This section specifies the syntax and semantics for the Key Match tests.
The syntax for the KeyMatch tests is shown below.
<KeyMatchTest> :== 'KeyMatch' '(' <ProtocolField8> ')' <EqualNotEqualTest> <KeySetIdOrAny> <KeySetIdOrAny> :== <KeySetId> | 'ANY'
Note: IP match test is not available on products with Flow matcher functionality
The KeyMatch test is a more generic version of the IPMatch Test. You can specify one or 2 fields that will be matched against values entered through the IPMatchList command. If the key is found, the result of the match is the key set id associated with the value. If the key is not found, the result is 0. If this result satisfies the comparison, the filter will give a hit.
It is essential that the protocol field that is extracted for matching is of the same type as the values associated with the key set number in the IPMatchList. E.g. if a set of IPv4 addresses are associated with the key set number '7', a protocol field containing an IPv4 address must be specified when comparing to '7'.
Note: Due to the filter architecture, it is important that if you have multiple assign commands only with KeyMatch filters, then the fields extracted must be the same. So you cannot test the IP source address in one filter and the destination in another. You will then have to include both source and destination address in both filter expressions. The 'ANY' keyword can be used in this case to specify a "dummy" KeyMatch statement that will always evaluate to true. However, if the KeyMatch filters are combined with other mutually exclusive filters, these restrictions do not apply. See example below.
This example shows how to create a filter that matches IP packets coming from five distinct source IP addresses (3 IPv4 and 2 IPv6).
Define isIPv4 = Filter(Layer3Protocol == IPv4)
Define isIPv6 = Filter(Layer3Protocol == IPv6)
Define IPv4Src = Field(Layer3Header/32)
Define IPv6Src = Field(Layer3Header/128)
IPMatchList[KeySet = 7] = IPv4Addr == [10.32.1.76], [10.32.1.77], [10.33.11.6]
IPMatchList[KeySet = 8] = IPv6Addr == [DEAD:BEEF:0:0:0:0:0:27], [DEAD:BEEF:0:0:0:0:0:45]
Assign[StreamId=0] = isIPv4 AND KeyMatch(IPv4Src) == 7
Assign[StreamId=1] = isIPv6 AND KeyMatch(IPv6Src) == 8
As we have mutually exclusive filters in combination with the KeyMatch filter, there are no restrictions in what we can test for.