Name
ematch - extended matches for use with "basic", "cgroup" or "flow" filters
Synopsis
    tc filter add .. basic match EXPR .. flowid ..
    EXPR := TERM [ { and | or } EXPR ]
    TERM := [ not ] { MATCH | '(' EXPR ')' }
    MATCH := module '(' ARGS ')'
    ARGS := ARG1 ARG2 ..
Matches
Cmp
Simple comparison ematch: arithmetic compare of packet data to a given value.
    cmp( ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE )
    ALIGN := { u8 | u16 | u32 }
    ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
    LAYER := { link | network | transport | 0..2 }
Meta
Metadata ematch
    meta( OBJECT { eq | lt | gt } OBJECT )
    OBJECT := { META_ID | VALUE }
    META_ID := id [ shift SHIFT ] [ mask MASK ]
meta attributes:
    random        32 bit random value
    loadavg_1     Load average in last 5 minutes
    nf_mark       Netfilter mark
    vlan          Vlan tag
    sk_rcvbuf     Receive buffer size
    sk_snd_queue  Send queue length
A full list of meta attributes can be obtained via
    # tc filter add dev eth1 basic match 'meta(list)'
Nbyte
Match packet data byte sequence
    nbyte( NEEDLE at OFFSET [ layer LAYER ] )
    NEEDLE := { string | c-escape-sequence }
    OFFSET := int
    LAYER := { link | network | transport | 0..2 }
U32
u32 ematch
    u32( ALIGN VALUE MASK at [ nexthdr+ ] OFFSET )
    ALIGN := { u8 | u16 | u32 }
Ipset
Test packet against ipset membership
    ipset( SETNAME FLAGS )
    SETNAME := string
    FLAGS := { FLAG [, FLAGS ] }
The flag options are the same as those used by the iptables "set" match. When using the ipset ematch with the "ip_set_hash:net,iface" set type, the interface can be queried using the "src,dst" (source IP address, outgoing interface) or "src,src" (source IP address, incoming interface) syntax.
Ipt
Test packet against xtables matches
    ipt( [-6] -m MATCH_NAME FLAGS )
    MATCH_NAME := string
    FLAGS := { FLAG [, FLAGS ] }
The flag options are the same as those of the xtables match being used.
Canid
ematch rule to match CAN frames
    canid( IDLIST )
    IDLIST := IDSPEC [ IDLIST ]
    IDSPEC := { 'sff' CANID | 'eff' CANID }
    CANID := ID [ ":MASK" ]
    ID, MASK := hexadecimal number (e.g. 0x123)
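The EXPR grammar from the Synopsis can be checked mechanically, for example when reviewing filter rules before they are loaded. The Python code below is an added example, not part of the original manual page or of iproute2: it parses an expression by that grammar and reports match modules that are not documented on this page. The function names and the sample expression (including the set name "blocklist") are assumptions made for illustration, and ARGS are kept as opaque text rather than validated per module.

```python
import re
DOCUMENTED = {"cmp", "meta", "nbyte", "u32", "ipset", "ipt", "canid"}  # modules on this page
SAMPLE = 'not (cmp(u8 at 9 layer 1 eq 6) or nbyte("a)b" at 12)) and ipset(blocklist src)'  # constructed
# Token: keyword | module(ARGS), ARGS may hold double-quoted strings | bare parenthesis
_TOK = re.compile(r'\s*(?:(and|or|not)\b|(\w+)\s*\(((?:"(?:\\.|[^"\\])*"|[^")])*)\)|([()]))')

def tokenize(text):
    toks, i = [], 0
    while text[i:].strip():
        m = _TOK.match(text, i)
        if not m:
            raise ValueError(f"syntax error at offset {i}")
        kw, mod, args, par = m.groups()
        toks.append(kw or par or ("match", mod, args.strip()))
        i = m.end()
    return toks

def parse(text):
    toks = tokenize(text)
    def expr():  # EXPR := TERM [ { and | or } EXPR ]  (right-recursive, as written)
        left = term()
        if toks and toks[0] in ("and", "or"):
            return (toks.pop(0), left, expr())
        return left
    def term():  # TERM := [ not ] { MATCH | '(' EXPR ')' }
        if toks and toks[0] == "not":
            return (toks.pop(0), atom())
        return atom()
    def atom():  # MATCH := module '(' ARGS ')', already one token, or '(' EXPR ')'
        tok = toks.pop(0) if toks else None
        if isinstance(tok, tuple):
            return tok
        if tok != "(":
            raise ValueError(f"expected a match or '(', got {tok!r}")
        node = expr()
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    tree = expr()
    if toks:
        raise ValueError(f"unexpected {toks[0]!r}")
    return tree

def modules(tree):  # set of module names used anywhere in the parsed expression
    if tree[0] == "match":
        return {tree[1]}
    return set().union(*(modules(t) for t in tree[1:]))

def undocumented(text):  # modules in the expression that this page does not describe
    return modules(parse(text)) - DOCUMENTED
```

The input is the expression text with any shell quoting around individual matches already removed.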