Match Conditions
You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:
- ethernet-source-address [mac-address | pre-defined-mac ] mask—Ethernet source address
- ethernet-destination-address [mac-address | pre-defined-mac ] mask—Ethernet destination address and mask
- ethernet-type value {mask value}—Ethernet type, accepts an optional mask.
- source-address prefix—IP source address and mask
- destination-address prefix—IP destination address and mask
- destination-port value {mask value}—IP destination port, accepts optional mask
- source-port [value {mask value}|range]—TCP or UDP source port with optional mask or TCP or UDP source port range
- destination-port [port {mask value} |range]—TCP or UDP destination port with optional mask or TCP or UDP destination port range
- ttl value {mask value}—condition with optional mask that matches IPv4 Time-To-Live and IPv6 Hop Limit.
- ip-tos value {mask value}—this condition accepts optional masks
- vlan-format—matches packets based on their VLAN format. Can be one of the following values:
  - untagged—all untagged packets
  - single-tagged—all packets with only a single tag
  - double-tagged—all packets with a double tag
  - outer-tagged—all packets with at least one tag; for example, single tag or double tag
- fragments—matches any fragment of fragmented packet, including the first fragment
- first-fragments—matches only the first fragment of a fragmented packet.
- l4-match value offset offset mask mask value—generic bit-matching pattern starting at the Layer 4 header of four separate chunks of 32 bits, each fully bit-maskable with a unique offset. Unlike the other match criteria, this one can appear up to four times in a single rule, each specified as a logical AND, to match up to four separate chunks of 32 bits. Each chunk is fully bit-maskable with a unique offset. The matching data must be within the first 128 bytes of the packet. This match criterion is intended for advanced users only.
  - value—32-bit value
  - offset—number of bytes from the start of the Layer 4 header (for example, TCP header)
  - mask—32-bit mask value applied to value for matching. Mask is optional. The default is 0xffffffff.
ACL Match Conditions describes all the possible match conditions.
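To check an l4-match rule before deploying it, the following added example (not vendor code) models the value/offset/mask semantics described above on a constructed Ethernet/IPv4/TCP packet. It assumes network byte order for each 32-bit chunk and that a chunk extending past byte 128 or past the end of the packet does not match; `l4_match`, `build_sample`, `L4_START` and `SYN_TO_443` are hypothetical names.

```python
import struct

MAX_MATCH_BYTES = 128  # page: matching data must be within the first 128 bytes
MAX_CHUNKS = 4         # page: the criterion can appear up to four times per rule
L4_START = 34          # constructed sample: 14-byte Ethernet + 20-byte IPv4 header


def l4_match(packet, chunks, l4_start=L4_START):
    """Return True if every (value, offset, mask) chunk matches the packet.

    offset counts bytes from the start of the Layer 4 header; a mask of
    None means the documented default of 0xffffffff.
    """
    if len(chunks) > MAX_CHUNKS:
        raise ValueError("at most four l4-match chunks per rule")
    for value, offset, mask in chunks:
        mask = 0xFFFFFFFF if mask is None else mask
        start = l4_start + offset
        end = start + 4
        # Assumption: data outside the 128-byte window or the packet never matches.
        if end > MAX_MATCH_BYTES or end > len(packet):
            return False
        (word,) = struct.unpack_from("!I", packet, start)  # assumption: big-endian
        if (word & mask) != (value & mask):
            return False  # chunks combine as a logical AND
    return True


def build_sample(flags, dport=443, padding=0):
    """Constructed test packet: zeroed Ethernet/IPv4 fields plus a TCP header."""
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x45]) + bytes(8) + bytes([6]) + bytes(10)
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp + bytes(padding)


# Two chunks ANDed together: TCP destination port 443 (low 16 bits of the
# word at offset 0) and SYN set with ACK clear (flag bits in the word at offset 12).
SYN_TO_443 = [
    (0x000001BB, 0, 0x0000FFFF),
    (0x00020000, 12, 0x00120000),
]
```

Masking only the SYN and ACK bits leaves the data offset, the other flags and the window size as "don't care", which is the reason to supply a mask instead of relying on the 0xffffffff default.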