tc-ematch
Match packets based on packet data
SYNOPSIS
tc filter ... ematch [ '...' ]
PARAMETERS
help
Displays help about ematch filter.
nbyte
Match single byte on the packet at a given offset.
u16
Match unsigned 16 bit word on the packet at a given offset.
u32
Match unsigned 32 bit word on the packet at a given offset.
range
Match when a byte at an offset is within a range between value1 and value2 inclusive.
l3proto
Match L3 protocol. Protocol can be ip, arp or ipv6.
l4proto
Match L4 protocol. Protocol can be tcp, udp or icmp.
skb->...
Directly access fields from the sk_buff structure (e.g., skb->priority).
vlan_id
Match VLAN ID.
mask
Match by masking bits at given offset with
relation
Compare value at an offset with relation operator: eq, ne, gt, lt, ge, le.
DESCRIPTION
The tc-ematch filter in Linux's Traffic Control (tc) system allows for sophisticated packet filtering based on various criteria. It provides a flexible mechanism to classify network traffic beyond simple IP address or port matching.
Ematch uses expressions that match packets on multiple criteria, including packet offsets, bitwise operations, and comparison operators. This gives fine-grained control over network traffic, letting administrators prioritize, shape, or drop packets based on complex rules.
It's particularly useful in scenarios where standard filters like u32 or fwmark are insufficient, offering greater expressiveness in specifying packet selection criteria. The filter uses bytecode internally to execute match operations.
CAVEATS
Ematch expressions can become complex and computationally expensive, potentially impacting network performance if not designed carefully. Debugging can also be challenging. Writing them requires a careful understanding of packet structures and offsets.
PACKET OFFSETS
Determining the correct packet offsets for matching is crucial. Tools like Wireshark can assist in analyzing packet structures and identifying relevant offsets. Incorrect offsets will lead to incorrect filtering.
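To make the offset problem concrete, the following added example (not part of the original page, and not tc syntax) checks a 16-bit destination-port match against constructed IPv4/TCP headers. It compares a rule that assumes a fixed offset of 22 bytes from the start of the IP header with one that derives the offset from the IHL field and skips non-first fragments; all function names and sample packets are assumptions made for illustration.

```python
import struct

def ipv4_tcp(dport, options=b"", frag_off=0):
    """Constructed IPv4 + TCP headers (checksums zero; sample data only)."""
    ihl = 5 + len(options) // 4          # options must be a multiple of 4 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, frag_off & 0x1FFF, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + options + tcp

def u16_at(pkt, offset):
    """Unsigned 16-bit big-endian word at a byte offset from the IP header."""
    return struct.unpack_from("!H", pkt, offset)[0]

def match_fixed(pkt, port):
    """Naive rule: protocol byte is TCP and the u16 at fixed offset 22 equals port."""
    return pkt[9] == 6 and u16_at(pkt, 22) == port

def match_checked(pkt, port):
    """Same intent, offset derived from IHL; non-first fragments never match."""
    if pkt[9] != 6 or (u16_at(pkt, 6) & 0x1FFF) != 0:
        return False
    return u16_at(pkt, (pkt[0] & 0x0F) * 4 + 2) == port

def report(port=22):
    """Return {sample name: (fixed-offset result, checked result)}."""
    samples = {
        "plain": ipv4_tcp(port),
        # Four bytes of IP options push the TCP header 4 bytes further in.
        "ip_options": ipv4_tcp(port, options=b"\x01\x01\x01\x00"),
        # Non-first fragment: bytes after the IP header are payload that
        # only happens to look like a TCP header in this constructed sample.
        "later_fragment": ipv4_tcp(port, frag_off=185),
    }
    return {name: (match_fixed(p, port), match_checked(p, port))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (fixed, checked) in report().items():
        print(f"{name:15} fixed={fixed!s:5} checked={checked}")
```

The fixed-offset rule misses the packet carrying IP options and wrongly matches payload bytes in the later fragment, which is the kind of incorrect filtering an unverified offset produces.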
OPTIMIZATION
Complex ematch expressions can be resource-intensive. Consider simplifying expressions or using alternative filtering methods if performance becomes an issue.
HISTORY
The `tc-ematch` filter was introduced to provide greater flexibility and expressiveness in traffic classification compared to simpler filters. Its development was driven by the need to handle more complex filtering scenarios, such as those requiring bitwise operations or comparisons based on packet offsets. The `tc` command itself has evolved significantly since its introduction in the early 2000s, with `ematch` representing a powerful addition to its filtering capabilities.
SEE ALSO
tc(8), tc-u32(8), tc-flow(8)