# meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }
[
    {
        "match": {
            "left": {
                "meta": { "key": "l4proto" }
            },
	    "op": "==",
            "right": {
                "set": [
                    "tcp",
                    "udp",
                    "sctp"
                ]
            }
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "base": "th",
                    "len": 16,
                    "offset": 16
                }
            },
	    "op": "==",
            "right": {
                "set": [
                    22,
                    23,
                    80
                ]
            }
        }
    }
]

# meta l4proto tcp @th,16,16 { 22, 23, 80}
[
    {
        "match": {
	    "left": { "meta": { "key": "l4proto" } },
	    "op": "==",
	    "right": "tcp"
	}
    },
    {
        "match": {
            "left": {
                "payload": {
                    "base": "th",
		    "len": 16,
		    "offset": 16
                }
            },
	    "op": "==",
            "right": {
                "set": [
                    22,
                    23,
                    80
                ]
            }
        }
    }
]

# @nh,8,8 255
[
    {
        "match": {
            "left": {
                "payload": {
                    "base": "nh",
                    "len": 8,
                    "offset": 8
                }
            },
	    "op": "==",
            "right": 255
        }
    }
]

# @nh,8,16 0
[
    {
        "match": {
            "left": {
                "payload": {
                    "base": "nh",
                    "len": 16,
                    "offset": 8
                }
            },
	    "op": "==",
            "right": 0
        }
    }
]

# @ll,0,1 1
[
    {
        "match": {
            "left": {
                "payload": {
                    "base": "ll",
                    "len": 1,
                    "offset": 0
                }
            },
	    "op": "==",
            "right": 1
        }
    }
]

# @ll,0,8 and 0x80 eq 0x80
[
    {
        "match": {
            "left": {
                "&": [
                    {
                        "payload": {
                            "base": "ll",
                            "len": 8,
                            "offset": 0
                        }
                    },
                    "0x80"
                ]
            },
            "op": "==",
            "right": "0x80"
        }
    }
]

# @ll,0,128 0xfedcba987654321001234567890abcde
[
    {
        "match": {
            "left": {
                "payload": {
                    "base": "ll",
                    "len": 128,
                    "offset": 0
                }
            },
	    "op": "==",
            "right": "0xfedcba987654321001234567890abcde"
        }
    }
]