ematch(8)                (6 August 2012)                ematch(8)

     NAME
          ematch - extended matches for use with "basic", "cgroup"  or
          "flow" filters

     SYNOPSIS
          tc filter add .. basic match EXPR .. flowid ..

          EXPR := TERM [ { and | or } EXPR ]

          TERM := [ not ] { MATCH | '('

          MATCH := module '(' ARGS ')'

          ARGS := ARG1 ARG2 ..

     MATCHES
        cmp
          Simple comparison ematch: arithmetic compare of packet data
          to a given value.

          cmp( ALIGN at OFFSET [

          ALIGN := { u8 | u16 |

          ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]

          LAYER := { link | network |

        meta
          Metadata ematch

          meta( OBJECT { eq |

          OBJECT := { META_ID |  VALUE }

          META_ID := id [ shift SHIFT ] [ mask

          meta attributes:

               random 32 bit random value

               loadavg_1 Load average in last 5 minutes

               nf_mark Netfilter mark

               vlan Vlan tag

     Page 1                      iproute2            (printed 5/24/22)

     ematch(8)                (6 August 2012)                ematch(8)

               sk_rcvbuf Receive buffer size

               sk_snd_queue Send queue length

          A full list of meta attributes can be obtained via

          # tc filter add dev eth1 basic match 'meta(list)'

        nbyte
          match packet data byte sequence

          nbyte( NEEDLE at OFFSET [ layer

          NEEDLE := { string | c-escape-sequence  }

          OFFSET := int

          LAYER := { link | network |

        u32
          u32 ematch

          u32( ALIGN VALUE

          ALIGN := { u8 | u16 |

        ipset
          test packet against ipset membership

          ipset( SETNAME FLAGS )

          SETNAME := string

          FLAGS := { FLAG [, FLAGS] }

          The flag options are the same as those used by the iptables
          "set" match.

          When using the ipset ematch with the "ip_set_hash:net,iface"
          set type, the interface can be queried using "src,dst
          (source ip address, outgoing interface) or "src,src" (source
          ip address, incoming interface) syntax.

        ipt
          test packet against xtables matches

          ipt( [-6] -m

     Page 2                      iproute2            (printed 5/24/22)

     ematch(8)                (6 August 2012)                ematch(8)

          MATCH_NAME := string

          FLAGS := { FLAG [, FLAGS] }

          The flag options are the same as those used by the xtable
          match used.

        canid
          ematch rule to match CAN frames

          canid( IDLIST )

          IDLIST :=  IDSPEC[IDLIST]

          IDSPEC := { ’sff’ CANID | ’eff’ CANID }

          CANID := ID[:MASK]

          ID, MASK := hexadecimal number (i.e. 0x123)

     CAVEATS
          The ematch syntax uses '(' and ')' to group expressions. All
          braces need to be escaped properly to prevent shell command-
          line from interpreting these directly.

          When using the ipset ematch with the "ifb" device, the out-
          going device will be the ifb device itself, e.g. "ifb0".
          The original interface (i.e. the device the packet arrived
          on) is treated as the incoming interface.

     EXAMPLE & USAGE
          # tc filter add .. basic match ...

          # 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)'

          # 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)'

          # 'nbyte("ababa" at 12 layer 1)'

          # 'u32(u16 0x1122 0xffff at nexthdr+4)'

          Check if packet source ip address is member of set named
          bulk:

          # 'ipset(bulk src)'

          Check if packet source ip and the interface the packet
          arrived on is member of "hash:net,iface" set named interac-
          tive:

     Page 3                      iproute2            (printed 5/24/22)

     ematch(8)                (6 August 2012)                ematch(8)

          # 'ipset(interactive src,src)'

          Check if packet matches an IPSec state with reqid 1:

          # 'ipt(-m policy --dir in --pol ipsec --reqid 1)'

     AUTHOR
          The extended match infrastructure was added by Thomas Graf.

     Page 4                      iproute2            (printed 5/24/22)