[mirror_iproute2.git] / man / man8 / tc-ematch.8

.TH ematch 8 "6 August 2012" iproute2 Linux
.
.SH NAME
ematch \- extended matches for use with "basic" or "flow" filters
.
.SH SYNOPSIS
.sp
.ad l
.in +8
.ti -8
.B "tc filter add .. basic match"
.RI EXPR
.B .. flowid ..
.sp

.ti -8
.IR EXPR " := " TERM " [ { "
.B and | or
}
.IR EXPR
]

.ti -8
.IR TERM " := [ " \fBnot " ] { " MATCH " | '(' " EXPR " ')' } "

.ti -8
.IR MATCH " := " module " '(' " ARGS " ')' "

.ti -8
.IR ARGS " := " ARG1 " " ARG2 " ..

.SH MATCHES

.SS cmp
Simple comparison ematch: arithmetic compare of packet data to a given value.
.ti
.IR cmp "( " ALIGN " at " OFFSET " [ " ATTRS " ] { " eq " | " lt " | " gt " } " VALUE " )

.ti
.IR ALIGN " := { " u8 " | " u16 " | " u32 " } "

.ti
.IR ATTRS " := [ layer " LAYER " ] [ mask " MASK " ] [ trans ]

.ti
.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }

.SS meta
Metadata ematch
.ti
.IR meta "( " OBJECT " { " eq " | " lt " |" gt " } " OBJECT " )

.ti
.IR OBJECT " := { " META_ID " |  " VALUE " }

.ti
.IR META_ID " := " id " [ shift " SHIFT " ] [ mask " MASK " ]

.TP
meta attributes:

\fBrandom\fP 32 bit random value

\fBloadavg_1\fP Load average in last 5 minutes

\fBnf_mark\fP Netfilter mark

\fBvlan\fP Vlan tag

\fBsk_rcvbuf\fP Receive buffer size

\fBsk_snd_queue\fP Send queue length

.PP
A full list of meta attributes can be obtained via

# tc filter add dev eth1 basic match 'meta(list)'

.SS nbyte
match packet data byte sequence
.ti
.IR nbyte "( " NEEDLE  " at " OFFSET " [ layer " LAYER " ] )

.ti
.IR NEEDLE  " := { " string " | " c-escape-sequence "  } "

.ti
.IR OFFSET  " := " int

.ti
.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }

.SS u32
u32 ematch
.ti
.IR u32 "( " ALIGN " " VALUE " " MASK " at [ nexthdr+ ] " OFFSET " )

.ti
.IR ALIGN " := { " u8 " | " u16 " | " u32 " }

.SS ipset
test packet against ipset membership
.ti
.IR ipset "( " SETNAME " " FLAGS " )

.ti
.IR SETNAME " := " string

.ti
.IR FLAGS " := { " FLAG " [, " FLAGS "] }

The flag options are the same as those used by the iptables "set" match.

When using the ipset ematch with the "ip_set_hash:net,iface" set type,
the interface can be queried using "src,dst (source ip address, outgoing interface) or
"src,src" (source ip address, incoming interface) syntax.

.SH CAVEATS

The ematch syntax uses '(' and ')' to group expressions. All braces need to be
escaped properly to prevent shell commandline from interpreting these directly.

When using the ipset ematch with the "ifb" device, the outgoing device will be the
ifb device itself, e.g. "ifb0".
The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.

.SH EXAMPLE & USAGE

# tc filter add .. basic match ...

# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'

# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'

# 'nbyte("ababa" at 12 layer 1)'

# 'u32(u16 0x1122 0xffff at nexthdr+4)'

Check if packet source ip address is member of set named \fBbulk\fP:

# 'ipset(bulk src)'

Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named \fBinteractive\fP:

# 'ipset(interactive src,src)'

.SH "AUTHOR"

