You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
133 lines
3.0 KiB
133 lines
3.0 KiB
.TH ematch 8 "6 August 2012" iproute2 Linux
|
|
.
|
|
.SH NAME
|
|
ematch \- extended matches for use with "basic" or "flow" filters
|
|
.
|
|
.SH SYNOPSIS
|
|
.sp
|
|
.ad l
|
|
.B "tc filter add .. basic match"
|
|
.RI EXPR
|
|
.B .. flowid ..
|
|
.sp
|
|
|
|
.IR EXPR " := " TERM " [ { "
|
|
.B and | or
|
|
}
|
|
.IR EXPR
|
|
]
|
|
|
|
.IR TERM " := [ " \fBnot " ] { " MATCH " | '(' " EXPR " ')' } "
|
|
|
|
.IR MATCH " := " module " '(' " ARGS " ')' "
|
|
|
|
.IR ARGS " := " ARG1 " " ARG2 " ..
|
|
|
|
.SH MATCHES
|
|
|
|
.SS cmp
|
|
Simple comparison ematch: arithmetic compare of packet data to a given value.
|
|
|
|
.IR cmp "( " ALIGN " at " OFFSET " [ " ATTRS " ] { " eq " | " lt " | " gt " } " VALUE " )
|
|
|
|
.IR ALIGN " := { " u8 " | " u16 " | " u32 " } "
|
|
|
|
.IR ATTRS " := [ layer " LAYER " ] [ mask " MASK " ] [ trans ]
|
|
|
|
.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }
|
|
|
|
.SS meta
|
|
Metadata ematch
|
|
|
|
.IR meta "( " OBJECT " { " eq " | " lt " |" gt " } " OBJECT " )
|
|
|
|
.IR OBJECT " := { " META_ID " | " VALUE " }
|
|
|
|
.IR META_ID " := " id " [ shift " SHIFT " ] [ mask " MASK " ]
|
|
|
|
.TP
|
|
meta attributes:
|
|
|
|
\fBrandom\fP 32 bit random value
|
|
|
|
\fBloadavg_1\fP Load average in last 5 minutes
|
|
|
|
\fBnf_mark\fP Netfilter mark
|
|
|
|
\fBvlan\fP Vlan tag
|
|
|
|
\fBsk_rcvbuf\fP Receive buffer size
|
|
|
|
\fBsk_snd_queue\fP Send queue length
|
|
|
|
.PP
|
|
A full list of meta attributes can be obtained via
|
|
|
|
# tc filter add dev eth1 basic match 'meta(list)'
|
|
|
|
.SS nbyte
|
|
match packet data byte sequence
|
|
|
|
.IR nbyte "( " NEEDLE " at " OFFSET " [ layer " LAYER " ] )
|
|
|
|
.IR NEEDLE " := { " string " | " c-escape-sequence " } "
|
|
|
|
.IR OFFSET " := " int
|
|
|
|
.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }
|
|
|
|
.SS u32
|
|
u32 ematch
|
|
|
|
.IR u32 "( " ALIGN " " VALUE " " MASK " at [ nexthdr+ ] " OFFSET " )
|
|
|
|
.IR ALIGN " := { " u8 " | " u16 " | " u32 " }
|
|
|
|
.SS ipset
|
|
test packet against ipset membership
|
|
|
|
.IR ipset "( " SETNAME " " FLAGS " )
|
|
|
|
.IR SETNAME " := " string
|
|
|
|
.IR FLAGS " := { " FLAG " [, " FLAGS "] }
|
|
|
|
The flag options are the same as those used by the iptables "set" match.
|
|
|
|
When using the ipset ematch with the "ip_set_hash:net,iface" set type,
|
|
the interface can be queried using "src,dst (source ip address, outgoing interface) or
|
|
"src,src" (source ip address, incoming interface) syntax.
|
|
|
|
.SH CAVEATS
|
|
|
|
The ematch syntax uses '(' and ')' to group expressions. All braces need to be
|
|
escaped properly to prevent shell commandline from interpreting these directly.
|
|
|
|
When using the ipset ematch with the "ifb" device, the outgoing device will be the
|
|
ifb device itself, e.g. "ifb0".
|
|
The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.
|
|
|
|
.SH EXAMPLE & USAGE
|
|
|
|
# tc filter add .. basic match ...
|
|
|
|
# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'
|
|
|
|
# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'
|
|
|
|
# 'nbyte("ababa" at 12 layer 1)'
|
|
|
|
# 'u32(u16 0x1122 0xffff at nexthdr+4)'
|
|
|
|
Check if packet source ip address is member of set named \fBbulk\fP:
|
|
|
|
# 'ipset(bulk src)'
|
|
|
|
Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named \fBinteractive\fP:
|
|
|
|
# 'ipset(interactive src,src)'
|
|
|
|
.SH "AUTHOR"
|
|
|
|
The extended match infrastructure was added by Thomas Graf.
|