# ip dscp cs1
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "==",
"right": "cs1"
}
}
]
# ip dscp != cs1
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "!=",
"right": "cs1"
}
}
]
# ip dscp 0x38
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "==",
"right": "0x38"
}
}
]
# ip dscp != 0x20
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "!=",
"right": "0x20"
}
}
]
# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
"cs0",
"cs1",
"cs2",
"cs3",
"cs4",
"cs5",
"cs6",
"cs7",
"af11",
"af12",
"af13",
"af21",
"af22",
"af23",
"af31",
"af32",
"af33",
"af41",
"af42",
"af43",
"ef"
]
}
}
}
]
# ip dscp != {cs0, cs3}
[
{
"match": {
"left": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
"cs0",
"cs3"
]
}
}
}
]
# ip dscp vmap { cs1 : continue , cs4 : accept } counter
[
{
"vmap": {
"key": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"data": {
"set": [
[
"cs1",
{
"continue": null
}
],
[
"cs4",
{
"accept": null
}
]
]
}
}
},
{
"counter": null
}
]
# ip length 232
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "==",
"right": 232
}
}
]
# ip length != 233
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "!=",
"right": 233
}
}
]
# ip length 333-435
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ 333, 435 ]
}
}
}
]
# ip length != 333-453
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ 333, 453 ]
}
}
}
]
# ip length { 333, 553, 673, 838}
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
333,
553,
673,
838
]
}
}
}
]
# ip length != { 333, 553, 673, 838}
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
333,
553,
673,
838
]
}
}
}
]
# ip length { 333-535}
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 333, 535 ] }
]
}
}
}
]
# ip length != { 333-535}
[
{
"match": {
"left": {
"payload": {
"field": "length",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 333, 535 ] }
]
}
}
}
]
# ip id 22
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "==",
"right": 22
}
}
]
# ip id != 233
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "!=",
"right": 233
}
}
]
# ip id 33-45
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip id != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip id { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip id != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip id { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip id != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip frag-off 222 accept
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "==",
"right": 222
}
},
{
"accept": null
}
]
# ip frag-off != 233
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "!=",
"right": 233
}
}
]
# ip frag-off 33-45
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip frag-off != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip frag-off { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip frag-off != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip frag-off { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip frag-off != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "frag-off",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip ttl 0 drop
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "==",
"right": 0
}
},
{
"drop": null
}
]
# ip ttl 233
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "==",
"right": 233
}
}
]
# ip ttl 33-55
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ 33, 55 ]
}
}
}
]
# ip ttl != 45-50
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ 45, 50 ]
}
}
}
]
# ip ttl {43, 53, 45 }
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
43,
45,
53
]
}
}
}
]
# ip ttl != {43, 53, 45 }
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
43,
45,
53
]
}
}
}
]
# ip ttl { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip ttl != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip protocol tcp
[
{
"match": {
"left": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"op": "==",
"right": "tcp"
}
}
]
# ip protocol != tcp
[
{
"match": {
"left": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"op": "!=",
"right": "tcp"
}
}
]
# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
[
{
"match": {
"left": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
"icmp",
"esp",
"ah",
"comp",
"udp",
"udplite",
"tcp",
"dccp",
"sctp"
]
}
}
},
{
"accept": null
}
]
# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
[
{
"match": {
"left": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
"icmp",
"esp",
"ah",
"comp",
"udp",
"udplite",
"tcp",
"dccp",
"sctp"
]
}
}
},
{
"accept": null
}
]
# ip protocol 255
[
{
"match": {
"left": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"op": "==",
"right": 255
}
}
]
# ip checksum 13172 drop
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "==",
"right": 13172
}
},
{
"drop": null
}
]
# ip checksum 22
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "==",
"right": 22
}
}
]
# ip checksum != 233
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "!=",
"right": 233
}
}
]
# ip checksum 33-45
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip checksum != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# ip checksum { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip checksum != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# ip checksum { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip checksum != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# ip saddr 192.168.2.0/24
