Owner's Manual
472
To match multiple bit-field values, use the logical operators listed below. The operators are
listed in order, from highest precedence to lowest precedence. Operations are left-associative.
As an example of a logical AND operation, in the following, a match occurs if the packet is the
initial packet on a TCP session:
syn & !ack
As an example of a logical OR operation, in the following, a match occurs if the packet is not
the initial packet on a TCP session:
!syn | ack
As an example of grouping, in the following, a match occurs for any packet that is either a
TCP reset or is not the initial packet in the session:
!(syn & !ack) | rst
When you specify a numeric value that has more than one bit set, the value is treated as a
logical AND of the set bits. For example, the following two values are the same and a match
occurs only if either bit 0x01 or 0x02 is not set:
!0x3
!(0x01 & 0x02)
You can use text synonyms to specify some common bit-field matches. You specify these
matches as a single keyword. For example:
-established
TCP flags
Normally, you specify this match in conjunction with the protocol match statement to
determine which protocol is being used on the port. In place of the numeric value, you can
specify one of the following text synonyms (the field values are also listed): ack (0x10), fin
(0x01), push (0x08), rst (0x04), syn (0x02), or urgent (0x20).
Logical Operator    Description
(...)               Grouping
!                   Negation
& or +              Logical AND
| or                Logical OR
Table 13-1. Bit-Field Firewall Filter Match Conditions

Match Condition          Description

Conditions with Variables

fragment-flags number    IP fragmentation flags. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000).
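The operator grammar described above (grouping, negation, AND, OR in that order of precedence, left-associative, with a multi-bit numeric value meaning an AND of its set bits), reduced to a small parser and evaluator. This is an added example written for this page, not code from the manual or from the filter implementation; parse, evaluate and tcp_match are hypothetical names, and the only keywords it knows are the TCP flag and fragment-flag tables the page lists (single-keyword text synonyms are not handled).

```python
import re
TCP_FLAG_NAMES = {"ack": 0x10, "fin": 0x01, "push": 0x08, "rst": 0x04, "syn": 0x02, "urgent": 0x20}
FRAGMENT_FLAG_NAMES = {"dont-fragment": 0x4000, "more-fragments": 0x2000, "reserved": 0x8000}

def parse(expr, names):
    """Parse one bit-field expression into a tuple AST. Precedence, highest to
    lowest: grouping, !, & (or +), |; each binary level is left-associative."""
    toks = re.findall(r"0x[0-9a-fA-F]+|\d+|[a-z-]+|[()!&+|]", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unexpected characters in {expr!r}")
    def atom():  # keyword, numeric literal, or parenthesised sub-expression
        tok = toks.pop(0) if toks else None
        if tok == "(":
            node = or_()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in names:
            return ("bits", names[tok])
        if tok and (tok.startswith("0x") or tok.isdigit()):
            return ("bits", int(tok, 16 if tok.startswith("0x") else 10))
        raise ValueError(f"unexpected token {tok!r}")
    def not_():  # ! binds tighter than & and |
        if toks and toks[0] == "!":
            toks.pop(0)
            return ("not", not_())
        return atom()
    def binary(op, sub, symbols):  # left-associative chain at one level
        node = sub()
        while toks and toks[0] in symbols:
            toks.pop(0)
            node = (op, node, sub())
        return node
    and_ = lambda: binary("and", not_, ("&", "+"))
    or_ = lambda: binary("or", and_, ("|",))
    ast = or_()
    if toks:
        raise ValueError(f"trailing tokens {toks!r}")
    return ast

def evaluate(node, value):
    if node[0] == "bits":  # a literal with several bits set is an AND of those bits
        return value & node[1] == node[1]
    if node[0] == "not":
        return not evaluate(node[1], value)
    lhs, rhs = evaluate(node[1], value), evaluate(node[2], value)
    return (lhs and rhs) if node[0] == "and" else (lhs or rhs)

def tcp_match(expr, flags):  # True if a TCP flags byte satisfies the expression
    return evaluate(parse(expr, TCP_FLAG_NAMES), flags)
```

Running the page's three examples through tcp_match shows "syn & !ack" matching only a bare SYN, and "!0x3" agreeing with "!(0x01 & 0x02)" for every flags value.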