.. _clicmd_src_vnet_classify:
===============================================================
Classify cli reference
===============================================================
classify filter
-------------------------------------------------------------------------
.. code-block:: console
classify filter <intfc> | pcap mask <mask-value> match <match-value>
| trace mask <mask-value> match <match-value> [del]
[buckets <nn>] [memory-size <n>]
Construct an arbitrary set of packet classifier tables for use with
"pcap trace rx | tx," and with the vpp packet tracer
Packets which match a rule in the classifier table chain
will be traced. The tables are automatically ordered so that
matches in the most specific table are tried first.
It's reasonably likely that folks will configure a single
table with one or two matches. As a result, we configure
8 hash buckets and 128K of match rule space. One can override
the defaults by specifying "buckets <nnn>" and "memory-size <xxx>"
as desired.
To build up complex filter chains, repeatedly issue the
classify filter debug CLI command. Each command must specify the desired
mask and match values. If a classifier table with a suitable mask
already exists, the CLI command adds a match rule to the existing table.
If not, the CLI command add a new table and the indicated mask rule
Here is a terse description of the "mask <xxx>" syntax:
l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad
l3 ip4 <ip4-mask> ip6 <ip6-mask>
<ip4-mask> version hdr_length src[/width] dst[/width]
tos length fragment_id ttl protocol checksum
<ip6-mask> version traffic-class flow-label src dst proto
payload_length hop_limit protocol
l4 tcp <tcp-mask> udp <udp_mask> src_port dst_port
<tcp-mask> src dst # ports
<udp-mask> src_port dst_port
To construct matches, add the values to match after the indicated keywords:
in the match syntax. For example:
mask l3 ip4 src -> match l3 ip4 src 192.168.1.11
Configuring the classify filter
Configure a simple classify filter, and configure pcap trace rx to use it:
.. code-block:: console
classify filter rx mask l3 ip4 src match l3 ip4 src 192.168.1.11
``pcap trace rx max 100 filter``
Configure another fairly simple filter
.. code-block:: console
classify filter mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10
Configure a filter for use with the vpp packet tracer:
.. code-block:: console
classify filter trace mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10
``trace add dpdk-input 100 filter``
Clear classifier filters
``classify filter [trace | rx | tx | <intfc>] del``
To display the top-level classifier tables for each use case:
``show classify filter``
To inspect the classifier tables, use
``show classify table [verbose]``
The verbose form displays all of the match rules, with hit-counters
Declaration: ``classify_filter`` `src/vnet/classify/vnet_classify.c line 2124 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L2124>`_
Implementation: ``classify_filter_command_fn``
classify session
-------------------------------------------------------------------------
.. code-block:: console
classify session [hit-next|l2-input-hit-next|l2-output-hit-next|acl-hit-next <next_index>|policer-hit-next <policer_name>]
table-index <nn> match [hex] [l2] [l3 ip4] [opaque-index <index>]
[action set-ip4-fib-id|set-ip6-fib-id|set-sr-policy-index <n>] [del]
Declaration: ``classify_session_command`` `src/vnet/classify/vnet_classify.c line 2921 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L2921>`_
Implementation: ``classify_session_command_fn``
classify table
-------------------------------------------------------------------------
.. code-block:: console
classify table [miss-next|l2-miss_next|acl-miss-next <next_index>]
mask <mask-value> buckets <nn> [skip <n>] [match <n>]
[current-data-flag <n>] [current-data-offset <n>] [table <n>]
[memory-size <nn>[M][G]] [next-table <n>]
[del] [del-chain]
Declaration: ``classify_table`` `src/vnet/classify/vnet_classify.c line 1638 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L1638>`_
Implementation: ``classify_table_command_fn``
set interface input acl
-------------------------------------------------------------------------
.. code-block:: console
set interface input acl intfc <int> [ip4-table <index>]
[ip6-table <index>] [l2-table <index>] [ip4-punt-table <index>]
[ip6-punt-table <index> [del]
Declaration: ``set_input_acl_command`` `src/vnet/classify/in_out_acl.c line 258 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/in_out_acl.c#L258>`_
Implementation: ``set_input_acl_command_fn``
set interface output acl
-------------------------------------------------------------------------
.. code-block:: console
set interface output acl intfc <int> [ip4-table <index>]
[ip6-table <index>] [l2-table <index>] [del]
Declaration: ``set_output_acl_command`` `src/vnet/classify/in_out_acl.c line 266 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/in_out_acl.c#L266>`_
Implementation: ``set_output_acl_command_fn``
set policer classify
-------------------------------------------------------------------------
.. code-block:: console
set policer classify interface <int> [ip4-table <index>]
[ip6-table <index>] [l2-table <index>] [del]
Declaration: ``set_policer_classify_command`` `src/vnet/classify/policer_classify.c line 167 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/policer_classify.c#L167>`_
Implementation: ``set_policer_classify_command_fn``
show classify filter
-------------------------------------------------------------------------
.. code-block:: console
show classify filter [verbose [nn]]
Declaration: ``show_classify_filter`` `src/vnet/classify/vnet_classify.c line 2212 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L2212>`_
Implementation: ``show_classify_filter_command_fn``
show classify flow
-------------------------------------------------------------------------
.. code-block:: console
show classify flow type [ip4|ip6]
Declaration: ``show_flow_classify_command`` `src/vnet/classify/flow_classify.c line 216 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/flow_classify.c#L216>`_
Implementation: ``show_flow_classify_command_fn``
show classify policer
-------------------------------------------------------------------------
.. code-block:: console
show classify policer type [ip4|ip6|l2]
Declaration: ``show_policer_classify_command`` `src/vnet/classify/policer_classify.c line 232 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/policer_classify.c#L232>`_
Implementation: ``show_policer_classify_command_fn``
show classify tables
-------------------------------------------------------------------------
.. code-block:: console
show classify tables [index <nn>]
Declaration: ``show_classify_table_command`` `src/vnet/classify/vnet_classify.c line 2304 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L2304>`_
Implementation: ``show_classify_tables_command_fn``
show inacl
-------------------------------------------------------------------------
.. code-block:: console
show inacl type [ip4|ip6|l2]
Declaration: ``show_inacl_command`` `src/vnet/classify/in_out_acl.c line 391 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/in_out_acl.c#L391>`_
Implementation: ``show_inacl_command_fn``
show outacl
-------------------------------------------------------------------------
.. code-block:: console
show outacl type [ip4|ip6|l2]
Declaration: ``show_outacl_command`` `src/vnet/classify/in_out_acl.c line 396 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/in_out_acl.c#L396>`_
Implementation: ``show_outacl_command_fn``
test classify
-------------------------------------------------------------------------
.. code-block:: console
test classify [src <ip>] [sessions <nn>] [buckets <nn>] [seed <nnn>]
[memory-size <nn>[M|G]]
[churn-test]
Declaration: ``test_classify_command`` `src/vnet/classify/vnet_classify.c line 3347 <https://github.com/FDio/vpp/blob/master//src/vnet/classify/vnet_classify.c#L3347>`_
Implementation: ``test_classify_command_fn``