Classify cli reference

classify filter

classify filter <intfc> | pcap mask <mask-value> match <match-value>
  | trace mask <mask-value> match <match-value> [del]
    [buckets <nn>] [memory-size <n>]

Construct an arbitrary set of packet classifier tables for use with “pcap rx | tx trace,” and with the vpp packet tracer

Packets which match a rule in the classifier table chain will be traced. The tables are automatically ordered so that matches in the most specific table are tried first.

It’s reasonably likely that folks will configure a single table with one or two matches. As a result, we configure 8 hash buckets and 128K of match rule space. One can override the defaults by specifying “buckets <nnn>” and “memory-size <xxx>” as desired.

To build up complex filter chains, repeatedly issue the classify filter debug CLI command. Each command must specify the desired mask and match values. If a classifier table with a suitable mask already exists, the CLI command adds a match rule to the existing table. If not, the CLI command add a new table and the indicated mask rule

Here is a terse description of the “mask <xxx>” syntax:

l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad

l3 ip4 <ip4-mask> ip6 <ip6-mask>

<ip4-mask> version hdr_length src[/width] dst[/width]

tos length fragment_id ttl protocol checksum

<ip6-mask> version traffic-class flow-label src dst proto

payload_length hop_limit protocol

l4 tcp <tcp-mask> udp <udp_mask> src_port dst_port

<tcp-mask> src dst # ports

<udp-mask> src_port dst_port

To construct matches, add the values to match after the indicated keywords: in the match syntax. For example: mask l3 ip4 src -> match l3 ip4 src 192.168.1.11

Configuring the classify filter

Configure a simple classify filter, and configure pcap rx trace to use it:

classify filter rx mask l3 ip4 src match l3 ip4 src 192.168.1.11

pcap rx trace on max 100 filter

Configure another fairly simple filter

classify filter mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10

Configure a filter for use with the vpp packet tracer:

classify filter trace mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10

trace add dpdk-input 100 filter

Clear classifier filters

classify filter [trace | rx | tx  | <intfc>] del

To display the top-level classifier tables for each use case: show classify filter

To inspect the classifier tables, use

show classify table [verbose] The verbose form displays all of the match rules, with hit-counters

Declaration: classify_filter src/vnet/classify/vnet_classify.c line 2130

Implementation: classify_filter_command_fn

classify session

classify session [hit-next|l2-input-hit-next|l2-output-hit-next|acl-hit-next <next_index>|policer-hit-next <policer_name>]
 table-index <nn> match [hex] [l2] [l3 ip4] [opaque-index <index>]
 [action set-ip4-fib-id|set-ip6-fib-id|set-sr-policy-index <n>] [del]

Declaration: classify_session_command src/vnet/classify/vnet_classify.c line 2935

Implementation: classify_session_command_fn

classify table

classify table [miss-next|l2-miss_next|acl-miss-next <next_index>]
 mask <mask-value> buckets <nn> [skip <n>] [match <n>]
 [current-data-flag <n>] [current-data-offset <n>] [table <n>]
 [memory-size <nn>[M][G]] [next-table <n>]
 [del] [del-chain]

Declaration: classify_table src/vnet/classify/vnet_classify.c line 1642

Implementation: classify_table_command_fn

set interface input acl

set interface input acl intfc <int> [ip4-table <index>]
  [ip6-table <index>] [l2-table <index>] [ip4-punt-table <index>]
  [ip6-punt-table <index> [del]

Declaration: set_input_acl_command src/vnet/classify/in_out_acl.c line 259

Implementation: set_input_acl_command_fn

set interface output acl

set interface output acl intfc <int> [ip4-table <index>]
  [ip6-table <index>] [l2-table <index>] [del]

Declaration: set_output_acl_command src/vnet/classify/in_out_acl.c line 267

Implementation: set_output_acl_command_fn

set policer classify

set policer classify interface <int> [ip4-table <index>]
  [ip6-table <index>] [l2-table <index>] [del]

Declaration: set_policer_classify_command src/vnet/classify/policer_classify.c line 168

Implementation: set_policer_classify_command_fn

show classify filter

show classify filter [verbose [nn]]

Declaration: show_classify_filter src/vnet/classify/vnet_classify.c line 2220

Implementation: show_classify_filter_command_fn

show classify flow

show classify flow type [ip4|ip6]

Declaration: show_flow_classify_command src/vnet/classify/flow_classify.c line 219

Implementation: show_flow_classify_command_fn

show classify policer

show classify policer type [ip4|ip6|l2]

Declaration: show_policer_classify_command src/vnet/classify/policer_classify.c line 235

Implementation: show_policer_classify_command_fn

show classify tables

show classify tables [index <nn>]

Declaration: show_classify_table_command src/vnet/classify/vnet_classify.c line 2316

Implementation: show_classify_tables_command_fn

show inacl

show inacl type [ip4|ip6|l2]

Declaration: show_inacl_command src/vnet/classify/in_out_acl.c line 396

Implementation: show_inacl_command_fn

show outacl

show outacl type [ip4|ip6|l2]

Declaration: show_outacl_command src/vnet/classify/in_out_acl.c line 401

Implementation: show_outacl_command_fn

test classify

test classify [src <ip>] [sessions <nn>] [buckets <nn>] [seed <nnn>]
              [memory-size <nn>[M|G]]
              [churn-test]

Declaration: test_classify_command src/vnet/classify/vnet_classify.c line 3358

Implementation: test_classify_command_fn