tc-ematch

tc filter ... ematch [ '...' ]

help
    Displays help about ematch filter.

nbyte
    Match single byte on the packet at a given offset.

u16
    Match unsigned 16 bit word on the packet at a given offset.

u32
    Match unsigned 32 bit word on the packet at a given offset.

range
    Match when a byte at an offset is within a range between value1 and value2 inclusive.

l3proto
    Match L3 protocol. Protocol can be ip, arp or ipv6

l4proto
    Match L4 protocol. Protocol can be tcp, udp or icmp

skb->...
    Directly access fields from the sk_buff structure (e.g., skb->priority).

vlan_id
    Match VLAN ID.

mask
    Match by masking bits at given offset with and comparing the result to .

relation
    Compare value at an offset with relation operator: eq, ne, gt, lt, ge, le.

The tc-ematch filter in Linux's Traffic Control (tc) system allows for sophisticated packet filtering based on various criteria. It provides a flexible mechanism to classify network traffic beyond simple IP address or port matching.
Ematch uses expressions, which allow to match packets based on multiple criteria, including packet offsets, bitwise operations, and comparison operators. This enables fine-grained control over network traffic, enabling administrators to prioritize, shape, or drop packets based on complex rules.
It's particularly useful in scenarios where standard filters like u32 or fwmark are insufficient, offering greater expressiveness in specifying packet selection criteria. The filter uses bytecode internally to execute match operations.

Ematch expressions can become complex and computationally expensive, potentially impacting network performance if not designed carefully. Debugging can also be challenging. Requires careful understanding of packet structures and offsets.

Determining the correct packet offsets for matching is crucial. Tools like Wireshark can assist in analyzing packet structures and identifying relevant offsets. Incorrect offsets will lead to incorrect filtering.

Complex ematch expressions can be resource-intensive. Consider simplifying expressions or using alternative filtering methods if performance becomes an issue.

The `tc-ematch` filter was introduced to provide greater flexibility and expressiveness in traffic classification compared to simpler filters. Its development was driven by the need to handle more complex filtering scenarios, such as those requiring bitwise operations or comparisons based on packet offsets. The `tc` command itself has evolved significantly since its introduction in the early 2000s, with `ematch` representing a powerful addition to its filtering capabilities.

tc(8), tc-u32(8), tc-flow(8)