ematch(8)                             Linux                           ematch(8)

NAME

6       ematch  -  extended  matches  for use with "basic", "cgroup"  or "flow"
7       filters
8

SYNOPSIS

10       tc filter add .. basic match EXPR .. flowid ..
11
12
13       EXPR := TERM [ { and | or } EXPR ]
14
15       TERM := [ not ] { MATCH | '(' EXPR ')' }
16
17       MATCH := module '(' ARGS ')'
18
19       ARGS := ARG1 ARG2 ..
20
21

MATCHES

23   cmp
24       Simple comparison ematch: arithmetic compare of packet data to a given
25       value.
26
27       cmp( ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE )
28
29       ALIGN := { u8 | u16 | u32 }
30
31       ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
32
33       LAYER := { link | network | transport | 0..2 }
34
35
36   meta
37       Metadata ematch
38
       meta( OBJECT { eq | lt | gt } OBJECT )
40
41       OBJECT := { META_ID |  VALUE }
42
43       META_ID := id [ shift SHIFT ] [ mask MASK ]
44
45
46       meta attributes:
47
48              random 32 bit random value
49
50              loadavg_1 Load average in last 5 minutes
51
52              nf_mark Netfilter mark
53
54              vlan Vlan tag
55
56              sk_rcvbuf Receive buffer size
57
58              sk_snd_queue Send queue length
59
60
61       A full list of meta attributes can be obtained via
62
63       # tc filter add dev eth1 basic match 'meta(list)'
64
65
66   nbyte
67       match packet data byte sequence
68
69       nbyte( NEEDLE at OFFSET [ layer LAYER ] )
70
71       NEEDLE := { string | c-escape-sequence  }
72
73       OFFSET := int
74
75       LAYER := { link | network | transport | 0..2 }
76
77
78   u32
79       u32 ematch
80
81       u32( ALIGN VALUE MASK at [ nexthdr+ ] OFFSET )
82
83       ALIGN := { u8 | u16 | u32 }
84
85
86   ipset
87       test packet against ipset membership
88
89       ipset( SETNAME FLAGS )
90
91       SETNAME := string
92
93       FLAGS := { FLAG [, FLAGS] }
94
95       The flag options are the same as those used by the iptables "set"
96       match.
97
       When using the ipset ematch with the "ip_set_hash:net,iface" set type,
       the interface can be queried using the "src,dst" (source ip address,
       outgoing interface) or "src,src" (source ip address, incoming
       interface) syntax.
102
103
104   ipt
105       test packet against xtables matches
106
107       ipt( [-6] -m MATCH_NAME FLAGS )
108
109       MATCH_NAME := string
110
111       FLAGS := { FLAG [, FLAGS] }
112
       The flag options are the same as those accepted by the xtables match
       being used.
114
115
116   canid
117       ematch rule to match CAN frames
118
119       canid( IDLIST )
120
121       IDLIST :=  IDSPEC[IDLIST]
122
       IDSPEC := { 'sff' CANID | 'eff' CANID }
124
125       CANID := ID[:MASK]
126
       ID, MASK := hexadecimal number (e.g. 0x123)
128
129

CAVEATS

       The ematch syntax uses '(' and ')' to group expressions. All
       parentheses must be quoted or escaped so that the shell does not
       interpret them itself.
134
135       When using the ipset ematch with the "ifb" device, the outgoing device
136       will be the ifb device itself, e.g. "ifb0".  The original interface
137       (i.e. the device the packet arrived on) is treated as the incoming
138       interface.
139
140

EXAMPLE & USAGE

142       # tc filter add .. basic match ...
143
144       # 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
145
       # 'meta(nf_mark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
147
148       # 'nbyte("ababa" at 12 layer 1)'
149
150       # 'u32(u16 0x1122 0xffff at nexthdr+4)'
151
       Check if the packet source ip address is a member of the set named bulk:
153
154       # 'ipset(bulk src)'
155
       Check if the packet source ip and the interface the packet arrived on
       are a member of the "hash:net,iface" set named interactive:
158
159       # 'ipset(interactive src,src)'
160
161       Check if packet matches an IPSec state with reqid 1:
162
163       # 'ipt(-m policy --dir in --pol ipsec --reqid 1)'
164
165

AUTHOR

167       The extended match infrastructure was added by Thomas Graf.
iproute2                          6 August 2012                       ematch(8)