# ct state new,established, related, untracked [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": [ "new", "established", "related", "untracked" ] } } ] # ct state != related [ { "match": { "left": { "ct": { "key": "state" } }, "op": "!=", "right": "related" } } ] # ct state {new,established, related, untracked} [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": { "set": [ "new", "established", "related", "untracked" ] } } } ] # ct state != {new,established, related, untracked} [ { "match": { "left": { "ct": { "key": "state" } }, "op": "!=", "right": { "set": [ "new", "established", "related", "untracked" ] } } } ] # ct state invalid drop [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": "invalid" } }, { "drop": null } ] # ct state established accept [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": "established" } }, { "accept": null } ] # ct state 8 [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": 8 } } ] # ct direction original [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "==", "right": "original" } } ] # ct direction != original [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "!=", "right": "original" } } ] # ct direction reply [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "==", "right": "reply" } } ] # ct direction != reply [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "!=", "right": "reply" } } ] # ct direction {reply, original} [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "in", "right": { "set": [ "reply", "original" ] } } } ] # ct direction != {reply, original} [ { "match": { "left": { "ct": { "key": "direction" } }, "op": "!=", "right": { "set": [ "reply", "original" ] } } } ] # ct status expected [ { "match": { "left": { "ct": { "key": "status" } }, "op": "in", "right": "expected" } } ] # ct status != expected [ { "match": { "left": { "ct": { "key": "status" } }, "op": "!=", "right": "expected" } } ] # ct status seen-reply [ { "match": { "left": { "ct": { "key": "status" } }, "op": "in", "right": "seen-reply" } } ] # ct status != seen-reply [ { "match": { "left": { "ct": { "key": "status" } }, "op": "!=", "right": "seen-reply" } } ] # ct status {expected, seen-reply, assured, confirmed, dying} [ { "match": { "left": { "ct": { "key": "status" } }, "op": "==", "right": { "set": [ "expected", "seen-reply", "assured", "confirmed", "dying" ] } } } ] # ct status != {expected, seen-reply, assured, confirmed, dying} [ { "match": { "left": { "ct": { "key": "status" } }, "op": "!=", "right": { "set": [ "expected", "seen-reply", "assured", "confirmed", "dying" ] } } } ] # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying [ { "match": { "left": { "ct": { "key": "status" } }, "op": "in", "right": [ "expected", "seen-reply", "assured", "confirmed", "snat", "dnat", "dying" ] } } ] # ct status snat [ { "match": { "left": { "ct": { "key": "status" } }, "op": "in", "right": "snat" } } ] # ct status dnat [ { "match": { "left": { "ct": { "key": "status" } }, "op": "in", "right": "dnat" } } ] # ct status ! dnat [ { "match": { "left": { "ct": { "key": "status" } }, "op": "!", "right": "dnat" } } ] # ct mark 0 [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "==", "right": 0 } } ] # ct mark or 0x23 == 0x11 [ { "match": { "left": { "|": [ { "ct": { "key": "mark" } }, "0x23" ] }, "op": "==", "right": "0x11" } } ] # ct mark or 0x3 != 0x1 [ { "match": { "left": { "|": [ { "ct": { "key": "mark" } }, "0x3" ] }, "op": "!=", "right": "0x1" } } ] # ct mark and 0x23 == 0x11 [ { "match": { "left": { "&": [ { "ct": { "key": "mark" } }, "0x23" ] }, "op": "==", "right": "0x11" } } ] # ct mark and 0x3 != 0x1 [ { "match": { "left": { "&": [ { "ct": { "key": "mark" } }, "0x3" ] }, "op": "!=", "right": "0x1" } } ] # ct mark xor 0x23 == 0x11 [ { "match": { "left": { "^": [ { "ct": { "key": "mark" } }, "0x23" ] }, "op": "==", "right": "0x11" } } ] # ct mark xor 0x3 != 0x1 [ { "match": { "left": { "^": [ { "ct": { "key": "mark" } }, "0x3" ] }, "op": "!=", "right": "0x1" } } ] # ct mark set ct mark or 0x00000001 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "|": [ { "ct": { "key": "mark" } }, 1 ] } } } ] # ct mark 0x00000032 [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "==", "right": "0x00000032" } } ] # ct mark != 0x00000032 [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "!=", "right": "0x00000032" } } ] # ct mark 0x00000032-0x00000045 [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "==", "right": { "range": [ "0x00000032", "0x00000045" ] } } } ] # ct mark != 0x00000032-0x00000045 [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "!=", "right": { "range": [ "0x00000032", "0x00000045" ] } } } ] # ct mark {0x32, 0x2222, 0x42de3} [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "in", "right": { "set": [ "0x32", "0x2222", "0x42de3" ] } } } ] # ct mark {0x32-0x2222, 0x4444-0x42de3} [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "in", "right": { "set": [ { "range": [ "0x32", "0x2222" ] }, { "range": [ "0x4444", "0x42de3" ] } ] } } } ] # ct mark != {0x32, 0x2222, 0x42de3} [ { "match": { "left": { "ct": { "key": "mark" } }, "op": "!