# ct state new,established, related, untracked
[
{
"match": {
"left": {
"ct": {
"key": "state"
}
},
"op": "in",
"right": [
"established",
"related",
"new",
"untracked"
]
}
}
]
# ct state {new,established, related, untracked}
[
{
"match": {
"left": {
"ct": {
"key": "state"
}
},
"op": "==",
"right": {
"set": [
"established",
"related",
"new",
"untracked"
]
}
}
}
]
# ct state != {new,established, related, untracked}
[
{
"match": {
"left": {
"ct": {
"key": "state"
}
},
"op": "!=",
"right": {
"set": [
"established",
"related",
"new",
"untracked"
]
}
}
}
]
# ct state 8
[
{
"match": {
"left": {
"ct": {
"key": "state"
}
},
"op": "in",
"right": "new"
}
}
]
# ct direction {reply, original}
[
{
"match": {
"left": {
"ct": {
"key": "direction"
}
},
"op": "==",
"right": {
"set": [
"original",
"reply"
]
}
}
}
]
# ct direction != {reply, original}
[
{
"match": {
"left": {
"ct": {
"key": "direction"
}
},
"op": "!=",
"right": {
"set": [
"original",
"reply"
]
}
}
}
]
# ct mark or 0x23 == 0x11
[
{
"match": {
"left": {
"|": [
{
"ct": {
"key": "mark"
}
},
35
]
},
"op": "==",
"right": 17
}
}
]
# ct mark or 0x3 != 0x1
[
{
"match": {
"left": {
"|": [
{
"ct": {
"key": "mark"
}
},
3
]
},
"op": "!=",
"right": 1
}
}
]
# ct mark and 0x23 == 0x11
[
{
"match": {
"left": {
"&": [
{
"ct": {
"key": "mark"
}
},
35
]
},
"op": "==",
"right": 17
}
}
]
# ct mark and 0x3 != 0x1
[
{
"match": {
"left": {
"&": [
{
"ct": {
"key": "mark"
}
},
3
]
},
"op": "!=",
"right": 1
}
}
]
# ct mark xor 0x23 == 0x11
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "==",
"right": 50
}
}
]
# ct mark xor 0x3 != 0x1
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "!=",
"right": 2
}
}
]
# ct mark 0x00000032
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "==",
"right": 50
}
}
]
# ct mark != 0x00000032
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "!=",
"right": 50
}
}
]
# ct mark 0x00000032-0x00000045
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "==",
"right": {
"range": [ 50, 69 ]
}
}
}
]
# ct mark != 0x00000032-0x00000045
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "!=",
"right": {
"range": [ 50, 69 ]
}
}
}
]
# ct mark {0x32, 0x2222, 0x42de3}
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "==",
"right": {
"set": [
50,
8738,
273891
]
}
}
}
]
# ct mark {0x32-0x2222, 0x4444-0x42de3}
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 50, 8738 ] },
{ "range": [ 17476, 273891 ] }
]
}
}
}
]
# ct mark != {0x32, 0x2222, 0x42de3}
[
{
"match": {
"left": {
"ct": {
"key": "mark"
}
},
"op": "!=",
"right": {
"set": [
50,
8738,
273891
]
}
}
}
]
# ct mark set 0x11 xor 0x1331
[
{
"mangle": {
"key": {
"ct": {
"key": "mark"
}
},
"value": 4896
}
}
]
# ct mark set 0x11333 and 0x11
[
{
"mangle": {
"key": {
"ct": {
"key": "mark"
}
},
"value": 17
}
}
]
# ct mark set 0x12 or 0x11
[
{
"mangle": {
"key": {
"ct": {
"key": "mark"
}
},
"value": 19
}
}
]
# ct mark set 0x11
[
{
"mangle": {
"key": {
"ct": {
"key": "mark"
}
},
"value": 17
}
}
]
# ct expiration 30s
[
{
"match": {
"left": {
"ct": {
"key": "expiration"
}
},
"op": "==",
"right": 30
}
}
]
# ct expiration 30000ms
[
{
"match": {
"left": {
"ct": {
"key": "expiration"
}
},
"op": "==",
"right": 30
}
}
]
# ct expiration 1m-1h
[
{
"match": {
"left": {
"ct": {
"key": "expiration"
}
},
"op": "==",
"right": {
"range": [ 60, 3600 ]
}
}
}
]
# ct expiration > 4d23h59m59s
[
{
"match": {
"left": {
"ct": {
"key": "expiration"
}
},
"op": ">",
"right": 431999
}
}
]
# ct state . ct mark { new . 0x12345678}
[
{
"match": {
"left": {
"concat": [
{
"ct": {
"key": "state"
}
},
{
"ct": {
"key": "mark"
}
}
]
},
"op": "==",
"right": {
"set": [
{
"concat": [
"new",
305419896
]
}
]
}
}
}
]
# ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634}
[
{
"match": {
"left": {
"concat": [
{
"ct": {
"key": "state"
}
},
{
"ct": {
"key": "mark"
}
}
]
},
"op": "==",
"right": {
"set": [
{
"concat": [
"established",
309876276
]
},
{
"concat": [
"new",
305419896
]
},
{
"concat": [
"new",
873625686
]
}
]
}
}
}
]
# ct direction . ct mark { original . 0x12345678, reply . 0x87654321}
[
{
"match": {
"left": {
"concat": [
{
"ct": {
"key": "direction"
}
},
{
"ct": {
"key": "mark"
}
}
]
},
"op": "==",
"right": {
"set": [
{
"concat": [
"original",
305419896
]
},
{
"concat": [
"reply",
2271560481
]
}
]
}
}
}
]
# ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept}
[
{
"vmap": {
"key": {
"concat": [
{
"ct": {
"key": "state"
}
},
{
"ct": {
"key": "mark"
}
}
]
},
"data": {
"set": [
[
{
"concat": [
"established",
2271560481
]
},
{
"accept": null
}
],
[
{
"concat": [
"new",
305419896
]
},
{
"drop": null
}
]
]
}
}
}
]
# ct event set 1
[
{
"mangle": {
"key": {
"ct": {
"key": "event"
}
},
"value": "new"
}
}
]
# ct event set 0x0
[
{
"mangle": {
"key": {
"ct": {
"key": "event"
}
},
"value": 0
}
}
]