# meta nfproto ipv4 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } } ] # meta nfproto ipv6 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } } ] # meta nfproto {ipv4, ipv6} [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": { "set": [ "ipv4", "ipv6" ] } } } ] # meta nfproto != {ipv4, ipv6} [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "!=", "right": { "set": [ "ipv4", "ipv6" ] } } } ] # meta nfproto ipv6 tcp dport 22 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "tcp" } }, "op": "==", "right": 22 } } ] # meta nfproto ipv4 tcp dport 22 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "tcp" } }, "op": "==", "right": 22 } } ] # meta nfproto ipv4 ip saddr 1.2.3.4 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "payload": { "field": "saddr", "protocol": "ip" } }, "op": "==", "right": "1.2.3.4" } } ] # meta nfproto ipv6 meta l4proto tcp [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "tcp" } } ] # meta nfproto ipv4 counter ip saddr 1.2.3.4 [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "counter": null }, { "match": { "left": { "payload": { "field": "saddr", "protocol": "ip" } }, "op": "==", "right": "1.2.3.4" } } ] # meta ipsec exists [ { "match": { "left": { "meta": { "key": "ipsec" } }, "op": "==", "right": true } } ] # meta secpath missing [ { "match": { "left": { "meta": { "key": "secpath" } }, "op": "==", "right": false } } ] # meta mark set ct mark >> 8 [ { "mangle": { "key": { "meta": { "key": "mark" } }, "value": { ">>": [ { "ct": { "key": "mark" } }, 8 ] } } } ] # meta protocol ip udp dport 67 [ { "match": { "left": { "meta": { "key": "protocol" } }, "op": "==", "right": "ip" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "udp" } }, "op": "==", "right": 67 } } ] # meta protocol ip6 udp dport 67 [ { "match": { "left": { "meta": { "key": "protocol" } }, "op": "==", "right": "ip6" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "udp" } }, "op": "==", "right": 67 } } ] # meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } [ { "match": { "left": { "concat": [ { "meta": { "key": "mark" } }, { "payload": { "field": "dport", "protocol": "tcp" } } ] }, "op": "==", "right": { "set": [ { "concat": [ { "range": [ 10, 20 ] }, { "range": [ 80, 90 ] } ] }, { "concat": [ { "range": [ 1048576, 1048867 ] }, { "range": [ 100, 120 ] } ] } ] } } } ] # ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } [ { "match": { "left": { "concat": [ { "payload": { "field": "saddr", "protocol": "ip" } }, { "meta": { "key": "mark" } } ] }, "op": "==", "right": { "set": [ { "concat": [ "1.2.3.4", 256 ] }, { "concat": [ { "range": [ "1.2.3.6", "1.2.3.8" ] }, { "range": [ 512, 768 ] } ] } ] } } } ] # ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } [ { "match": { "left": { "concat": [ { "payload": { "field": "saddr", "protocol": "ip" } }, { "meta": { "key": "mark" } } ] }, "op": "==", "right": { "set": [ { "concat": [ "1.2.3.4", 256 ] }, { "concat": [ "5.6.7.8", 512 ] } ] } } } ]