=", "right": { "set": [ "0x32", "0x2222", "0x42de3" ] } } } ] # ct mark set 0x11 xor 0x1331 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "^": [ "0x11", "0x1331" ] } } } ] # ct mark set 0x11333 and 0x11 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "&": [ "0x11333", "0x11" ] } } } ] # ct mark set 0x12 or 0x11 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "|": [ "0x12", "0x11" ] } } } ] # ct mark set 0x11 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": "0x11" } } ] # ct mark set mark [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "meta": { "key": "mark" } } } } ] # ct mark set (meta mark | 0x10) << 8 [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "<<": [ { "|": [ { "meta": { "key": "mark" } }, 16 ] }, 8 ] } } } ] # ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 } [ { "mangle": { "key": { "ct": { "key": "mark" } }, "value": { "map": { "key": { "meta": { "key": "mark" } }, "data": { "set": [ [ 1, 10 ], [ 2, 20 ], [ 3, 30 ] ] } } } } } ] # ct expiration 30s [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": "30s" } } ] # ct expiration 30000ms [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": "30000ms" } } ] # ct expiration 1m-1h [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": { "range": [ "1m", "1h" ] } } } ] # ct expiration > 4d23h59m59s [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": ">", "right": "4d23h59m59s" } } ] # ct expiration != 233 [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "!=", "right": 233 } } ] # ct expiration 33-45 [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": { "range": [ 33, 45 ] } } } ] # ct expiration != 33-45 [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "!=", "right": { "range": [ 33, 45 ] } } } ] # ct expiration {33, 55, 67, 88} [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # ct expiration != {33, 55, 67, 88} [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "!=", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # ct expiration {33-55, 66-88} [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "==", "right": { "set": [ { "range": [ 33, 55 ] }, { "range": [ 66, 88 ] } ] } } } ] # ct expiration != {33-55, 66-88} [ { "match": { "left": { "ct": { "key": "expiration" } }, "op": "!=", "right": { "set": [ { "range": [ 33, 55 ] }, { "range": [ 66, 88 ] } ] } } } ] # ct helper "ftp" [ { "match": { "left": { "ct": { "key": "helper" } }, "op": "==", "right": "ftp" } } ] # ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634} [ { "match": { "left": { "concat": [ { "ct": { "key": "state" } }, { "ct": { "key": "mark" } } ] }, "op": "==", "right": { "set": [ { "concat": [ "new", "0x12345678" ] }, { "concat": [ "new", "0x34127856" ] }, { "concat": [ "established", "0x12785634" ] } ] } } } ] # ct direction . ct mark { original . 0x12345678, reply . 0x87654321} [ { "match": { "left": { "concat": [ { "ct": { "key": "direction" } }, { "ct": { "key": "mark" } } ] }, "op": "==", "right": { "set": [ { "concat": [ "original", "0x12345678" ] }, { "concat": [ "reply", "0x87654321" ] } ] } } } ] # ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept} [ { "vmap": { "key": { "concat": [ { "ct": { "key": "state" } }, { "ct": { "key": "mark" } } ] }, "data": { "set": [ [ { "concat": [ "new", "0x12345678" ] }, { "drop": null } ], [ { "concat": [ "established", "0x87654321" ] }, { "accept": null } ] ] } } } ] # ct original bytes > 100000 [ { "match": { "left": { "ct": { "dir": "original", "key": "bytes" } }, "op": ">", "right": 100000 } } ] # ct reply packets < 100 [ { "match": { "left": { "ct": { "dir": "reply", "key": "packets" } }, "op": "<", "right": 100 } } ] # ct bytes > 100000 [ { "match": { "left": { "ct": { "key": "bytes" } }, "op": ">", "right": 100000 } } ] # ct avgpkt > 200 [ { "match": { "left": { "ct": { "key": "avgpkt" } }, "op": ">", "right": 200 } } ] # ct original avgpkt < 500 [ { "match": { "left": { "ct": { "dir": "original", "key": "avgpkt" } }, "op": "<", "right": 500 } } ] # ct event set new [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": "new" } } ] # ct event set new | related | destroy | label [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": [ "new", "related", "destroy", "label" ] } } ] # ct event set new,related,destroy,label [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": [ "new", "related", "destroy", "label" ] } } ] # ct event set new,destroy [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": [ "new", "destroy" ] } } ] # ct event set 1 [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": 1 } } ] # ct event set 0x0 [ { "mangle": { "key": { "ct": { "key": "event" } }, "value": "0x0" } } ] # ct label 127 [ { "match": { "left": { "ct": { "key": "label" } }, "op": "in", "right": 127 } } ] # ct label set 127 [ { "mangle": { "key": { "ct": { "key": "label" } }, "value": 127 } } ] # ct zone 0 [ { "match": { "left": { "ct": { "key": "zone" } }, "op": "==", "right": 0 } } ] # ct zone 23 [ { "match": { "left": { "ct": { "key": "zone" } }, "op": "==", "right": 23 } } ] # ct original zone 1 [ { "match": { "left": { "ct": { "dir": "original", "key": "zone" } }, "op": "==", "right": 1 } } ] # ct reply zone 1 [ { "match": { "left": { "ct": { "dir": "reply", "key": "zone" } }, "op": "==", "right": 1 } } ] # ct zone set 1 [ { "mangle": { "key": { "ct": { "key": "zone" } }, "value": 1 } } ] # ct original zone set 1 [ { "mangle": { "key": { "ct": { "dir": "original", "key": "zone" } }, "value": 1 } } ] # ct reply zone set 1 [ { "mangle": { "key": { "ct": { "dir": "reply", "key": "zone" } }, "value": 1 } } ] # ct id 12345 [ { "match": { "left": { "ct": { "key": "id" } }, "op": "==", "right": 12345 } } ] # ct zone set mark map { 1 : 1, 2 : 2 } [ { "mangle": { "key": { "ct": { "key": "zone" } }, "value": { "map": { "key": { "meta": { "key": "mark" } }, "data": { "set": [ [ 1, 1 ], [ 2, 2 ] ] } } } } } ] # notrack [ { "notrack": null } ]