ematch(8)                           Linux                           ematch(8)

NAME
       ematch - extended matches for use with "basic", "cgroup" or "flow"
       filters

SYNOPSIS
       tc filter add .. basic match EXPR .. flowid ..

       EXPR := TERM [ { and | or } EXPR ]

       TERM := [ not ] { MATCH | '(' EXPR ')' }

       MATCH := module '(' ARGS ')'

       ARGS := ARG1 ARG2 ..

MATCHES
       cmp    Simple comparison ematch: arithmetic compare of packet data to a
              given value.

              cmp( ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE )

              ALIGN := { u8 | u16 | u32 }

              ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]

              LAYER := { link | network | transport | 0..2 }

       meta   Metadata ematch

              meta( OBJECT { eq | lt | gt } OBJECT )

              OBJECT := { META_ID | VALUE }

              META_ID := id [ shift SHIFT ] [ mask MASK ]

              meta attributes:

                     random        32 bit random value

                     loadavg_1     Load average in last 5 minutes

                     nf_mark       Netfilter mark

                     vlan          Vlan tag

                     sk_rcvbuf     Receive buffer size

                     sk_snd_queue  Send queue length

              A full list of meta attributes can be obtained via

              # tc filter add dev eth1 basic match 'meta(list)'

       nbyte  match packet data byte sequence

              nbyte( NEEDLE at OFFSET [ layer LAYER ] )

              NEEDLE := { string | c-escape-sequence }

              OFFSET := int

              LAYER := { link | network | transport | 0..2 }

       u32    u32 ematch

              u32( ALIGN VALUE MASK at [ nexthdr+ ] OFFSET )

              ALIGN := { u8 | u16 | u32 }

       ipset  test packet against ipset membership

              ipset( SETNAME FLAGS )

              SETNAME := string

              FLAGS := { FLAG [, FLAGS] }

              The flag options are the same as those used by the iptables
              "set" match.

              When using the ipset ematch with the "ip_set_hash:net,iface" set
              type, the interface can be queried using the "src,dst" (source
              ip address, outgoing interface) or "src,src" (source ip address,
              incoming interface) syntax.

       ipt    test packet against xtables matches

              ipt( [-6] -m MATCH_NAME FLAGS )

              MATCH_NAME := string

              FLAGS := { FLAG [, FLAGS] }

              The flag options are the same as those used by the xtables
              match in question.

       canid  ematch rule to match CAN frames

              canid( IDLIST )

              IDLIST := IDSPEC[IDLIST]

              IDSPEC := { 'sff' CANID | 'eff' CANID }

              CANID := ID[:MASK]

              ID, MASK := hexadecimal number (e.g. 0x123)

NOTES
       The ematch syntax uses '(' and ')' to group expressions. All
       parentheses need to be escaped properly to prevent the shell command
       line from interpreting them directly.

       When using the ipset ematch with the "ifb" device, the outgoing device
       will be the ifb device itself, e.g. "ifb0". The original interface
       (i.e. the device the packet arrived on) is treated as the incoming
       interface.

EXAMPLES
       # tc filter add .. basic match ...

       # 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'

       # 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'

       # 'nbyte("ababa" at 12 layer 1)'

       # 'u32(u16 0x1122 0xffff at nexthdr+4)'

       Check if packet source ip address is member of set named bulk:

       # 'ipset(bulk src)'

       Check if packet source ip and the interface the packet arrived on is
       member of "hash:net,iface" set named interactive:

       # 'ipset(interactive src,src)'

       Check if packet matches an IPSec state with reqid 1:

       # 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
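
       As an added example (not iproute2 code), the following Python
       validator implements the EXPR / TERM / MATCH grammar from the synopsis
       as a recursive-descent parser, so a filter expression can be checked
       for balanced grouping parentheses and for module names documented on
       this page before it is quoted for the shell and handed to tc; the
       and/or chaining is right-recursive exactly as the grammar is written.
       It checks only expression structure and module names, not the
       arguments of each module.

```python
import re
from collections import deque

# Token: '(' / ')', keyword and/or/not, or module '(' args ')' (args verbatim; no nested parens)
_TOKEN = re.compile(r"\s*(?:([()])|(and|or|not)\b|([A-Za-z_]\w*)\s*\(([^()]*)\))")
KNOWN_MODULES = {"cmp", "meta", "nbyte", "u32", "ipset", "ipt", "canid"}  # as documented above

def tokenize(text):
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {text[pos:pos + 12]!r}")
        paren, kw, mod, args = m.groups()
        if mod and mod not in KNOWN_MODULES:
            raise ValueError(f"unknown ematch module {mod!r}")
        toks.append((paren,) if paren else ("kw", kw) if kw else ("match", mod, args.strip()))
        pos = m.end()
    return toks

def parse(text):
    # AST: ('match', module, args) | ('not', node) | ('and' | 'or', left, right)
    toks = deque(tokenize(text) + [None])  # trailing None marks end of input
    def term():  # TERM := [ not ] { MATCH | '(' EXPR ')' }
        tok = toks.popleft()
        if tok == ("kw", "not"):
            return ("not", term())
        if tok == ("(",):
            node = expr()
            if toks.popleft() != (")",):
                raise ValueError("missing ')'")
            return node
        if tok and tok[0] == "match":
            return tok
        raise ValueError(f"unexpected token or end of input: {tok!r}")
    def expr():  # EXPR := TERM [ { and | or } EXPR ], right-recursive as written
        left = term()
        if toks[0] in (("kw", "and"), ("kw", "or")):
            return (toks.popleft()[1], left, expr())
        return left
    node = expr()
    if toks[0] is not None:
        raise ValueError(f"trailing input after expression: {toks[0]!r}")
    return node

def is_valid(text):
    try:
        return parse(text) is not None
    except ValueError:
        return False
```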

AUTHOR
       The extended match infrastructure was added by Thomas Graf.

iproute2                        6 August 2012                        ematch(8)