Introduction

Custom Layer 4 rules are available to all customers with eligible services. These can be created from the Filtering page at the service level.

Match Options

Below the available matching options are detailed.

BPF Match Expression

An expression in cBPF format (libpcap compatible) that matches the desired packets. This is always the first expression evaluated. For *nix users, any expression you would use with tcpdump is compatible here. For more information on BPF, see the BPF cheatsheet below.

Please try to be efficient with your deployed rules. Poorly designed rules may be removed.

IP List

A list of IPv4 addresses that the rule will match, entered one per line. CIDR ranges are supported on the NEW connection chain, but should be avoided where possible.

TCP

Conditions that match on TCP options, e.g. MSS.

Rate Limit

Match if the rate exceeds, or is under, a given limit. The rate can be counted on total rule hits, or on a hash of Source IP, Source Port and/or Destination Port.

Region

Restrict the created rule to a single Region.

Match On

Whether the rule is evaluated on a new connection (recommended) or on every packet (required, for example, to match non-SYN TCP packets). Evaluating rules per connection is recommended for low importance / priority rules.

Target Options

The following targets (the action performed on a match) are currently supported.

DROP

DROP the packet: do not forward it to your backend, and perform no further action.

TCP VERIFY

Verify each TCP connection, protecting against spoofed connections. Must be applied as an "All Traffic" rule.

Hooks

Two match hooks are available to customers:

  • New Connection
  • All traffic (unavailable on Budget services)

BPF Cheatsheet

Expression                          Match
----------                          -----
tcp or udp                          TCP or UDP
tcp dst port 80                     TCP destination port 80 (HTTP)
udp port 53                         UDP with either src or dst port being 53 (DNS)
tcp[tcpflags]==(tcp-syn)            TCP SYN
tcp[tcpflags]==(tcp-syn|tcp-ack)    TCP SYN-ACK
src host 1.1.1.1                    incoming packet from 1.1.1.1
src net 1.1.1.0/24                  incoming packet from 1.1.1.0/24
tcp src portrange 0-1023            TCP privileged source ports, i.e. 0-1023
udp[8:4]==0x53414D50 and (udp[18:1]==0x70 or udp[18:1]==0x69 or udp[18:1]==0x63)
                                    Specific UDP packet
gt 1000                             IP packet length > 1000 bytes
less 1000                           IP packet length < 1000 bytes
ip[0] & 0xf != 5                    IP packets with options
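As an added example (not part of the provider's documentation), the script below evaluates the same conditions as several cheatsheet rows on constructed IPv4 packets, making explicit which header bytes the offset-based expressions inspect (the TCP flags byte at tcp[13], the IHL nibble at ip[0], and UDP payload bytes at udp[8:4] and udp[18:1]). The packet builders, function names and sample payload are assumptions for the demonstration.

```python
"""Byte-level view of the cheatsheet's offset expressions (added example)."""
import struct


def build_ipv4(proto, payload, options=b""):
    # Constructed sample packet: IHL grows with options, checksum left at 0.
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64,
                      proto, 0, bytes([1, 1, 1, 1]), bytes([10, 0, 0, 1]))
    return hdr + options + payload


def tcp_segment(flags, sport=40000, dport=80):
    # 20-byte TCP header; the flags byte lands at offset 13 (tcp[tcpflags]).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)


def udp_datagram(payload, sport=40000, dport=7777):
    # 8-byte UDP header, so udp[8:4] is the first four payload bytes.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l4(pkt):
    # libpcap indexes tcp[...] / udp[...] from the start of the L4 header,
    # which sits after IHL*4 bytes of IPv4 header (options included).
    return pkt[(pkt[0] & 0xF) * 4:]


def ip_has_options(pkt):            # ip[0] & 0xf != 5
    return (pkt[0] & 0xF) != 5


def is_tcp_syn(pkt):                # tcp[tcpflags]==(tcp-syn): only SYN set
    return pkt[9] == 6 and l4(pkt)[13] == 0x02


def is_tcp_synack(pkt):             # tcp[tcpflags]==(tcp-syn|tcp-ack)
    return pkt[9] == 6 and l4(pkt)[13] == 0x12


def is_specific_udp(pkt):           # udp[8:4]==0x53414D50 ("SAMP" in ASCII)
    u = l4(pkt)                     # and udp[18:1] in {0x70, 0x69, 0x63}
    return (pkt[9] == 17 and len(u) >= 19 and u[8:12] == b"SAMP"
            and u[18] in (0x70, 0x69, 0x63))


# Constructed sample packets used by the checks above.
SYN = build_ipv4(6, tcp_segment(0x02))
SYNACK = build_ipv4(6, tcp_segment(0x12))
SYN_WITH_OPTS = build_ipv4(6, tcp_segment(0x02), options=b"\x01" * 4)  # NOPs
UDP_SAMPLE = build_ipv4(17, udp_datagram(b"SAMP" + bytes(4) + b"\x1e\x61" + b"i"))
```

The SYN_WITH_OPTS packet shows why l4() must honour the IHL nibble: a fixed offset of 20 would read the wrong byte as the TCP flags once IP options are present.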