IPClassifier -- Click element;
classifies IP packets by contents
IPClassifier(PATTERN_1, ..., PATTERN_N)
Ports: 1 input, any number of outputs
Package: ip (core)
Classifies IP packets according to tcpdump-like patterns. The
IPClassifier has N outputs, each associated with the corresponding pattern
from the configuration string. The input packets must have their IP header
annotation set; CheckIPHeader and MarkIPHeader do this.
Patterns are built from pattern primitives. The primitives
IPClassifier understands are:
- ip proto PROTO
- PROTO is an IP protocol name (see below) or a valid IP protocol number.
Matches packets of the given protocol.
- [SRCORDST] host IPADDR
- IPADDR is an IP address and SRCORDST is 'src', 'dst', 'src or dst', or 'src
and dst'. (If SRCORDST is missing, 'src or dst' is assumed.) Matches
packets sent to and/or from the given address.
- [SRCORDST] net NETADDR
- NETADDR is an IP network address (either CIDR-style 'IPADDR/BITS' or
'IPADDR mask MASK') and SRCORDST is as above. Matches packets sent to
and/or from the given network.
- [SRCORDST] [tcp | udp] port PORT
- PORT is a TCP or UDP port name (see below) or number and SRCORDST is as
above. Matches packets sent to and/or from the given TCP or UDP port. If
you leave out 'tcp' or 'udp', then either TCP or UDP is accepted.
- ip vers VERSION
- VERSION is a value between 0 and 15. Matches IP packets with the given
- ip hl HL
- HL is a value between 0 and 15. Matches IP packets with the given header
- ip id ID
- ID is a value between 0 and 65535. Matches IP packets with the given IP ID.
- ip tos TOS
- TOS is a value between 0 and 255. Matches IP packets with the given TOS
- ip dscp DSCP
- DSCP is a value between 0 and 63. Matches IP packets with the given DSCP
value (the upper 6 bits of TOS).
- ip ect
- Matches IP packets with ECN Capable Transport turned on.
- ip ce
- Matches IP packets with ECN Congestion Experienced set.
- ip ttl TTL
- TTL is a value between 0 and 255. Matches IP packets with the given TTL value.
- ip frag
- Matches fragmented IP packets (that is, packets with the more-fragments bit
set and/or a nonzero fragment offset).
- ip unfrag
- Equivalent to 'not ip frag'.
- tcp opt TCPOPT
- TCPOPT is a TCP option name (see below). Matches TCP packets with the given
- tcp win TCPWIN
- TCPWIN is a TCP receive window length. Matches TCP packets with the given
window length. Note that window scaling is not applied.
- icmp type TYPE
- TYPE is a value between 0 and 255 or an ICMP type name (see below). Matches
ICMP packets with the given ICMP type.
- ip[POS:LEN] VALUE
- Matches packets whose IP header field starting at byte position POS, and going
on for LEN bytes, equals VALUE. You can say ip[POS] instead of
- transp[POS:LEN] VALUE
- Like ip[POS:LEN], but for transport header fields. You can also give
particular transport protocols, such as tcp[POS:LEN].
- [SRCORDST] ether host ETH
- Matches packets whose source and/or destination Ethernet address matches ETH.
The packet's MAC header annotation must be set.
- Matches every packet.
- Matches no packets.
These primitives can be combined with the connectives 'and', 'or', and 'not'
(synonyms '&&', '||', and '!'), with the ternary operator '?:' (the colon
must be surrounded by spaces!), and with parentheses. For example, '(dst port
www or dst port ssh) and tcp opt syn'.
All primitives except tcp opt accept an optional OPERATION, '==' or '!=',
which can occur before the actual option. If no OPERATION is specified, '=='
is assumed. 'src host == 10.0.0.10' matches packets whose source host is
10.0.0.10; 'src host != 10.0.0.10' matches packets whose source host is not
10.0.0.10. Directives with integer values also support the '<', '>', '<=',
and '>=' operations.
For port and icmp type directives, 'DIRECTIVE != VALUE' is not the
same as 'not (DIRECTIVE == VALUE)'. For example, 'src tcp port != 5'
matches TCP packets whose source port is not 5, while '!(src tcp port ==
5)' matches non-TCP packets as well. (The 'src tcp port != 5' option is
effectively equivalent to 'tcp and not src tcp port 5'.) Similarly, 'icmp
type != 4' will not match non-ICMP packets. The same goes for the '<', '>',
'<=', and '>=' relations.
Most primitives also accept bitmasks: 'DIRECTIVE & MASK udp] port, icmp type, tcp opt, and tcp win directives can
only be true on the first fragment of a fragmented packet.
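The difference between 'src tcp port != 5' and '!(src tcp port == 5)', modeled in Python over constructed IPv4 packets. This is an added example, not Click's code: build_ipv4, src_tcp_port and compare are hypothetical helpers, and the evaluator only models the behaviour documented above (the directive implies TCP and can only be true on a first fragment).

```python
import struct

TCP, UDP, ICMP = 6, 17, 1

def build_ipv4(proto, sport, frag_off=0):
    """Constructed sample packet: 20-byte IPv4 header plus 4 bytes of ports.
    frag_off is in 8-byte units; nonzero means a non-first fragment."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, frag_off & 0x1FFF,
                         64, proto, 0, bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]))
    return header + struct.pack("!HH", sport, 80)

def src_tcp_port(pkt, op, value):
    """Model of 'src tcp port OP VALUE': per the page it implies 'tcp' and can
    only be true on the first fragment (fragment offset 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if pkt[9] != TCP or frag_off != 0:
        return False
    sport = struct.unpack_from("!H", pkt, ihl)[0]
    return (sport == value) if op == "==" else (sport != value)

# The two forms the text contrasts, as predicates over a raw packet.
PATTERNS = {
    "src tcp port != 5": lambda p: src_tcp_port(p, "!=", 5),
    "!(src tcp port == 5)": lambda p: not src_tcp_port(p, "==", 5),
}

PACKETS = {  # all constructed for this example
    "tcp sport 5": build_ipv4(TCP, 5),
    "tcp sport 80": build_ipv4(TCP, 80),
    "udp sport 5": build_ipv4(UDP, 5),
    "icmp": build_ipv4(ICMP, 0),
    "tcp later fragment": build_ipv4(TCP, 80, frag_off=185),
}

def compare():
    """Return {packet name: (matches '!=' form, matches negated '==' form)}."""
    return {name: tuple(pat(pkt) for pat in PATTERNS.values())
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20} {result}")
```

The two forms agree only on first-fragment TCP packets; the negated form also matches UDP, ICMP and later fragments, which matters when the pattern feeds a filtering decision.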
Every IPClassifier element has an equivalent corresponding IPFilter element
and vice versa. Use the element whose syntax is more convenient for your
IPClassifier(10.0.0.0/24 and syn,
10.0.0.0/24 and fin ack,
10.0.0.0/24 and tcp,
creates an element with four outputs. The first three outputs are for TCP
packets from net 10.0.0.x. SYN packets are sent to output 0, FIN packets
with the ACK bit set to output 1, and all other TCP packets to output 2.
The last output is for all other IP packets, and non-TCP packets from net
IPClassifier(dst tcp port 8000 or 8080,
dst tcp port > 1023,
creates an element with three outputs. The first output is for TCP packets
destined for port 8000 or 8080; the second output is for TCP packets
destined for any other user port (that is, port > 1023); and the third
output is for all other TCP packets. Non-TCP packets are dropped.
- program (read-only)
- Returns a human-readable definition of the program the IPClassifier element
is using to classify packets. At each step in the program, four bytes
of packet data are ANDed with a mask and compared against four bytes of