man-pages/man8/tc-ematch.8.html
2021-03-31 01:06:50 +01:00

255 lines
5.7 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of ematch</TITLE>
</HEAD><BODY>
<H1>ematch</H1>
Section: Linux (8)<BR>Updated: 6 August 2012<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
ematch - extended matches for use with &quot;basic&quot;, &quot;cgroup&quot; or &quot;flow&quot; filters
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<P>
<B>tc filter add .. basic match</B>
EXPR
<B>.. flowid ..</B>
<P>
<P>
<I>EXPR</I> := <I>TERM</I> [ {
<B>and | or</B>
}
<I>EXPR</I>
]
<P>
<I>TERM</I> := [ <I></I><B>not</B> ] { <I>MATCH</I> | '(' <I>EXPR</I> ')' }
<P>
<I>MATCH</I> := <I>module</I> '(' <I>ARGS</I> ')'
<P>
<I>ARGS</I> := <I>ARG1</I> <I>ARG2</I> ..
<P>
<A NAME="lbAD">&nbsp;</A>
<H2>MATCHES</H2>
<P>
<A NAME="lbAE">&nbsp;</A>
<H3>cmp</H3>
Simple comparison ematch: arithmetic compare of packet data to a given value.
<P>
<I>cmp</I>( <I>ALIGN</I> at <I>OFFSET</I> [ <I>ATTRS</I> ] { <I>eq</I> | <I>lt</I> | <I>gt</I> } <I>VALUE</I> )
<P>
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> }
<P>
<I>ATTRS</I> := [ layer <I>LAYER</I> ] [ mask <I>MASK</I> ] [ trans ]
<P>
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }
<P>
<A NAME="lbAF">&nbsp;</A>
<H3>meta</H3>
Metadata ematch
<P>
<I>meta</I>( <I>OBJECT</I> { <I>eq</I> | <I>lt</I> |<I>gt</I> } <I>OBJECT</I> )
<P>
<I>OBJECT</I> := { <I>META_ID</I> | <I>VALUE</I> }
<P>
<I>META_ID</I> := <I>id</I> [ shift <I>SHIFT</I> ] [ mask <I>MASK</I> ]
<P>
<DL COMPACT>
<DT id="1">meta attributes:<DD>
<P>
<B>random</B> 32 bit random value
<P>
<B>loadavg_1</B> Load average in last 5 minutes
<P>
<B>nf_mark</B> Netfilter mark
<P>
<B>vlan</B> Vlan tag
<P>
<B>sk_rcvbuf</B> Receive buffer size
<P>
<B>sk_snd_queue</B> Send queue length
<P>
</DL>
<P>
A full list of meta attributes can be obtained via
<P>
# tc filter add dev eth1 basic match 'meta(list)'
<P>
<A NAME="lbAG">&nbsp;</A>
<H3>nbyte</H3>
match packet data byte sequence
<P>
<I>nbyte</I>( <I>NEEDLE</I> at <I>OFFSET</I> [ layer <I>LAYER</I> ] )
<P>
<I>NEEDLE</I> := { <I>string</I> | <I>c-escape-sequence</I> }
<P>
<I>OFFSET</I> := <I>int</I>
<P>
<I>LAYER</I> := { <I>link</I> | <I>network</I> | <I>transport</I> | <I>0..2</I> }
<P>
<A NAME="lbAH">&nbsp;</A>
<H3>u32</H3>
u32 ematch
<P>
<I>u32</I>( <I>ALIGN</I> <I>VALUE</I> <I>MASK</I> at [ nexthdr+ ] <I>OFFSET</I> )
<P>
<I>ALIGN</I> := { <I>u8</I> | <I>u16</I> | <I>u32</I> }
<P>
<A NAME="lbAI">&nbsp;</A>
<H3>ipset</H3>
test packet against ipset membership
<P>
<I>ipset</I>( <I>SETNAME</I> <I>FLAGS</I> )
<P>
<I>SETNAME</I> := <I>string</I>
<P>
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }
<P>
The flag options are the same as those used by the iptables &quot;set&quot; match.
<P>
When using the ipset ematch with the &quot;ip_set_hash:net,iface&quot; set type,
the interface can be queried using &quot;src,dst (source ip address, outgoing interface) or
&quot;src,src&quot; (source ip address, incoming interface) syntax.
<P>
<A NAME="lbAJ">&nbsp;</A>
<H3>ipt</H3>
test packet against xtables matches
<P>
<I>ipt</I>( <I>[-6]</I> -m<I> </I>MATCH_NAME<I> </I>FLAGS<I> )</I>
<P>
<I>MATCH_NAME</I> := <I>string</I>
<P>
<I>FLAGS</I> := { <I>FLAG</I> [, <I>FLAGS</I>] }
<P>
The flag options are the same as those used by the xtable match used.
<P>
<A NAME="lbAK">&nbsp;</A>
<H3>canid</H3>
ematch rule to match CAN frames
<P>
<I>canid</I>( <I>IDLIST</I> )
<P>
<I>IDLIST</I> := <I>IDSPEC</I>[<I>IDLIST</I>]
<P>
<I>IDSPEC</I> := { sff <I>CANID</I> | eff <I>CANID</I> }
<P>
<I>CANID</I> := <I>ID</I>[<I>:MASK</I>]
<P>
<I>ID</I>, <I>MASK</I> := hexadecimal number (i.e. 0x123)
<P>
<A NAME="lbAL">&nbsp;</A>
<H2>CAVEATS</H2>
<P>
The ematch syntax uses '(' and ')' to group expressions. All braces need to be
escaped properly to prevent shell commandline from interpreting these directly.
<P>
When using the ipset ematch with the &quot;ifb&quot; device, the outgoing device will be the
ifb device itself, e.g. &quot;ifb0&quot;.
The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.
<P>
<A NAME="lbAM">&nbsp;</A>
<H2>EXAMPLE &amp; USAGE</H2>
<P>
# tc filter add .. basic match ...
<P>
# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
<P>
# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
<P>
# 'nbyte(&quot;ababa&quot; at 12 layer 1)'
<P>
# 'u32(u16 0x1122 0xffff at nexthdr+4)'
<P>
Check if packet source ip address is member of set named <B>bulk</B>:
<P>
# 'ipset(bulk src)'
<P>
Check if packet source ip and the interface the packet arrived on is member of &quot;hash:net,iface&quot; set named <B>interactive</B>:
<P>
# 'ipset(interactive src,src)'
<P>
Check if packet matches an IPSec state with reqid 1:
<P>
# 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
<P>
<A NAME="lbAN">&nbsp;</A>
<H2>AUTHOR</H2>
<P>
The extended match infrastructure was added by Thomas Graf.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="2"><A HREF="#lbAB">NAME</A><DD>
<DT id="3"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="4"><A HREF="#lbAD">MATCHES</A><DD>
<DL>
<DT id="5"><A HREF="#lbAE">cmp</A><DD>
<DT id="6"><A HREF="#lbAF">meta</A><DD>
<DT id="7"><A HREF="#lbAG">nbyte</A><DD>
<DT id="8"><A HREF="#lbAH">u32</A><DD>
<DT id="9"><A HREF="#lbAI">ipset</A><DD>
<DT id="10"><A HREF="#lbAJ">ipt</A><DD>
<DT id="11"><A HREF="#lbAK">canid</A><DD>
</DL>
<DT id="12"><A HREF="#lbAL">CAVEATS</A><DD>
<DT id="13"><A HREF="#lbAM">EXAMPLE &amp; USAGE</A><DD>
<DT id="14"><A HREF="#lbAN">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:17 GMT, March 31, 2021
</BODY>
</HTML>