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"prefix": {
"addr": "192.168.2.0",
"len": 24
}
}
}
}
]
# ip saddr != 192.168.2.0/24
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"prefix": {
"addr": "192.168.2.0",
"len": 24
}
}
}
}
]
# ip saddr 192.168.3.1 ip daddr 192.168.3.100
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.3.1"
}
},
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.3.100"
}
}
]
# ip saddr != 1.1.1.1
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "!=",
"right": "1.1.1.1"
}
}
]
# ip saddr 1.1.1.1
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "==",
"right": "1.1.1.1"
}
}
]
# ip daddr 192.168.0.1-192.168.0.250
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "192.168.0.1", "192.168.0.250" ]
}
}
}
]
# ip daddr 10.0.0.0-10.255.255.255
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "10.0.0.0", "10.255.255.255" ]
}
}
}
]
# ip daddr 172.16.0.0-172.31.255.255
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "172.16.0.0", "172.31.255.255" ]
}
}
}
]
# ip daddr 192.168.3.1-192.168.4.250
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "192.168.3.1", "192.168.4.250" ]
}
}
}
]
# ip daddr != 192.168.0.1-192.168.0.250
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ "192.168.0.1", "192.168.0.250" ]
}
}
}
]
# ip daddr { 192.168.0.1-192.168.0.250}
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ "192.168.0.1", "192.168.0.250" ] }
]
}
}
}
]
# ip daddr != { 192.168.0.1-192.168.0.250}
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ "192.168.0.1", "192.168.0.250" ] }
]
}
}
}
]
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"set": [
"192.168.5.1",
"192.168.5.2",
"192.168.5.3"
]
}
}
},
{
"accept": null
}
]
# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"set": [
"192.168.5.1",
"192.168.5.2",
"192.168.5.3"
]
}
}
},
{
"accept": null
}
]
# ip daddr 192.168.1.2-192.168.1.55
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "192.168.1.2", "192.168.1.55" ]
}
}
}
]
# ip daddr != 192.168.1.2-192.168.1.55
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ "192.168.1.2", "192.168.1.55" ]
}
}
}
]
# ip saddr 192.168.1.3-192.168.33.55
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "==",
"right": {
"range": [ "192.168.1.3", "192.168.33.55" ]
}
}
}
]
# ip saddr != 192.168.1.3-192.168.33.55
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"op": "!=",
"right": {
"range": [ "192.168.1.3", "192.168.33.55" ]
}
}
}
]
# ip daddr 192.168.0.1
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.0.1"
}
}
]
# ip daddr 192.168.0.1 drop
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.0.1"
}
},
{
"drop": null
}
]
# ip daddr 192.168.0.2
[
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.0.2"
}
}
]
# ip saddr & 0xff == 1
[
{
"match": {
"left": {
"&": [
{
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"0xff"
]
},
"op": "==",
"right": 1
}
}
]
# ip saddr & 0.0.0.255 < 0.0.0.127
[
{
"match": {
"left": {
"&": [
{
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"0.0.0.255"
]
},
"op": "<",
"right": "0.0.0.127"
}
}
]
# ip saddr & 0xffff0000 == 0xffff0000
[
{
"match": {
"left": {
"&": [
{
"payload": {
"field": "saddr",
"protocol": "ip"
}
},
"0xffff0000"
]
},
"op": "==",
"right": "0xffff0000"
}
}
]
# ip version 4 ip hdrlength 5
[
{
"match": {
"left": {
"payload": {
"field": "version",
"protocol": "ip"
}
},
"op": "==",
"right": 4
}
},
{
"match": {
"left": {
"payload": {
"field": "hdrlength",
"protocol": "ip"
}
},
"op": "==",
"right": 5
}
}
]
# ip hdrlength 0
[
{
"match": {
"left": {
"payload": {
"field": "hdrlength",
"protocol": "ip"
}
},
"op": "==",
"right": 0
}
}
]
# ip hdrlength 15
[
{
"match": {
"left": {
"payload": {
"field": "hdrlength",
"protocol": "ip"
}
},
"op": "==",
"right": 15
}
}
]
# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
[
{
"vmap": {
"key": {
"payload": {
"field": "hdrlength",
"protocol": "ip"
}
},
"data": {
"set": [
[
{ "range": [ 0, 4 ] },
{ "drop": null }
],
[
5,
{ "accept": null }
],
[
6,
{ "continue": null }
]
]
}
}
},
{
"counter": null
}
]
# iif "lo" ip daddr set 127.0.0.1
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"value": "127.0.0.1"
}
}
]
# iif "lo" ip checksum set 0
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "checksum",
"protocol": "ip"
}
},
"value": 0
}
}
]
# iif "lo" ip id set 0
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "id",
"protocol": "ip"
}
},
"value": 0
}
}
]
# iif "lo" ip ecn set 1
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "ecn",
"protocol": "ip"
}
},
"value": 1
}
}
]
# iif "lo" ip ecn set ce
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "ecn",
"protocol": "ip"
}
},
"value": "ce"
}
}
]
# iif "lo" ip ttl set 23
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "ttl",
"protocol": "ip"
}
},
"value": 23
}
}
]
# iif "lo" ip protocol set 1
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "protocol",
"protocol": "ip"
}
},
"value": 1
}
}
]
# iif "lo" ip dscp set af23
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"value": "af23"
}
}
]
# iif "lo" ip dscp set cs0
[
{
"match": {
"left": {
"meta": { "key": "iif" }
},
"op": "==",
"right": "lo"
}
},
{
"mangle": {
"key": {
"payload": {
"field": "dscp",
"protocol": "ip"
}
},
"value": "cs0"
}
}
]