The extended match infrastructure was added by Thomas Graf.
Commit	Line	Data
caadda93	1	.TH ematch 8 "6 August 2012" iproute2 Linux
c487348a FW	2	.
	3	.SH NAME
	4	ematch \- extended matches for use with "basic" or "flow" filters
	5	.
	6	.SH SYNOPSIS
	7	.sp
	8	.ad l
	9	.in +8
	10	.ti -8
	11	.B "tc filter add .. basic match"
	12	.RI EXPR
	13	.B .. flowid ..
	14	.sp
	15
	16	.ti -8
	17	.IR EXPR " := " TERM " [ { "
	18	.B and \| or
	19	}
	20	.IR EXPR
	21	]
	22
	23	.ti -8
1b3c149b	24	.IR TERM " := [ " \fBnot " ] { " MATCH " \| '(' " EXPR " ')' } "
c487348a FW	25
	26	.ti -8
	27	.IR MATCH " := " module " '(' " ARGS " ')' "
	28
	29	.ti -8
	30	.IR ARGS " := " ARG1 " " ARG2 " ..
	31
	32	.SH MATCHES
	33
	34	.SS cmp
	35	Simple comparison ematch: arithmetic compare of packet data to a given value.
	36	.ti
1b3c149b	37	.IR cmp "( " ALIGN " at " OFFSET " [ " ATTRS " ] { " eq " \| " lt " \| " gt " } " VALUE " )
c487348a FW	38
	39	.ti
	40	.IR ALIGN " := { " u8 " \| " u16 " \| " u32 " } "
	41
	42	.ti
1b3c149b	43	.IR ATTRS " := [ layer " LAYER " ] [ mask " MASK " ] [ trans ]
c487348a FW	44
c487348a FW	45	.ti
1b3c149b	46	.IR LAYER " := { " link " \| " network " \| " transport " \| " 0..2 " }
c487348a FW	47
	48	.SS meta
	49	Metadata ematch
	50	.ti
1b3c149b	51	.IR meta "( " OBJECT " { " eq " \| " lt " \|" gt " } " OBJECT " )
c487348a FW	52
	53	.ti
	54	.IR OBJECT " := { " META_ID " \| " VALUE " }
	55
	56	.ti
1b3c149b	57	.IR META_ID " := " id " [ shift " SHIFT " ] [ mask " MASK " ]
c487348a FW	58
	59	.TP
	60	meta attributes:
	61
	62	\fBrandom\fP 32 bit random value
	63
	64	\fBloadavg_1\fP Load average in last 5 minutes
	65
	66	\fBnf_mark\fP Netfilter mark
	67
	68	\fBvlan\fP Vlan tag
	69
	70	\fBsk_rcvbuf\fP Receive buffer size
	71
	72	\fBsk_snd_queue\fP Send queue length
	73
	74	.PP
	75	A full list of meta attributes can be obtained via
	76
	77	# tc filter add dev eth1 basic match 'meta(list)'
	78
	79	.SS nbyte
	80	match packet data byte sequence
	81	.ti
	82	.IR nbyte "( " NEEDLE " at " OFFSET " [ layer " LAYER " ] )
	83
	84	.ti
	85	.IR NEEDLE " := { " string " \| " c-escape-sequence " } "
	86
	87	.ti
	88	.IR OFFSET " := " int
	89
	90	.ti
1b3c149b	91	.IR LAYER " := { " link " \| " network " \| " transport " \| " 0..2 " }
c487348a FW	92
	93	.SS u32
	94	u32 ematch
	95	.ti
1b3c149b	96	.IR u32 "( " ALIGN " " VALUE " " MASK " at [ nexthdr+ ] " OFFSET " )
c487348a FW	97
c487348a FW	98	.ti
1b3c149b	99	.IR ALIGN " := { " u8 " \| " u16 " \| " u32 " }
c487348a FW	100
c487348a FW	101	.SS ipset
6274b0b7	102	test packet against ipset membership
c487348a	103	.ti
1b3c149b	104	.IR ipset "( " SETNAME " " FLAGS " )
c487348a FW	105
	106	.ti
	107	.IR SETNAME " := " string
	108
	109	.ti
1b3c149b	110	.IR FLAGS " := { " FLAG " [, " FLAGS "] }
c487348a FW	111
	112	The flag options are the same as those used by the iptables "set" match.
	113
	114	When using the ipset ematch with the "ip_set_hash:net,iface" set type,
	115	the interface can be queried using "src,dst (source ip address, outgoing interface) or
	116	"src,src" (source ip address, incoming interface) syntax.
	117
	118	.SH CAVEATS
	119
	120	The ematch syntax uses '(' and ')' to group expressions. All braces need to be
	121	escaped properly to prevent shell commandline from interpreting these directly.
	122
	123	When using the ipset ematch with the "ifb" device, the outgoing device will be the
	124	ifb device itself, e.g. "ifb0".
	125	The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.
	126
	127	.SH EXAMPLE & USAGE
	128
	129	# tc filter add .. basic match ...
	130
	131	# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
	132
	133	# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
	134
	135	# 'nbyte("ababa" at 12 layer 1)'
	136
	137	# 'u32(u16 0x1122 0xffff at nexthdr+4)'
	138
	139	Check if packet source ip address is member of set named \fBbulk\fP:
	140
	141	# 'ipset(bulk src)'
	142
	143	Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named \fBinteractive\fP:
	144
	145	# 'ipset(interactive src,src)'
	146
	147	.SH "AUTHOR"
	148
	149	The extended match infrastructure was added by Thomas Graf.