1ematch(8) Linux ematch(8)
2
6 ematch - extended matches for use with "basic", "cgroup" or "flow"
7 filters
8
10 tc filter add .. basic match EXPR .. flowid ..
11 EXPR := TERM [ { and | or } EXPR ]
14 TERM := [ not ] { MATCH | '(' EXPR ')' }
16 MATCH := module '(' ARGS ')'
18 ARGS := ARG1 ARG2 ..
20
23 cmp
24 Simple comparison ematch: arithmetic compare of packet data to a given
25 value.
26 cmp( ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE )
28 ALIGN := { u8 | u16 | u32 }
30 ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
32 LAYER := { link | network | transport | 0..2 }
34 meta
37 Metadata ematch
38 meta( OBJECT { eq | lt |gt } OBJECT )
40 OBJECT := { META_ID | VALUE }
42 META_ID := id [ shift SHIFT ] [ mask MASK ]
44 meta attributes:
47 random 32 bit random value
49 loadavg_1 Load average in last 5 minutes
51 nf_mark Netfilter mark
53 vlan Vlan tag
55 sk_rcvbuf Receive buffer size
57 sk_snd_queue Send queue length
59 A full list of meta attributes can be obtained via
62 # tc filter add dev eth1 basic match 'meta(list)'
64 nbyte
67 match packet data byte sequence
68 nbyte( NEEDLE at OFFSET [ layer LAYER ] )
70 NEEDLE := { string | c-escape-sequence }
72 OFFSET := int
74 LAYER := { link | network | transport | 0..2 }
76 u32
79 u32 ematch
80 u32( ALIGN VALUE MASK at [ nexthdr+ ] OFFSET )
82 ALIGN := { u8 | u16 | u32 }
84 ipset
87 test packet against ipset membership
88 ipset( SETNAME FLAGS )
90 SETNAME := string
92 FLAGS := { FLAG [, FLAGS] }
94 The flag options are the same as those used by the iptables "set"
96 match.
97 When using the ipset ematch with the "ip_set_hash:net,iface" set type,
99 the interface can be queried using "src,dst (source ip address, outgo‐
100 ing interface) or "src,src" (source ip address, incoming interface)
101 syntax.
102 ipt
105 test packet against xtables matches
106 ipt( [-6] -m MATCH_NAME FLAGS )
108 MATCH_NAME := string
110 FLAGS := { FLAG [, FLAGS] }
112 The flag options are the same as those used by the xtable match used.
114 canid
117 ematch rule to match CAN frames
118 canid( IDLIST )
120 IDLIST := IDSPEC[IDLIST]
122 IDSPEC := { ’sff’ CANID | ’eff’ CANID }
124 CANID := ID[:MASK]
126 ID, MASK := hexadecimal number (i.e. 0x123)
128
131 The ematch syntax uses '(' and ')' to group expressions. All braces
132 need to be escaped properly to prevent shell commandline from inter‐
133 preting these directly.
134 When using the ipset ematch with the "ifb" device, the outgoing device
136 will be the ifb device itself, e.g. "ifb0". The original interface
137 (i.e. the device the packet arrived on) is treated as the incoming
138 interface.
139
142 # tc filter add .. basic match ...
143 # 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
145 # 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
147 # 'nbyte("ababa" at 12 layer 1)'
149 # 'u32(u16 0x1122 0xffff at nexthdr+4)'
151 Check if packet source ip address is member of set named bulk:
153 # 'ipset(bulk src)'
155 Check if packet source ip and the interface the packet arrived on is
157 member of "hash:net,iface" set named interactive:
158 # 'ipset(interactive src,src)'
160 Check if packet matches an IPSec state with reqid 1:
162 # 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
164
167 The extended match infrastructure was added by Thomas Graf.
168iproute2 6 August 2012 ematch(8)