================
Traffic Selector
================

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

This chapter covers some aspects related to ``traffic selector``, which is a set of rules that allows us to filter network packets based on different attributes: incoming/outgoing interface, source/destination address, protocol, VRF, etc.

``traffic selectors`` behave like ACLs (Access Control Lists) and can be used in many places in the configuration, such as ``traffic policies``, ``NAT``, ``Netflow``, ``traffic trace``, etc.

Every ``traffic selector`` contains a set of rules that are processed in order until one of them matches the current network packet. The sense of a match can be inverted by using the ``not`` command. The special ``exclude`` command can be used to stop checking the remaining rules if the current one matches.

.. note::

   Rules are evaluated in ascending order. This means that, if the first rule matches, the remaining rules are not evaluated and the network packet is selected. As a reminder, ``exclude`` is an exception: if a rule with the ``exclude`` command matches, the remaining rules are not evaluated and the packet is not selected.

Configuration
=============

This is the syntax to create a ``traffic selector``:

.. code-block:: none

   set traffic selector <name> [ ... ]

In order to attach a ``traffic selector`` to a ``traffic policy rule`` you can use the following command:

.. code-block:: none

   set traffic policy <name> rule <id> selector <selector-name>

And, in the case of an interface with NAT:

.. code-block:: none

   set interfaces <interface> traffic nat <source|destination> rule <id> selector <selector-name>

Below, you can find the different filters available. *Network family* refers to the network layer where this filter acts:

- ARP filters act on level 2.
- IPv4 / IPv6 filters act on level 3. Inet refers to both IPv4 & IPv6 filters.

The filters that do not have a specific *Network family* match on metadata of the packet rather than on a protocol header (e.g., the packet input interface).
The *compatible features* column refers to the OSDx features where a specific traffic selector filter can be used.

.. dropdown:: **Available filters**:

   +-------------------------+----------------+---------------------------------+
   | Traffic selector filter | Network family | Compatible features             |
   +=========================+================+=================================+
   | advisor                 |                | All                             |
   +-------------------------+----------------+---------------------------------+
   | app-id                  | Inet           | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | arp-operation           | ARP            | Link policy                     |
   +-------------------------+----------------+---------------------------------+
   | connmark                |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | destination             | Inet / ARP     | All                             |
   +-------------------------+----------------+---------------------------------+
   | dscp                    | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | ecn                     | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | ether-type              | ARP            | Link policy                     |
   +-------------------------+----------------+---------------------------------+
   | extra-connmark          |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | extra-mark              |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | fragmentation           | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | header-length           | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | hoplimit                | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | icmp-code               | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | icmp-type               | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | in-interface            |                | All                             |
   +-------------------------+----------------+---------------------------------+
   | ip-option               | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-dscp               | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-ecn                | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-extension          | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-fragmentation      | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-icmp-code          | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-icmp-type          | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | ipv6-next-header        | IPv6           | All, except IPv4                |
   +-------------------------+----------------+---------------------------------+
   | label                   |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | length                  | ARP            | All                             |
   +-------------------------+----------------+---------------------------------+
   | mark                    |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | ori-in-interface        |                | All                             |
   +-------------------------+----------------+---------------------------------+
   | out-interface           |                | All                             |
   +-------------------------+----------------+---------------------------------+
   | pkt-type                | ARP            | All                             |
   +-------------------------+----------------+---------------------------------+
   | protocol                | Inet           | All                             |
   +-------------------------+----------------+---------------------------------+
   | source                  | Inet / ARP     | All                             |
   +-------------------------+----------------+---------------------------------+
   | state                   |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | tcp-flags               | Inet           | All                             |
   +-------------------------+----------------+---------------------------------+
   | tcp-mss                 | Inet           | All                             |
   +-------------------------+----------------+---------------------------------+
   | tcp-option              | Inet           | All                             |
   +-------------------------+----------------+---------------------------------+
   | tcp-window              | Inet           | All                             |
   +-------------------------+----------------+---------------------------------+
   | ttl                     | IPv4           | All, except IPv6                |
   +-------------------------+----------------+---------------------------------+
   | vrf-connmark            |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+
   | vrf-mark                |                | Regular policies, NAT & Netflow |
   +-------------------------+----------------+---------------------------------+

Examples
========

Let's suppose we need to control the network packets that meet one of the following conditions:

* Source address is one of the addresses specified in the ADDR_LAN group (click :doc:`here <../group/index>` for more information about ``traffic groups``).
* Protocol is tcp and destination port is 80 or 443.
* Protocol is icmp or udp and destination address is not 10.0.0.0/24.

In order to filter the network packets that meet those constraints, you can create the following ``traffic selector``:

.. code-block:: none

   set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
   set traffic selector SEL_LAN rule 2 protocol tcp
   set traffic selector SEL_LAN rule 2 destination port 80,443
   set traffic selector SEL_LAN rule 3 protocol icmp,udp
   set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24

Every attribute configured in a rule must match for that rule to match (rule 2 requires both ``protocol tcp`` and a destination port of 80 or 443), and the first matching rule selects the packet, so the three rules act as alternatives. ``not`` only inverts the attribute it precedes: rule 3 still requires the protocol to be icmp or udp.

:ref:`Here `, you can find more examples related to ``traffic selector``.

Monitoring
==========

The operational command :osdx:op:`traffic selector * show` displays per-rule statistics: the packets and bytes that matched each rule and the packets and bytes that were evaluated against it. A rule that never matches is a quick way to spot an ordering problem, such as a rule shadowed by an earlier, broader one.

*Example:*

.. code-block:: none

   admin@osdx$ traffic selector SEL_SUBNET2 show
   Selector SEL_SUBNET2 (nat destination -- ifc eth1 -- rule 1)
   -----------------------------------------------------
   rule   pkts match   pkts eval   bytes match   bytes eval
   -----------------------------------------------------
   1      2            2           106           106
   -----------------------------------------------------
   Total  2            2           106           106

Command Summary
===============

.. osdx:cmdtree:: cfg
   :maxdepth: 4

   traffic selector

.. osdx:cmdtree:: op

   traffic selector
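The evaluation order described in the note above and illustrated by the ``SEL_LAN`` example, modelled as an added Python example (this is not OSDx code and does not run on the router). A selector is an ordered set of rules; every attribute of a rule must match, ``not`` inverts one attribute, the first matching rule decides, and a matching ``exclude`` rule deselects the packet. The ``ADDR_LAN`` membership, the packets and the ``rule N exclude`` spelling are assumptions of the model; the extra ``SEL_FIRST`` and ``SEL_LAST`` selectors show why an ``exclude`` rule placed after a broader match never takes effect.

```python
"""Model of traffic selector evaluation order (added example; not OSDx code).

Rules are evaluated in ascending order; a rule matches only when all of its
attributes match (AND within a rule), the first match decides the result (OR
across rules), ``not`` inverts a single attribute test, and a matching rule
marked ``exclude`` stops evaluation with the packet NOT selected.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ADDR_LAN traffic group referenced on the page.
GROUPS = {"ADDR_LAN": ["192.168.1.0/24", "192.168.2.0/24"]}


@dataclass
class Rule:
    conditions: dict = field(default_factory=dict)  # attr -> (value, negated)
    exclude: bool = False


def _attr_matches(attr, value, pkt):
    """Test one attribute of a packet dict; only the attributes used below are modelled."""
    if attr == "protocol":
        return pkt["protocol"] in value.split(",")
    if attr == "destination port":
        return pkt.get("dport") in {int(p) for p in value.split(",")}
    side = "src" if attr.startswith("source") else "dst"
    if attr.endswith("address"):
        return ip_address(pkt[side]) in ip_network(value)
    if attr.endswith("address-group"):
        return any(ip_address(pkt[side]) in ip_network(n) for n in GROUPS[value])
    raise ValueError(f"unsupported attribute: {attr}")


def rule_matches(rule, pkt):
    # Every condition must hold; a ``not`` condition holds when the attribute does NOT match.
    return all(_attr_matches(a, v, pkt) != neg for a, (v, neg) in rule.conditions.items())


def evaluate(rules, pkt):
    """Return (selected, rule_number): first match wins, ``exclude`` deselects."""
    for number in sorted(rules):
        if rule_matches(rules[number], pkt):
            return (not rules[number].exclude, number)
    return (False, None)


def parse_set_lines(lines):
    """Parse ``set traffic selector NAME rule N ...`` lines into {name: {N: Rule}}.

    The ``... rule N exclude`` spelling is an assumption of this model; check the
    Command Summary for the real syntax of the exclude command.
    """
    selectors = {}
    for line in lines:
        tok = line.split()
        if tok[:3] != ["set", "traffic", "selector"]:
            continue
        name, number, rest = tok[3], int(tok[5]), tok[6:]
        rule = selectors.setdefault(name, {}).setdefault(number, Rule())
        if rest == ["exclude"]:
            rule.exclude = True
            continue
        negated = rest[0] == "not"
        if negated:
            rest = rest[1:]
        rule.conditions[" ".join(rest[:-1])] = (rest[-1], negated)
    return selectors


# Constructed configuration: SEL_LAN is the page's example; SEL_FIRST puts an
# exclude for one LAN host before the broad LAN match, SEL_LAST puts it after.
CONFIG = """
set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
set traffic selector SEL_LAN rule 2 protocol tcp
set traffic selector SEL_LAN rule 2 destination port 80,443
set traffic selector SEL_LAN rule 3 protocol icmp,udp
set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24
set traffic selector SEL_FIRST rule 1 source address 192.168.1.254/32
set traffic selector SEL_FIRST rule 1 exclude
set traffic selector SEL_FIRST rule 2 source address-group ADDR_LAN
set traffic selector SEL_LAST rule 1 source address-group ADDR_LAN
set traffic selector SEL_LAST rule 2 source address 192.168.1.254/32
set traffic selector SEL_LAST rule 2 exclude
""".strip().splitlines()

SELECTORS = parse_set_lines(CONFIG)


def pkt(src, dst, protocol, dport=None):
    """Constructed packet metadata (no real packet parsing)."""
    return {"src": src, "dst": dst, "protocol": protocol, "dport": dport}


def demo():
    """Evaluate constructed packets; returns {label: (selected, rule_number)}."""
    lan_host = pkt("192.168.1.254", "10.0.0.5", "tcp", 22)
    return {
        "lan ssh": evaluate(SELECTORS["SEL_LAN"], pkt("192.168.1.10", "10.0.0.5", "tcp", 22)),
        "wan https": evaluate(SELECTORS["SEL_LAN"], pkt("172.16.0.9", "10.0.0.5", "tcp", 443)),
        "wan dns to 10/24": evaluate(SELECTORS["SEL_LAN"], pkt("172.16.0.9", "10.0.0.5", "udp", 53)),
        "wan dns elsewhere": evaluate(SELECTORS["SEL_LAN"], pkt("172.16.0.9", "8.8.8.8", "udp", 53)),
        "exclude first": evaluate(SELECTORS["SEL_FIRST"], lan_host),
        "exclude last": evaluate(SELECTORS["SEL_LAST"], lan_host),  # shadowed by rule 1
    }


if __name__ == "__main__":
    for label, (selected, number) in demo().items():
        print(f"{label:>18}: selected={selected} rule={number}")
```

Running the block prints one line per packet. The two last entries are the point of the model: the same host is deselected by ``SEL_FIRST`` but selected by ``SEL_LAST``, because in ``SEL_LAST`` rule 1 already matched and evaluation stopped before the ``exclude`` rule was reached, which is exactly the first-match behaviour the note describes.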