NAME<\/a> ematch \u2212 extended matches for use with “basic”, “cgroup” or “flow” filters<\/p>\n tc filter add .. basic match<\/b> EXPR .. flowid ..<\/b><\/p>\n EXPR<\/i> := TERM<\/i> [ { and | or<\/b> } EXPR<\/i> ]<\/p>\n TERM<\/i> := [ not<\/b> ] { MATCH<\/i> | \u2019(\u2019 EXPR<\/i> \u2019)\u2019 }<\/p>\n MATCH<\/i> := module<\/i> \u2019(\u2019 ARGS<\/i> \u2019)\u2019<\/p>\n ARGS<\/i> := ARG1 ARG2<\/i> ..<\/p>\n cmp<\/b> cmp<\/i>( ALIGN<\/i> at OFFSET<\/i> [ ATTRS<\/i> ] { eq<\/i> | lt<\/i> | gt<\/i> } VALUE<\/i> )<\/p>\n ALIGN<\/i> := { u8<\/i> | u16<\/i> | u32<\/i> }<\/p>\n ATTRS<\/i> := [ layer LAYER<\/i> ] [ mask MASK<\/i> ] [ trans ]<\/p>\n LAYER<\/i> := { link<\/i> | network<\/i> | transport<\/i> | 0..2<\/i> }<\/p>\n meta<\/b> meta<\/i>( OBJECT<\/i> { eq<\/i> | lt<\/i> |gt<\/i> } OBJECT<\/i> )<\/p>\n OBJECT<\/i> := { META_ID<\/i> | VALUE<\/i> }<\/p>\n META_ID<\/i> := id<\/i> [ shift SHIFT<\/i> ] [ mask MASK<\/i> ] random<\/b> 32 bit random value<\/p>\n loadavg_1<\/b> Load average in last 5 minutes<\/p>\n nf_mark<\/b> Netfilter mark<\/p>\n vlan<\/b> Vlan tag<\/p>\n sk_rcvbuf<\/b> Receive buffer size<\/p>\n sk_snd_queue<\/b> Send queue length<\/p>\n A full list of meta attributes can be obtained via<\/p>\n # tc filter add dev eth1 basic match \u2019meta(list)\u2019<\/p>\n nbyte<\/b> nbyte<\/i>( NEEDLE<\/i> at OFFSET<\/i> [ layer LAYER<\/i> ] )<\/p>\n NEEDLE<\/i> := { string<\/i> | c-escape-sequence<\/i> }<\/p>\n OFFSET<\/i> := int<\/i><\/p>\n LAYER<\/i> := { link<\/i> | network<\/i> | transport<\/i> | 0..2<\/i> }<\/p>\n u32<\/b> u32<\/i>( ALIGN VALUE MASK<\/i> at [ nexthdr+ ] OFFSET<\/i> )<\/p>\n ALIGN<\/i> := { u8<\/i> | u16<\/i> | u32<\/i> }<\/p>\n ipset<\/b> ipset<\/i>( SETNAME FLAGS<\/i> )<\/p>\n SETNAME<\/i> := string<\/i><\/p>\n FLAGS<\/i> := { FLAG<\/i> [, FLAGS<\/i>] }<\/p>\n The flag options are the same as those used by the iptables “set” match.<\/p>\n When using the ipset ematch with the “ip_set_hash:net,iface” set type, the interface can be queried using “src,dst (source ip address, outgoing interface) or “src,src” (source ip address, incoming interface) syntax.<\/p>\n ipt<\/b> ipt<\/i>( [-6] -m MATCH_NAME FLAGS<\/i> )<\/p>\n MATCH_NAME<\/i> := string<\/i><\/p>\n FLAGS<\/i> := { FLAG<\/i> [, FLAGS<\/i>] }<\/p>\n The flag options are the same as those used by the xtable match used.<\/p>\n canid<\/b> canid<\/i>( IDLIST<\/i> )<\/p>\n IDLIST<\/i> := IDSPEC<\/i>[IDLIST<\/i>]<\/p>\n IDSPEC<\/i> := { \u00e2sff\u00e2 CANID<\/i> | \u00e2eff\u00e2 CANID<\/i> }<\/p>\n CANID<\/i> := ID<\/i>[:MASK<\/i>]<\/p>\n ID<\/i>, MASK<\/i> := hexadecimal number (i.e. 0x123)<\/p>\n The ematch syntax uses \u2019(\u2019 and \u2019)\u2019 to group expressions. All braces need to be escaped properly to prevent shell commandline from interpreting these directly.<\/p>\n When using the ipset ematch with the “ifb” device, the outgoing device will be the ifb device itself, e.g. “ifb0”. The original interface (i.e. the device the packet arrived on) is treated as the incoming interface.<\/p>\n # tc filter add .. basic match …<\/p>\n # \u2019cmp(u16 at 3 layer 2 mask 0xff00 gt 20)\u2019<\/p>\n # \u2019meta(nfmark gt 24)\u2019 and \u2019meta(tcindex mask 0xf0 eq 0xf0)\u2019<\/p>\n # \u2019nbyte(“ababa” at 12 layer 1)\u2019<\/p>\n # \u2019u32(u16 0x1122 0xffff at nexthdr+4)\u2019<\/p>\n Check if packet source ip address is member of set named bulk<\/b>:<\/p>\n # \u2019ipset(bulk src)\u2019<\/p>\n Check if packet source ip and the interface the packet arrived on is member of “hash:net,iface” set named interactive<\/b>:<\/p>\n # \u2019ipset(interactive src,src)\u2019<\/p>\n Check if packet matches an IPSec state with reqid 1:<\/p>\n # \u2019ipt(-m policy –dir in –pol ipsec –reqid 1)\u2019<\/p>\n The extended match infrastructure was added by Thomas Graf.<\/p>\n ematch \u2212 extended matches for use with “basic”, “cgroup” or “flow” filters <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,931],"class_list":["post-3835","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-tc-ematch"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3835"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3835\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
SYNOPSIS<\/a>
MATCHES<\/a>
CAVEATS<\/a>
EXAMPLE & USAGE<\/a>
AUTHOR<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
SYNOPSIS <\/a> <\/h2>\n
MATCHES <\/a> <\/h2>\n
Simple comparison ematch: arithmetic compare of packet data to a given value.<\/p>\n
Metadata ematch<\/p>\n
meta attributes:<\/p>\n
match packet data byte sequence<\/p>\n
u32 ematch<\/p>\n
test packet against ipset membership<\/p>\n
test packet against xtables matches<\/p>\n
ematch rule to match CAN frames<\/p>\nCAVEATS <\/a> <\/h2>\n
EXAMPLE & USAGE <\/a> <\/h2>\n
AUTHOR <\/a> <\/h2>\n
\n","protected":false},"excerpt":{"rendered":"