Protocol arp, Protocol all, Matching specific ingress ports – Znyx Networks bh5700 User Manual

Page 116

match ip tos 0xa0 0xe0

would match an IP precedence of 5.

Specific fields can also be matched by giving their offset from the beginning of the IP header and
a field name of u8, u16, or u32, depending on the width of the field. For example, to match the
SYN bit in the TCP flags (byte 13 of the TCP header, which is at offset 33 when the IP header is
20 bytes long with no options), the specification is:

match u8 2 0x02 at 33

Several IP fields can be matched in the same filter by specifying multiple match operations. The
filter will be satisfied only if all matches are true. For example, to put all UDP packets from a
particular IP subnet into cos queue 1, the filter might be:

tc filter add dev zre5 parent 105: protocol ip u32 match ip src 10.90.90.0/24 match ip protocol 17 0xFF classid 105:2

Protocol arp

In addition to IP packets, there is a limited capability to match other types of packets. To match
an ARP packet, specify protocol arp. In this case the fields which can be matched are limited to the
ARP operation, specified by match u16 <operation> 0xffff at 6, and the target IP
address, specified by match u32 <ip address> <mask> at 24. For example:

tc filter add dev zre5 parent 105: protocol arp u32 match u16 1 0xFFFF at 6 match u32 0x0A5A5A65 0xFFFFFF at 24 classid 105:3

Protocol all

Packets with IEEE 802.3/802.2 (LLC) encapsulation can be recognized based on their
DSAP/SSAP values, using protocol all. It is also possible to match the source or destination
MAC address, or the VLAN. For this protocol, displacements are measured from the beginning
of the MAC header, which always includes a VLAN tag after the source MAC address, so a
match for DSAP 0x42 and SSAP 0x42 would be:

tc filter add dev zre5 parent 105: protocol all u32 match u16 0x4242 0xFFFF at 18 classid 105:5

To match a full MAC address, two matches are needed, since no more than 32 bits can be matched
with one specification. This filter matches a source MAC address and VLAN:

tc filter add dev zre5 parent 105: protocol all u32 match u16 0x00c0 0xffff at 6 match u32 0x95123456 0xffffffff at 8 match u16 5 0x0fff at 14 classid 105:7
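
The offsets used in the protocol all filters above can be checked offline before a filter is installed. The following Python sketch is an added example, not part of the Znyx manual; the function names and the sample frame are constructed for illustration. It splits a source MAC address and VLAN ID into the three match clauses and evaluates them, along with the DSAP/SSAP match, against a constructed VLAN-tagged 802.3/LLC frame.

```python
import struct

WIDTH = {"u8": (1, "B"), "u16": (2, "H"), "u32": (4, "I")}

def u32_match(frame, kind, value, mask, offset):
    """Evaluate one 'match <kind> <value> <mask> at <offset>' clause."""
    size, fmt = WIDTH[kind]
    if offset + size > len(frame):
        return False  # field lies beyond the end of the frame
    (field,) = struct.unpack_from("!" + fmt, frame, offset)
    return (field & mask) == (value & mask)

def src_mac_vlan_clauses(mac, vlan):
    """Split a source MAC and VLAN ID into (kind, value, mask, offset) clauses.

    Offsets count from the start of the MAC header with its VLAN tag:
    dst 0-5, src 6-11, TPID 12-13, TCI 14-15, length 16-17, DSAP 18, SSAP 19.
    """
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6 or not 0 <= vlan <= 0x0FFF:
        raise ValueError("need a 6-byte MAC and a 12-bit VLAN ID")
    hi, lo = struct.unpack("!HI", raw)  # 48 bits = one u16 plus one u32
    return [("u16", hi, 0xFFFF, 6), ("u32", lo, 0xFFFFFFFF, 8),
            ("u16", vlan, 0x0FFF, 14)]  # 0x0fff ignores the priority bits

def to_tc(clauses):
    """Render clauses in the 'match ... at ...' syntax used on this page."""
    return " ".join(f"match {k} 0x{v:x} 0x{m:x} at {o}" for k, v, m, o in clauses)

def matches_all(frame, clauses):
    """A filter is satisfied only if every clause matches."""
    return all(u32_match(frame, *c) for c in clauses)

def sample_frame(src_mac, vlan, pcp=0):
    """Constructed 802.3/LLC frame with a VLAN tag (test data, not a capture)."""
    dst = bytes.fromhex("0180c2000000")
    src = bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", 0x8100, (pcp << 13) | vlan)
    llc = bytes([0x42, 0x42, 0x03])  # DSAP, SSAP, control
    payload = bytes(35)
    return dst + src + tag + struct.pack("!H", len(llc) + len(payload)) + llc + payload

if __name__ == "__main__":
    clauses = src_mac_vlan_clauses("00:c0:95:12:34:56", 5)
    print(to_tc(clauses))
    print(matches_all(sample_frame("00:c0:95:12:34:56", 5, pcp=5), clauses))
```

Because the VLAN clause uses mask 0x0fff, a frame carrying any priority value in the upper bits of the tag still matches as long as the VLAN ID is the same.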

Matching Specific Ingress Ports

The filters shown so far apply to all packets arriving at the switch from any of the switch ports.
To restrict a filter so that it applies only to packets from a specific port or ports, or only to
packets arriving on a specific VLAN, an ingress queue discipline can be defined for those ports and
the filter defined on that qdisc. The classid of the target then identifies both the destination
port and traffic class.
An ingress qdisc is very minimal:

Ethernet Switch Blade User's Guide

release 3.2.2j
