.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="2"><A HREF="#lbAB">NAME</A><DD>
<DT id="3"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="4"><A HREF="#lbAD">MATCHES</A><DD>
<DL>
<DT id="5"><A HREF="#lbAE">cmp</A><DD>
<DT id="6"><A HREF="#lbAF">meta</A><DD>
<DT id="7"><A HREF="#lbAG">nbyte</A><DD>
<DT id="8"><A HREF="#lbAH">u32</A><DD>
<DT id="9"><A HREF="#lbAI">ipset</A><DD>
<DT id="10"><A HREF="#lbAJ">ipt</A><DD>
<DT id="11"><A HREF="#lbAK">canid</A><DD>
</DL>
<DT id="12"><A HREF="#lbAL">CAVEATS</A><DD>
<DT id="13"><A HREF="#lbAM">EXAMPLE &amp; USAGE</A><DD>
<DT id="14"><A HREF="#lbAN">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:17 GMT, March 31, 2021
</BODY>
</HTML>