================
Traffic Selector
================

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

This chapter covers some aspects related to ``traffic selector``, a set of rules that
lets us filter network packets based on different attributes: incoming/outgoing
interface, source/destination address, protocol, VRF, etc.

A ``traffic selector`` behaves like an ACL (Access Control List) and can be used in many
places of the configuration, such as ``traffic policies``, ``NAT``, ``Netflow``,
``traffic trace``, etc.

Every ``traffic selector`` contains a set of rules that are processed in order until one
of them matches the current network packet. The sense of a match can be inverted with
the ``not`` command. The special ``exclude`` command stops the evaluation of the
remaining rules when the current rule matches, and the packet is then not selected.

.. note::

   Rules are evaluated in ascending order: if the first rule matches, the remaining rules
   are not evaluated and the network packet is selected. ``exclude`` is the exception: if
   a rule with the ``exclude`` command matches, the remaining rules are not evaluated and
   the packet is **not** selected. A packet that matches no rule at all is not selected
   either.

Configuration
=============

This is the syntax to create a ``traffic selector``:

.. code-block:: none

   set traffic selector <name> rule <number> [ ... ]

In order to attach a ``traffic selector`` to a ``traffic policy rule`` you can use the
following command:

.. code-block:: none

   set traffic policy <name> rule <number> selector <selector>

And, in the case of an interface with NAT:

.. code-block:: none

   set interfaces <interface> traffic nat <nat-type> rule <number> selector <selector>

Below, you can find the different filters available. The *OSI Layer* column refers to
the layer where the filter acts:

- ARP filters act at layer 2 (data link).
- IPv4 / IPv6 filters act at layer 3 (network). Inet refers to both IPv4 and IPv6
  filters.

Filters without an *OSI Layer* entry do not inspect the packet headers; they match on
metadata associated with the packet (e.g., its input interface or a mark).
The *Compatible features* column refers to the OSDx features where a specific traffic
selector filter can be used.

.. dropdown:: **Available filters**:

   +-------------------------+---------------------------------------+---------------------------------+
   | Traffic selector filter | OSI Layer                             | Compatible features             |
   +=========================+=======================================+=================================+
   | advisor                 |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | app-id                  | Application layer                     | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | arp-operation           | Data link layer                       | Link policies                   |
   +-------------------------+---------------------------------------+---------------------------------+
   | class                   |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | connlimit               | Network / Transport layer             | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | connmark                |                                       | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | destination             | Data link / Network / Transport Layer | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | dscp                    | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ecn                     | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ether-type              | Data link layer                       | All, except NAT                 |
   +-------------------------+---------------------------------------+---------------------------------+
   | extra-connmark          |                                       | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | extra-mark              |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | fragmentation           | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | header-length           | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | hoplimit                | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | icmp-code               | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | icmp-type               | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | in-interface            |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | ip-option               | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-dscp               | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-ecn                | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-extension          | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-fragmentation      | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-icmp-code          | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-icmp-type          | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | ipv6-next-header        | Network layer (IPv6)                  | All, except IPv4                |
   +-------------------------+---------------------------------------+---------------------------------+
   | label                   |                                       | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | length                  | Data link layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | mark                    |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | ori-in-interface        |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | out-interface           |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | pkt-type                | Data link layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | protocol                | Transport layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | source                  | Data link / Network / Transport Layer | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | state                   |                                       | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | tcp-flags               | Transport layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | tcp-mss                 | Transport layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | tcp-option              | Transport layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | tcp-window              | Transport layer                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+
   | ttl                     | Network layer (IPv4)                  | All, except IPv6                |
   +-------------------------+---------------------------------------+---------------------------------+
   | vrf-connmark            |                                       | Regular policies, NAT & Netflow |
   +-------------------------+---------------------------------------+---------------------------------+
   | vrf-mark                |                                       | All                             |
   +-------------------------+---------------------------------------+---------------------------------+

Examples
========

Let's suppose we need to control the network packets that meet one of the following
conditions:

* Source address is one of the addresses specified in the ADDR_LAN group (click
  :doc:`here <../group/index>` for more information about ``traffic groups``).
* Protocol is tcp and destination port is 80 or 443.
* Protocol is icmp or udp and destination address is not in 10.0.0.0/24.

In order to filter the network packets that meet those constraints, you can create the
following ``traffic selector``:

.. code-block:: none

   set traffic selector SEL_LAN rule 1 source address-group ADDR_LAN
   set traffic selector SEL_LAN rule 2 protocol tcp
   set traffic selector SEL_LAN rule 2 destination port 80,443
   set traffic selector SEL_LAN rule 3 protocol icmp,udp
   set traffic selector SEL_LAN rule 3 not destination address 10.0.0.0/24

Note how the conditions are combined: everything configured under the same rule number
must hold at once (rule 2 requires tcp *and* port 80 or 443), whereas the different rules
are alternatives evaluated in order, so a packet is selected as soon as any one of them
matches. ``not`` in rule 3 inverts only the destination address condition, not the whole
rule.

:ref:`Here `, you can find more examples related to ``traffic selector``.
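The following Python model is an added example, not OSDx code: it implements the rule
evaluation described in the introduction (ordered rules, first match decides, ``not``
inverting one condition, ``exclude`` stopping the walk without selecting the packet)
and encodes the ``SEL_LAN`` selector from the Examples section so its behaviour can be
checked against sample packets. The ``Condition``/``Rule``/``evaluate`` names, the packet
dictionary layout, the contents of the ``ADDR_LAN`` group and the extra ``exclude`` rule
are all assumptions made for illustration; the router's internal representation is not
documented here.

```python
"""Model of traffic selector evaluation (added example, not OSDx code).

Semantics modelled from the page: rules are evaluated in ascending order and the
first rule whose conditions all hold decides the outcome. A matching ordinary rule
selects the packet; a matching ``exclude`` rule stops evaluation and does NOT select
it; ``not`` inverts a single condition. A packet matching no rule is not selected.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ADDR_LAN traffic group referenced on the page.
GROUPS = {"ADDR_LAN": ["192.168.1.0/24", "192.168.2.0/24"]}


@dataclass
class Condition:
    attr: str             # packet attribute: "source", "destination", "protocol", "dport"
    values: list          # accepted values (networks, group names, protocols, ports)
    negate: bool = False  # the ``not`` keyword: invert this one condition

    def matches(self, pkt: dict) -> bool:
        value = pkt[self.attr]
        if self.attr in ("source", "destination"):
            nets = []
            for v in self.values:
                nets.extend(GROUPS.get(v, [v]))  # expand address-group names
            hit = any(ip_address(value) in ip_network(n) for n in nets)
        else:
            hit = value in self.values
        return hit != self.negate


@dataclass
class Rule:
    number: int
    conditions: list = field(default_factory=list)
    exclude: bool = False  # the ``exclude`` keyword (assumed modelling)

    def matches(self, pkt: dict) -> bool:
        # All conditions under one rule number must hold (they are ANDed).
        return all(c.matches(pkt) for c in self.conditions)


def evaluate(rules: list, pkt: dict):
    """Return (selected, number of the rule that decided, or None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return (not rule.exclude, rule.number)
    return (False, None)


# SEL_LAN from the Examples section, encoded in this model.
SEL_LAN = [
    Rule(1, [Condition("source", ["ADDR_LAN"])]),
    Rule(2, [Condition("protocol", ["tcp"]), Condition("dport", [80, 443])]),
    Rule(3, [Condition("protocol", ["icmp", "udp"]),
             Condition("destination", ["10.0.0.0/24"], negate=True)]),
]

# Same selector with an assumed exclude rule in front: SSH to 10.0.0.1 is never
# selected, even though rule 1 would otherwise match LAN sources.
SEL_LAN_WITH_EXCLUDE = [
    Rule(0, [Condition("destination", ["10.0.0.1/32"]), Condition("dport", [22])],
         exclude=True),
] + SEL_LAN


def packet(src, dst, proto, dport=None):
    """Constructed packet summary holding only the fields the selectors look at."""
    return {"source": src, "destination": dst, "protocol": proto, "dport": dport}


if __name__ == "__main__":
    samples = [
        packet("192.168.1.10", "8.8.8.8", "udp", 53),    # rule 1: source in ADDR_LAN
        packet("203.0.113.5", "192.0.2.1", "tcp", 443),  # rule 2: tcp to port 443
        packet("203.0.113.5", "10.0.0.9", "udp", 53),    # rule 3 fails: dst in 10.0.0.0/24
        packet("203.0.113.5", "192.0.2.9", "icmp"),      # rule 3: icmp outside 10.0.0.0/24
        packet("203.0.113.5", "192.0.2.1", "tcp", 22),   # no rule matches
    ]
    for p in samples:
        print(p, "->", evaluate(SEL_LAN, p))
    print("exclude:", evaluate(SEL_LAN_WITH_EXCLUDE,
                               packet("192.168.1.10", "10.0.0.1", "tcp", 22)))
```

The third sample is the one worth staring at: it is udp, so rule 3's protocol condition
holds, but its destination lies inside 10.0.0.0/24 and the negated condition fails, so the
whole rule fails and nothing selects the packet. The last call shows why ``exclude`` rules
belong at the top: placed after rule 1 the same packet would already have been selected.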
Monitoring
==========

The operational command :osdx:op:`traffic selector * show` can be used to display the
per-rule statistics of a selector: how many packets and bytes were evaluated against
each rule and how many of them matched it. A rule that keeps accumulating evaluations but
no matches is a quick sign that the selector is not catching the traffic you expected.

*Example:*

.. code-block:: none

   admin@osdx$ traffic selector SEL_SUBNET2 show
   Selector SEL_SUBNET2 (nat destination -- ifc eth1 -- rule 1)
   -----------------------------------------------------------
   rule    pkts match    pkts eval    bytes match    bytes eval
   -----------------------------------------------------------
   1       2             2            106            106
   -----------------------------------------------------------
   Total   2             2            106            106

Command Summary
===============

.. osdx:cmdtree:: cfg
   :maxdepth: 4

   traffic selector

.. osdx:cmdtree:: op

   traffic selector