.TH ematch 8 "6 August 2012" iproute2 Linux

.

.SH NAME

ematch \- extended matches for use with "basic" or "flow" filters

.

.SH SYNOPSIS

.sp

.ad l

.B "tc filter add .. basic match"

.RI EXPR

.B .. flowid ..

.sp

.IR EXPR " := " TERM " [ { "

.B and | or

}

.IR EXPR

]

.IR TERM " := [ " \fBnot " ] { " MATCH " | '(' " EXPR " ')' } "

.IR MATCH " := " module " '(' " ARGS " ')' "

.IR ARGS " := " ARG1 " " ARG2 " ..

.SH MATCHES

.SS cmp

Simple comparison ematch: arithmetic compare of packet data to a given value.

.IR cmp "( " ALIGN " at " OFFSET " [ " ATTRS " ] { " eq " | " lt " | " gt " } " VALUE " )

.IR ALIGN " := { " u8 " | " u16 " | " u32 " } "

.IR ATTRS " := [ layer " LAYER " ] [ mask " MASK " ] [ trans ]

.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }

.SS meta

Metadata ematch

.IR meta "( " OBJECT " { " eq " | " lt " |" gt " } " OBJECT " )

.IR OBJECT " := { " META_ID " |  " VALUE " }

.IR META_ID " := " id " [ shift " SHIFT " ] [ mask " MASK " ]

.TP

meta attributes:

\fBrandom\fP 32 bit random value

\fBloadavg_1\fP Load average in last 5 minutes

\fBnf_mark\fP Netfilter mark

\fBvlan\fP Vlan tag

\fBsk_rcvbuf\fP Receive buffer size

\fBsk_snd_queue\fP Send queue length

.PP

A full list of meta attributes can be obtained via

# tc filter add dev eth1 basic match 'meta(list)'

.SS nbyte

match packet data byte sequence

.IR nbyte "( " NEEDLE  " at " OFFSET " [ layer " LAYER " ] )

.IR NEEDLE  " := { " string " | " c-escape-sequence "  } "

.IR OFFSET  " := " int

.IR LAYER " := { " link " | " network " | " transport " | " 0..2 " }

.SS u32

u32 ematch

.IR u32 "( " ALIGN " " VALUE " " MASK " at [ nexthdr+ ] " OFFSET " )

.IR ALIGN " := { " u8 " | " u16 " | " u32 " }

.SS ipset

test packet against ipset membership

.IR ipset "( " SETNAME " " FLAGS " )

.IR SETNAME " := " string

.IR FLAGS " := { " FLAG " [, " FLAGS "] }

The flag options are the same as those used by the iptables "set" match.

When using the ipset ematch with the "ip_set_hash:net,iface" set type,

the interface can be queried using "src,dst (source ip address, outgoing interface) or

"src,src" (source ip address, incoming interface) syntax.

.SS ipt

test packet against xtables matches

.IR ipt "( " [-6] " "-m " " MATCH_NAME " " FLAGS " )

.IR MATCH_NAME " := " string

.IR FLAGS " := { " FLAG " [, " FLAGS "] }

The flag options are the same as those used by the xtable match used.

.SH CAVEATS

The ematch syntax uses '(' and ')' to group expressions. All braces need to be

escaped properly to prevent shell commandline from interpreting these directly.

When using the ipset ematch with the "ifb" device, the outgoing device will be the

ifb device itself, e.g. "ifb0".

The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.

.SH EXAMPLE & USAGE

# tc filter add .. basic match ...

# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'

# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'

# 'nbyte("ababa" at 12 layer 1)'

# 'u32(u16 0x1122 0xffff at nexthdr+4)'

Check if packet source ip address is member of set named \fBbulk\fP:

# 'ipset(bulk src)'

Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named \fBinteractive\fP:

# 'ipset(interactive src,src)'

Check if packet matches an IPSec state with reqid 1:

# 'ipt(-m policy --dir in --pol ipsec --reqid 1)'

.SH "AUTHOR"

The extended match infrastructure was added by Thomas Graf.