December 28, 2025
Packets, potions, and parentheses
tc-ematch(8) extended matches for use with "basic", "cgroup" or "flow" filters
New Linux packet spells land—admins argue: genius or gibberish
TLDR: Linux’s tc gets extended packet matching for powerful filtering across data, metadata, sets, firewall rules. Comments split between praise and pain, mocking the cryptic syntax and debating tc vs nftables/eBPF, while many ask for clearer docs and safer examples.
Linux just refreshed its packet “match” toolbox for the tc traffic control tool, and the comment section lit up. Power users are clapping for ematch—a way to stack rules that decide which network packets get special treatment—while newcomers are begging for an English translation. One top vote: “This is regex for packets.”
What’s inside? Plain-English version: you can compare bytes in a packet (cmp), check system or firewall tags (meta, like a mark from Netfilter), search for a byte pattern (nbyte), peek at headers (u32), see if an address sits in a list (ipset), reuse firewall matches (ipt), and even match CAN bus frames (canid). It’s powerful, but the syntax looks like a wizard’s spellbook, with parentheses you must escape just right. Cue memes: “Summon packets with parentheses,” “tc = too complex.”
The civil war: old-school netops say this is the Swiss‑army upgrade they’ve wanted for shaping container traffic via cgroups; another camp shouts “just use nftables or eBPF” and calls tc a legacy maze. Pragmatists ask for clearer examples, safer defaults, and a friendlier wrapper. Credit where due: Thomas Graf’s extended match system gets nods. Curious? Check the iproute2 docs and the man page. Brace yourself for packet wizardry today.
Key Points
- ematch provides extended matching for Linux tc filters, usable with basic, cgroup, and flow filters via a defined EXPR syntax.
- Available modules include cmp (arithmetic packet data comparison), meta (metadata comparison), nbyte (byte sequence match), u32, ipset (set membership), ipt (xtables match), and canid (CAN frames).
- ipset ematch uses flags identical to iptables’ set match and supports interface-aware queries for the ip_set_hash:net,iface type using src,dst or src,src.
- Special handling with ifb devices: the outgoing device is the ifb itself; the original interface is treated as incoming for ipset queries.
- Examples demonstrate usage of cmp, meta, nbyte, u32, ipset, and ipt; ematch infrastructure was added by Thomas Graf and is part of the iproute2 project (Linux Foundation link provided).
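To make the module list and the EXPR syntax concrete, here is an added shell example; it is not code from tc-ematch(8) or the iproute2 project. It lints an ematch expression before tc sees it (balanced parentheses, a known module name in front of every `(`, no stray quotes), wraps it in a `tc filter add ... basic match '...'` command, and runs tc only when `TC_APPLY=1` is set, so by default it is a dry run you can try on any box. The device `eth0`, parent `1:`, the flowids, and the set name `demo_hosts` are placeholders chosen for this example; the expressions follow the man page's grammar (`MODULE(ARGS)`, `not`, `and`, `or`, and `( EXPR )` grouping).

```shell
#!/bin/sh
# Added example (not from tc-ematch(8) or iproute2): lint an ematch EXPR,
# build the tc "basic" filter command around it, and only run tc when asked.
# eth0, parent 1:, the flowids and the set name demo_hosts are placeholders.

# ematch_lint EXPR
# Checks what most often goes wrong before tc ever parses the rule:
#   * parentheses balance (double-quoted strings, as in nbyte("..."), are skipped)
#   * every NAME( is a module tc-ematch knows; a bare "(" is a "( EXPR )" group
#   * no single quotes, because the command builder single-quotes EXPR
# Prints "ok" and returns 0, or prints the problem and returns 1.
ematch_lint() {
    rest=$1
    depth=0      # current parenthesis nesting
    word=''      # identifier characters seen since the last separator
    inq=0        # 1 while inside a double-quoted string
    seen=0       # number of module invocations found
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}           # drop it
        if [ "$inq" -eq 1 ]; then
            if [ "$c" = '"' ]; then inq=0; fi
            continue
        fi
        case $c in
            '"') inq=1; word='' ;;
            "'") echo "single quotes are not allowed in EXPR"; return 1 ;;
            '(')
                case $word in
                    cmp|meta|nbyte|u32|ipset|ipt|canid) seen=$((seen + 1)) ;;
                    '') ;;   # "( EXPR )" grouping carries no module name
                    *) echo "unknown ematch module '$word'"; return 1 ;;
                esac
                depth=$((depth + 1)); word='' ;;
            ')')
                depth=$((depth - 1)); word=''
                if [ "$depth" -lt 0 ]; then
                    echo "unbalanced ')'"; return 1
                fi ;;
            [A-Za-z0-9_]) word="$word$c" ;;
            *) word='' ;;
        esac
    done
    if [ "$inq" -eq 1 ]; then echo 'unterminated "'; return 1; fi
    if [ "$depth" -ne 0 ]; then echo "unbalanced '(' ($depth open)"; return 1; fi
    if [ "$seen" -eq 0 ]; then echo "no ematch module in EXPR"; return 1; fi
    echo ok
}

# ematch_filter_cmd DEV PARENT EXPR FLOWID
# Prints the tc command line. EXPR is single-quoted so the shell never sees
# the parentheses; that quoting is the usual cure for the escaping complaints.
ematch_filter_cmd() {
    dev=$1; parent=$2; expr=$3; flowid=$4
    msg=$(ematch_lint "$expr") || { echo "bad EXPR: $msg" >&2; return 1; }
    printf "tc filter add dev %s parent %s basic match '%s' flowid %s\n" \
        "$dev" "$parent" "$expr" "$flowid"
}

# ematch_filter_apply DEV PARENT EXPR FLOWID
# Dry run by default; set TC_APPLY=1 (as root, with tc installed) to execute.
ematch_filter_apply() {
    cmd=$(ematch_filter_cmd "$@") || return 1
    if [ "${TC_APPLY:-0}" = 1 ] && command -v tc >/dev/null 2>&1; then
        eval "$cmd"
    else
        printf 'dry-run: %s\n' "$cmd"
    fi
}

# Dry-run demonstration with expressions in the man page's style.
ematch_filter_apply eth0 1: 'meta(nf_mark eq 24)' 1:10
ematch_filter_apply eth0 1: 'not meta(nf_mark eq 24) and cmp(u16 at 3 layer 2 mask 0xff00 gt 20)' 1:20
ematch_filter_apply eth0 1: 'ipset(demo_hosts src,dst) or nbyte("ipv6" at 5 layer 2)' 1:30
ematch_filter_apply eth0 1: 'meta(nf_mark eq 24' 1:40 || echo "rejected before reaching tc, as intended"
```

Run it as a normal user to see the four generated commands (the last one is rejected by the linter); only `TC_APPLY=1` as root actually installs filters, which is the point of separating the builder from the executor. The linter is deliberately conservative: it knows only the module names the man page lists, so a typo such as `ipsett(...)` fails locally instead of producing a confusing parser error from tc.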