Provided by: fireqos-doc_3.1.5+ds-1ubuntu1_all 
      
    
NAME
       fireqos-params-match - optional match parameters
SYNOPSIS
       at { root | name }
       class name
       syn|syns
       ack|acks
       { proto|protocol protocol [,protocol...] } |tcp|udp|icmp|gre|ipv6
       { tos | priority } tosid [,tosid...]
       { DSCP } classname [,classname...]
       mark mark [,mark...]
       connmark mark [,mark...]
       rawmark mark [,mark...]
       custommark name mark [,mark...]
       { port | ports } port[:range] [ ,port[:range]...  ]
       { sport | sports } port[:range] [ ,port[:range]...  ]
       { dport | dports } port[:range] [ ,port[:range]...  ]
       { ip | net | host } net [,net...]
       src net [,net...]
       dst net [,net...]
       { srcmac | smac } mac
       { dstmac | dmac } mac
       prio id
       input
       output
       custom 'custom tc parameters'
       estimator interval decay
       police police
       insidegre
DESCRIPTION
       These options apply to match statements.
   input, output
       On  bidirectional interfaces, input and output will check the current direction of the interface.  If the
       match is input but the interface is output the match will be reversed.  The same will happen if output is
       given at the match and the interface is input.
       The parameters that are reversed are:
       • src and dst
       • sport and dport
       • srcmac and dstmac
       This allows a definition like this:
                interface dsl0 world bidirectional ...
                  class surfing ...
                    match input sport 0:1023
       The above will match sport 0:1023 at the input interface, and will  automatically  reverse  it  to  match
       dport 0:1023 at the output interface.
   at
       By  default a match is attached to the parent of its parent class.  For example, if its parent is a class
       directly under the interface, then the match is attached to the interface and  is  compared  against  all
       traffic  of the interface.  For nested classes, a match of a leaf, is attached to the parent class and is
       compared against all traffic of this parent class.
       With the at parameter, a match can be attached any class.  The name parameter should  be  a  class  name.
       The name root attaches the match to the interface.
   class
       Defines the name of the class that will get the packets matched by this match.
       By default it is the name of the class the match statement appears under.
              Note
              There is also a class definition for traffic, see fireqos-class(5).
   syn, syns
       Match TCP SYN packets.  Note that the tcp parameter must be specified.
       If the same match statement includes more protocols than TCP, then this match will work for the TCP pack‐
       ets (it will be silently ignored for all other protocols).
       For example, syn is ignored when generating the UDP filter in the below:
              match tcp syn
              match proto tcp,udp syn
   ack, acks
       Same as syn, but matching small TCP packets with the ACK bit set.
   proto, protocol, tcp, udp, icmp, gre, ipv6
       Match the protocol in the IP header.
   tos, priority
       Match  to  TOS  field of ipv4 or the priority field of ipv6.  The tosid can be a value/mask in any format
       tc(8) accepts, or one of the following:
       • min-delay, minimize-delay, minimum-delay, low-delay, interactive
       • maximize-throughput, maximum-throughput, max-throughput, high-throughput, bulk
       • maximize-reliability, maximum-reliability, max-reliability, reliable
       • min-cost, minimize-cost, minimum-cost, low-cost, cheap, normal-service, normal
         Note
         There is also a class parameter called priority, see fireqos-params-class(5).
   dscp
       Match to DSCP value in IP TOS header field.  The classname has to be one of the following values:
       • CS1, CS2, CS3, CS4, CS5, CS6, CS7
       • AF11, AF12, AF13
       • AF21, AF22, AF23
       • AF31, AF32, AF33
       • AF41, AF42, AF43
       • EF
         Note
         tc-filter only supports ToS parameters.  That is why a lookaside table  is  configured  within  fireqos
         code to translate the DSCP value to their matching TOS value.  See RFC2474 for more information.
   mark, connmark, custommark, rawmark
       Match  an iptables(8) MARK.  This works the same way it works for FireHOL.  FireHOL and FireQOS share the
       same marks and their masks.
       Matching iptables(8) MARKs do not work on input interfaces.  You can use them only on  output.   The  IFB
       devices that are used for shaping inbound traffic do not have any iptables hooks to allow matching MARKs.
       If  you try it, FireQOS will attempt to do it, but currently you will get an error from the tc(8) command
       executed or they will be silently ignored by it.
