Network flow rule
Rules are stored in a table in which one or more match entries are followed by an action. If more than one match precedes an action, the rule is the AND of all matches. An action with no preceding match is always taken, since it matches anything. If nothing matches before the end of the table, the default action is DROP.
This is designed to be a more memory-efficient way of storing rules than a wide table, yet still fast and simple to access in code.
Type and flags
Bits are: NOTTTTTT
N - If true, sense of match is inverted (no effect on actions)
O - If true, result is ORed with previous instead of ANDed (no effect on actions)
T - Rule or action type
AND with 0x3f to get type, 0x80 to get NOT bit, and 0x40 to get OR bit.
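The table semantics and the NOTTTTTT byte described above, as an added example in C that is not ZeroTier's own code: it decodes the flag bits with the 0x3f/0x80/0x40 masks and walks a small rule table, ANDing or ORing each match into the current group and taking the next action only if the group holds. The type numbers, the two match kinds (Ethernet type and IP destination port range) and the sample table are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Bit layout of the type/flags byte (NOTTTTTT) from the description above. */
#define RULE_TYPE_MASK 0x3f
#define RULE_NOT_BIT   0x80
#define RULE_OR_BIT    0x40
/* Type numbers are an assumption for this example (ZeroTier's real numbering is not on this
 * page): types <= ACTION_ACCEPT are actions, everything above is a match. */
enum { ACTION_DROP = 0, ACTION_ACCEPT = 1, MATCH_ETHERTYPE = 2, MATCH_IP_DEST_PORT_RANGE = 3 };
struct rule {
    uint8_t t;                                         /* NOTTTTTT */
    union { uint16_t etherType; uint16_t port[2]; } v; /* which member is used depends on t */
};
struct frame { uint16_t etherType; uint16_t dport; };  /* fields we match on, host byte order */

static bool match_value(const struct rule *r, const struct frame *f) {
    switch (r->t & RULE_TYPE_MASK) {
    case MATCH_ETHERTYPE:          return f->etherType == r->v.etherType;
    case MATCH_IP_DEST_PORT_RANGE: return f->dport >= r->v.port[0] && f->dport <= r->v.port[1];
    default:                       return false;
    }
}
/* Walk the table: matches accumulate into a group, the next action ends the group.
 * Returns the action type taken, or ACTION_DROP when the end of the table is reached. */
int evaluate(const struct rule *rules, size_t n, const struct frame *f) {
    bool acc = true; /* starts true, so an action with no preceding match is always taken */
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if ((r->t & RULE_TYPE_MASK) <= ACTION_ACCEPT) {          /* an action entry */
            if (acc) return r->t & RULE_TYPE_MASK;
            acc = true; /* action skipped: the next group starts fresh */
            continue;
        }
        bool m = match_value(r, f);
        if (r->t & RULE_NOT_BIT) m = !m;                         /* N bit: invert the match */
        acc = (r->t & RULE_OR_BIT) ? (acc || m) : (acc && m);  /* O bit: OR instead of AND */
    }
    return ACTION_DROP;
}
/* Constructed table: accept IPv4 to port 80, accept anything that is not IPv4, else drop. */
static const struct rule table[] = {
    { MATCH_ETHERTYPE, { .etherType = 0x0800 } }, { MATCH_IP_DEST_PORT_RANGE, { .port = { 80, 80 } } },
    { ACTION_ACCEPT, { 0 } },
    { MATCH_ETHERTYPE | RULE_NOT_BIT, { .etherType = 0x0800 } }, { ACTION_ACCEPT, { 0 } },
};
int classify(uint16_t etherType, uint16_t dport) {
    struct frame f = { etherType, dport };
    return evaluate(table, sizeof table / sizeof table[0], &f);
}
```

Note that because the group accumulator starts true, a match carrying the O bit as the first entry of a group is degenerate (true OR anything is true); a group should open with an AND match.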
IPv6 address in big-endian / network byte order and netmask bits
IPv4 address in big-endian / network byte order
Integer range match in packet payload
This allows matching of ranges of integers up to 64 bits wide where the range is +/- INT32_MAX. It's packed this way so it fits in 16 bytes and doesn't enlarge the overall size of this union.
Packet characteristic flags being matched
IP port range – start-end inclusive – host byte order
40-bit ZeroTier address (in least significant bits, host byte order)
0 = never, UINT32_MAX = always
48-bit Ethernet MAC address in big-endian order
VLAN ID in host byte order
VLAN PCP (least significant 3 bits)
VLAN DEI (single bit / boolean)
Ethernet type in host byte order
IP type of service a.k.a. DSCP field
Ethernet packet size in host byte order (start-end, inclusive)
ICMP type and code
For tag-related rules
Destinations for TEE and REDIRECT
Quality of Service (QoS) bucket we want a frame to be placed in
Union containing the value of this rule – which field is used depends on 't'
Updated on 25 October 2021 at 23:59:59 UTC