Custom Layer 4 rules are available to all customers with eligible services. These can be created from the Filtering page at the service level.
Below the available matching options are detailed.
BPF Match Expression
An expression in cBPF format (libpcap compatible) that matches the packets desired. This is always the first expression evaluated. For *nix users any expression that you would use in tcpdump is compatible here. For more information on BPF see the below BPF cheatsheet.
Please try and be efficient with your deployed rules. Poorly designed rules may be removed.
A list of IPv4 addresses that the rule will match. Addresses should be inserted one per line. CIDRs are supported for the NEW connection chain however should be avoided where possible.
Conditions that match on TCP options e.g MSS
Match if rate exceeds or, is under a certain limit. Can match based on the total rule hits, or on a hash based on Source IP, Source Port and/or Destination Port.
Restrict the created rule to a single Region.
Should the rule be evaluated on a new connection (recommended) or on every packet (required for example for non-syn packets for TCP). Evaluating rules per connection is recommended for low importance / priority rules.
The following targets (action performed) are currently supported.
DROP the packet. Do not forward it to your backend. Perform no further action.
Verify each TCP connection protecting against spoofed connections. Must be applied as a "All Traffic" rule.
Two match hooks are available to customers:
- New Connection
- All traffic (unavailable on Budget services)
|tcp or udp||TCP or UDP|
|tcp dst port 80||TCP port 80 (HTTP)|
|udp port 80||UDP with either src or dst port being 53 (DNS)|
|src host 220.127.116.11||incoming packet from 18.104.22.168|
|src net 22.214.171.124/24||incoming packet from 126.96.36.199/24|
|tcp src portrange 0-1023||TCP priveledged ports, i.e 0-1023|
|udp[8:4]==0x53414D50 and (udp[18:1]==0x70 or udp[18:1]==0x69 or udp[18:1]==0x63)||Specific UDP packet|
|gt 1000||IP Packet Length > 1000 bytes|
|less 1000||IP Packet Length < 1000 bytes|
|ip & 0xf !=5||IP packets with options|