@radustoenescu
Last active October 21, 2020 13:48
Policy language description and examples
rule:                   name(params) WHEN activation_condition
                                     [LET bindings]
                                     THEN actions
                                     [EXPIRES trigger]
                                     [PRIORITY val]
activation_condition:   bool_exp
binding:                variable = expression ...
expression:             variable | header_fields | arithm_op ...
action:                 DROP, PASS, PASS_IF bool_exp          // traffic related
                        ADD_RULE label: rule_id(params)
                        REMOVE_RULE self | label | rule_id
trigger:                counter(num_packets) | time(interval) | at(time) | bool_exp

If a rule carries params, it cannot be removed by rule_id alone, since several instances of the same rule_id may be active with different params; such a rule is removed via its label or with self.

Examples

  • Drop based on destination port

    drop_dst_port(port_number) WHEN IN.TCP.DST_PORT == port_number THEN DROP

  • IP source gets rewritten

    rewrite() WHEN true THEN (PASS_IF IN.IP.SRC != OUT.IP.SRC)

    WHEN true means the rule applies to all traffic; the packet passes only if its source address differs between ingress (IN) and egress (OUT), i.e. only if it was actually rewritten.

  • IP source gets rewritten consistently for a TCP connection

    rewrite(old_address, new_address) WHEN IN.IP.SRC == old_address
                                      THEN (PASS_IF OUT.IP.SRC == new_address)
                                      EXPIRES OUT.TCP.FLAGS == FIN ACK or time(2 mins)
                                      PRIORITY 1
    nat() WHEN true
          LET new_ip = OUT.IP.SRC
              old_ip = IN.IP.SRC
          THEN
              PASS_IF old_ip != new_ip;
              ADD_RULE rewrite(old_ip, new_ip)
          PRIORITY 0
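As an added illustration (not part of the gist), a small Python evaluator that models these rule semantics and runs the NAT example above over a constructed packet trace. It represents rules as Python objects rather than parsing the DSL text, assumes that a larger PRIORITY value is evaluated first and that the first matching rule decides the verdict, and omits the time(2 mins) trigger.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]  # header fields keyed as in the DSL: "IN.IP.SRC", "OUT.TCP.FLAGS", ...
@dataclass
class Rule:
    name: str
    params: tuple
    when: Callable[[Packet, tuple], bool]              # activation_condition
    then: Callable[[Packet, tuple, "Engine"], str]     # actions; returns "PASS" or "DROP"
    expires: Optional[Callable[[Packet, tuple], bool]] = None  # trigger (bool_exp form only)
    priority: int = 0

@dataclass
class Engine:
    rules: List[Rule] = field(default_factory=list)
    def process(self, pkt: Packet) -> str:
        # Assumption: larger PRIORITY is evaluated first and the first matching rule decides.
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            if not rule.when(pkt, rule.params):
                continue
            verdict = rule.then(pkt, rule.params, self)
            if rule.expires and rule.expires(pkt, rule.params):
                self.rules.remove(rule)                # EXPIRES trigger fired: REMOVE_RULE self
            return verdict
        return "PASS"  # assumption: traffic no rule claims is passed

# rewrite(old, new) WHEN IN.IP.SRC == old THEN (PASS_IF OUT.IP.SRC == new) EXPIRES OUT.TCP.FLAGS == FIN ACK PRIORITY 1
def rewrite(old_address: str, new_address: str) -> Rule:
    return Rule("rewrite", (old_address, new_address),
                when=lambda p, a: p["IN.IP.SRC"] == a[0],
                then=lambda p, a, _: "PASS" if p["OUT.IP.SRC"] == a[1] else "DROP",
                expires=lambda p, a: p.get("OUT.TCP.FLAGS") == "FIN ACK", priority=1)  # time(2 mins) omitted

def nat_actions(p: Packet, _: tuple, engine: Engine) -> str:
    new_ip, old_ip = p["OUT.IP.SRC"], p["IN.IP.SRC"]   # LET bindings
    engine.rules.append(rewrite(old_ip, new_ip))        # ADD_RULE rewrite(old_ip, new_ip)
    return "PASS" if old_ip != new_ip else "DROP"       # PASS_IF old_ip != new_ip

NAT = Rule("nat", (), when=lambda p, a: True, then=nat_actions, priority=0)  # nat() WHEN true ... PRIORITY 0
def run_demo():  # constructed trace (not from the gist): one TCP flow whose source is rewritten
    engine = Engine([NAT])
    trace = [
        {"IN.IP.SRC": "10.0.0.1", "OUT.IP.SRC": "203.0.113.5", "OUT.TCP.FLAGS": "SYN"},
        {"IN.IP.SRC": "10.0.0.1", "OUT.IP.SRC": "203.0.113.5", "OUT.TCP.FLAGS": "ACK"},
        {"IN.IP.SRC": "10.0.0.1", "OUT.IP.SRC": "203.0.113.9", "OUT.TCP.FLAGS": "ACK"},  # inconsistent rewrite
        {"IN.IP.SRC": "10.0.0.1", "OUT.IP.SRC": "203.0.113.5", "OUT.TCP.FLAGS": "FIN ACK"},
    ]
    verdicts = [engine.process(p) for p in trace]
    return verdicts, [r.name for r in engine.rules]
```

The first packet is claimed by nat(), which installs a rewrite(10.0.0.1, 203.0.113.5) instance; the higher-priority instance then passes consistent packets, drops the inconsistently rewritten one, and removes itself on FIN ACK, leaving only nat() installed.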