From: Florian Westphal Date: Thu, 9 Aug 2012 09:18:51 +0000 (+0000) Subject: add ematch man page X-Git-Tag: v3.6.0~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c487348a9c009260b9b1d2f8530873e9bda7d9b5;p=thirdparty%2Fiproute2.git add ematch man page --- diff --git a/man/man8/tc-ematch.8 b/man/man8/tc-ematch.8 new file mode 100644 index 000000000..53ae16190 --- /dev/null +++ b/man/man8/tc-ematch.8 @@ -0,0 +1,152 @@ +.TH filter ematch "6 August 2012" iproute2 Linux +. +.SH NAME +ematch \- extended matches for use with "basic" or "flow" filters +. +.SH SYNOPSIS +.sp +.ad l +.in +8 +.ti -8 +.B "tc filter add .. basic match" +.RI EXPR +.B .. flowid .. +.sp + +.ti -8 +.IR EXPR " := " TERM " [ { " +.B and | or +} +.IR EXPR +] + +.ti -8 +.IR TERM " := [ " not " ] { " MATCH " | '(' " EXPR " ')' } " + +.ti -8 +.IR MATCH " := " module " '(' " ARGS " ')' " + +.ti -8 +.IR ARGS " := " ARG1 " " ARG2 " .. + +.SH MATCHES + +.SS cmp +Simple comparison ematch: arithmetic compare of packet data to a given value. +.ti +.IR cmp "( " ALIGN " at " OFFSET " [ " ATTRS " ] { " eq " | " lt " | " gt " } " VALUE " ) + +.ti +.IR ALIGN " := { " u8 " | " u16 " | " u32 " } " + +.ti +.IR ATTRS " := [ layer " LAYER " ] [ mask " MASK " ] [ " trans " ] " + +.ti +.IR ALIGN " := { " u8 " | " u16 " | " u32 } " + +.ti +.IR LAYER " := { " link " | " network " | " transport " | " 0..%d " } + +.SS meta +Metadata ematch +.ti +.IR meta "( " OBJECT " { " eq " | " lt " |" gt " } " OBJECT " ) + +.ti +.IR OBJECT " := { " META_ID " | " VALUE " } + +.ti +.IR META_ID " := id " [ shift " SHIFT " ] [ mask " MASK " ] + +.TP +meta attributes: + +\fBrandom\fP 32 bit random value + +\fBloadavg_1\fP Load average in last 5 minutes + +\fBnf_mark\fP Netfilter mark + +\fBvlan\fP Vlan tag + +\fBsk_rcvbuf\fP Receive buffer size + +\fBsk_snd_queue\fP Send queue length + +.PP +A full list of meta attributes can be obtained via + +# tc filter add dev eth1 basic match 'meta(list)' + +.SS nbyte +match packet data byte sequence +.ti +.IR nbyte "( " NEEDLE " at " OFFSET " [ layer " LAYER " ] ) + +.ti +.IR NEEDLE " := { " string " | " c-escape-sequence " } " + +.ti +.IR OFFSET " := " int + +.ti +.IR LAYER " := { " link " | " network " | " transport " | " 0..%d " } + +.SS u32 +u32 ematch +.ti +.IR u32 "( " ALIGN VALUE MASK " at " [ nexthdr+ ] " OFFSET " ) + +.ti +.IR ALIGN " := " { " u8 " | " u16 " | " u32 " } + +.SS ipset +test packet agains ipset membership +.ti +.IR ipset "( " SETNAME FLAGS ) + +.ti +.IR SETNAME " := " string + +.ti +.IR FLAGS " := " { " FLAG " [, " FLAGS "] } + +The flag options are the same as those used by the iptables "set" match. + +When using the ipset ematch with the "ip_set_hash:net,iface" set type, +the interface can be queried using "src,dst (source ip address, outgoing interface) or +"src,src" (source ip address, incoming interface) syntax. + +.SH CAVEATS + +The ematch syntax uses '(' and ')' to group expressions. All braces need to be +escaped properly to prevent shell commandline from interpreting these directly. + +When using the ipset ematch with the "ifb" device, the outgoing device will be the +ifb device itself, e.g. "ifb0". +The original interface (i.e. the device the packet arrived on) is treated as the incoming interface. + +.SH EXAMPLE & USAGE + +# tc filter add .. basic match ... + +# 'cmp(u16 at 3 layer 2 mask 0xff00 gt 20)' + +# 'meta(nfmark gt 24)' and 'meta(tcindex mask 0xf0 eq 0xf0)' + +# 'nbyte("ababa" at 12 layer 1)' + +# 'u32(u16 0x1122 0xffff at nexthdr+4)' + +Check if packet source ip address is member of set named \fBbulk\fP: + +# 'ipset(bulk src)' + +Check if packet source ip and the interface the packet arrived on is member of "hash:net,iface" set named \fBinteractive\fP: + +# 'ipset(interactive src,src)' + +.SH "AUTHOR" + +The extended match infrastructure was added by Thomas Graf. diff --git a/man/man8/tc.8 b/man/man8/tc.8 index 95571a3ee..a285c4956 100644 --- a/man/man8/tc.8 +++ b/man/man8/tc.8 @@ -374,6 +374,7 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2. .BR tc-choke (8), .BR tc-codel (8), .BR tc-drr (8), +.BR tc-ematch (8), .BR tc-fq_codel (8), .BR tc-hfsc (7), .BR tc-hfsc (8),