       On some Linux distributions (e.g.  OpenWRT) there is a module called act_commark that  will  enable  this
       feature.  Set this within your fireqos.conf to enable it:
              FIREQOS_CONNMARK_RESTORE="act_connmark"
       Also  note that matching marks requires a suitably configured kernel (with CONFIG_CLS_U32_MARK=y).  There
       is no error if the kernel is not configured correctly; it just silently drops the rules.  For details see
       this error report (https://github.com/firehol/firehol/issues/231).
   ports, sports, dports
       Match ports of the IP header.  ports will create rules for matching source and destination  ports  (sepa‐
       rate rules for each).  dports matches destination ports, sports matches source ports.
   ip, net, host, src, dst
       Match  IPs  of the IP header.  ip, net and host will create rules for matching source and destination IPs
       (separate rules for each).  src matches source IPs and dst destination IPs.
              Note
              If the class these matches appear in are IPv4, then only IPv4 IPs can be used.   To  override  use
              match6 ... src/dst *IPV6_IP*
              Similarly,   if   the  class  is  IPv6,  then  only  IPv6  IPs  can  be  used.   To  override  use
              match4 ... src/dst *IPV4_IP*.
       You can mix IPv4 and IPv6 in any way you like.  FireQOS supports inheritance,  to  figure  out  for  each
       statement which is the default.  For example:
              interface46 eth0 lan output rate 1Gbit # ipv4 and ipv6 enabled
                class voip # ipv4 and ipv6 class, as interface is both
                  match udp port 53 # ipv4 and ipv6 rule, as class is both
                  match4 src 192.0.2.1 # ipv4 only rule
                  match6 src 2001:db8::1 # ipv6 only rule
                class4 realtime # ipv4 only class
                  match src 198.51.100.1 # ipv4 only rule, as class is ipv4-only
                class6 servers # ipv6 only class
                      match src 2001:db8::2 # ipv6 only rule, as class is ipv6-only
       To  convert an IPv4 interface to IPv6, just replace interface with interface6.  All the rules in that in‐
       terface, will automatically inherit the new protocol.  Of course, if you use IP  addresses  for  matching
       packets, make sure they are IPv6 IPs too.
   prio (match)
              Note
              There is also a class parameter called prio, see fireqos-params-class(5).
       All  match  statements  are attached to the interface.  They forward traffic to their class, but they are
       actually executed for all packets that are leaving the interface (note: input matches are actually output
       matches on an IFB device).
       By default, the priority they are executed, is the priority they appear in the configuration  file,  i.e.
       the first match of the first class is executed first, then the rest matches of the first class in the se‐
       quence they appear, then the matches of the second class, etc.
       It  is sometimes necessary to control the order of matches.  For example, when you want host 192.0.2.1 to
       be assigned the first class, except port tcp/1234 which should be assigned the second class.  The follow‐
       ing will not work:
              interface eth0 lan output rate 1Gbit
                class high
                  match host 192.0.2.1
                class low
                  match host 192.0.2.1 port 1234 # Will never match
       In this case, the first match is assigned priority 10 and the second priority 20.  The second match  will
       never match anything, since all traffic for the host is already matched by the first one.
       Setting  an  explicit priority allows you to change the order in which the matches are executed.  FireQOS
       gives priority 10 to the first match of every interface, 20 to the second match, 30 to the  third  match,
       etc.  So the default is 10 x the sequence number.  You can set prio to overwrite this number.
       To  force  executing  the  second match before the first, just set a lower priority for it.  For example,
       this will cause the desired behaviour:
              interface eth0 lan output rate 1Gbit
                class high
                  match host 192.0.2.1
                class low
                  match host 192.0.2.1 port 1234 prio 1 # Matches before host-only
   insidegre
       By specifying keyword insidegre a GRE (Generic Routing Encapsulation) packet can be matched on the encap‐
       sulated IP packet header information.
       insidegre is available for the following matches:
       • src
       • dst
       • protocol
       • port
       • tos
       • dscp
           interface eth0 world ...
             class surfing commit 128kbit ceil 1024kbit prio 7
               match src 10.1.128.230 dst 8.8.8.8 insidegre
               match protocol ospf insidegre
               match port 25 insidegre
               match tos 3 insidegre
               match dscp ef insidegre
SEE ALSO
       • fireqos(1) - FireQOS program
       • fireqos.conf(5) - FireQOS configuration file
       • fireqos-match(5) - QOS traffic match
       • FireHOL Website (http://firehol.org/)
       • FireQOS Online PDF Manual (http://firehol.org/fireqos-manual.pdf)
       • FireQOS Online Documentation (http://firehol.org/documentation/)
AUTHORS
       FireHOL Team.
FireQOS Reference                               Built 04 Nov 2017                        fireqos-params-match(5)