# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
[
    {
        "vmap": {
            "data": {
                "set": [
                    [
                        {
                            "concat": [
                                "eth0",
                                6,
                                22
                            ]
                        },
                        {
                            "accept": null
                        }
                    ],
                    [
                        {
                            "concat": [
                                "eth1",
                                17,
                                67
                            ]
                        },
                        {
                            "drop": null
                        }
                    ]
                ]
            },
            "key": {
                "concat": [
                    {
                        "meta": {
                            "key": "iifname"
                        }
                    },
                    {
                        "payload": {
                            "field": "protocol",
                            "protocol": "ip"
                        }
                    },
                    {
                        "payload": {
                            "field": "dport",
                            "protocol": "th"
                        }
                    }
                ]
            }
        }
    }
]

# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
[
    {
        "match": {
            "left": {
                "concat": [
                    {
                        "payload": {
                            "field": "saddr",
                            "protocol": "ip"
                        }
                    },
                    {
                        "payload": {
                            "base": "ih",
                            "len": 32,
                            "offset": 32
                        }
                    }
                ]
            },
            "op": "==",
            "right": {
                "set": [
                    {
                        "concat": [
                            "1.1.1.1",
                            20
                        ]
                    },
                    {
                        "concat": [
                            "2.2.2.2",
                            30
                        ]
                    }
                ]
            }
        }
    }
]

# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
[
    {
        "vmap": {
            "data": {
                "set": [
                    [
                        {
                            "concat": [
                                {
                                    "range": [
                                        47,
                                        63
                                    ]
                                },
                                "0xe373135363130333131303735353203"
                            ]
                        },
                        {
                            "accept": null
                        }
                    ]
                ]
            },
            "key": {
                "concat": [
                    {
                        "payload": {
                            "field": "length",
                            "protocol": "udp"
                        }
                    },
                    {
                        "payload": {
                            "base": "th",
                            "len": 128,
                            "offset": 160
                        }
                    }
                ]
            }
        }
    }
]