EXPRESSION allows filtering based on specific criteria.
EXPRESSION consists of a series of predicates combined by
boolean operators. The possible operators, in increasing order
of precedence, are "or" (also written | or ||), "and" (also
written & or &&), and "not" (also written !). If no operator is
between consecutive predicates, an implicit "and" operator is
assumed. Subexpressions can be grouped with "(" and ")".
The following predicates are supported:
{dst|src} [=] HOST
Test if the destination or source matches HOST. See HOST
SYNTAX for details.
{dport|sport} [OP] [FAMILY:]:PORT
Compare the destination or source port to PORT. OP can be
any of "<", "<=", "=", "!=", ">=" and ">", following
normal arithmetic rules. FAMILY and PORT are as described
in HOST SYNTAX below.
dev [=|!=] DEVICE
Match based on the device the connection uses. DEVICE can
either be a device name or the index of the interface.
fwmark [=|!=] MASK
Matches based on the fwmark value for the connection. This
can either be a specific mark value or a mark value
followed by a "/" and a bitmask of which bits to use in
the comparison. For example "fwmark = 0x01/0x03" would
match if the two least significant bits of the fwmark were
0x01.
cgroup [=|!=] PATH
Match if the connection is part of a cgroup at the given
path.
autobound
Match if the port or path of the source address was
automatically allocated (rather than explicitly
specified).
Most operators have aliases. If no operator is supplied, "=" is
assumed. The operators within each of the following groups are
equivalent:
• = == eq
• != ne neq
• > gt
• < lt
• >= ge geq
• <= le leq
• ! not
• | || or
• & && and
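
Added example, not part of the ss manual page and not ss's own parser: a small Python recursive-descent parser that models the precedence, implicit "and", default "=" and alias rules stated above, so the grouping of a filter can be checked before it is used. The function name parse, the nested-tuple tree it returns, and the requirement that every token (including "(" and ")") be separated by whitespace are assumptions of this sketch.

```python
# Added sketch of the grammar described above; not ss's own parser.
ALIASES = {"==": "=", "eq": "=", "ne": "!=", "neq": "!=", "gt": ">", "lt": "<",
           "ge": ">=", "geq": ">=", "le": "<=", "leq": "<=",
           "not": "!", "||": "|", "or": "|", "&&": "&", "and": "&"}
COMPARE = {"=", "!=", ">", "<", ">=", "<="}
WITH_OPERAND = {"dst", "src", "dport", "sport", "dev", "fwmark", "cgroup"}
def parse(expression):
    """Parse whitespace-separated tokens (an assumption) into nested tuples."""
    toks = [(ALIASES.get(t, t), t) for t in expression.split()]  # (norm, raw)
    def peek():                                # normalized next token or None
        return toks[0][0] if toks else None
    def take():                                # consume one (norm, raw) pair
        if not toks:
            raise ValueError("unexpected end of expression")
        return toks.pop(0)
    def parse_or():                            # lowest precedence
        node = parse_and()
        while peek() == "|":
            take()
            node = ("or", node, parse_and())
        return node
    def parse_and():
        node = parse_not()
        while peek() not in (None, "|", ")"):
            if peek() == "&":
                take()                         # explicit "and"
            node = ("and", node, parse_not())  # otherwise implicit "and"
        return node
    def parse_not():                           # highest precedence
        if peek() == "!":
            take()
            return ("not", parse_not())
        if peek() == "(":
            take()
            node = parse_or()
            if take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        name = take()[1]
        if name == "autobound":
            return (name,)
        if name not in WITH_OPERAND:
            raise ValueError(f"unknown predicate {name!r}")
        op = take()[0] if peek() in COMPARE else "="   # "=" is the default
        return (name, op, take()[1])           # operand kept as typed
    tree = parse_or()
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return tree
```

For instance, parse("dport = :22 or sport = :22 and ! autobound") groups the "and" before the "or", which is the case most likely to surprise someone reading the filter left to right.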