Syntax

Syntax of Filter of a Monitoring port

The monitoring port's filter syntax comprises of single or multiple rules for fast filter and for standard filter. The fast filter is intended to be used for very long lists of subnets, IP addresses, or intervals (for example, filter for abroad traffic). This filter is very fast and allows the monitoring port to process thousands of rules on the fly. Opposingly, the standard filter allows complex rules in small numbers.

If you want to apply negative logic to a fast filter, you can apply it globally on the whole filter by declaring "global fast not":

Negative fast filter

#allow all traffic except networks below
global fast not
fast addr 192.168.3.0/24
fast addr 192.168.4.0/24

You can use comments in filters. They are delimited with # character and end of line. You can use the not keyword to invert the whole rule only (not individual parts).

The monitoring port's filter is evaluated in the same way as firewalls do. Rules of fast and standard filters are processed in descending order and they can not overlap. The fast filter block must be first, followed by the standard filter block (both blocks are optional). If the packet passes through the fast filter it goes to the standard filter. The first matching rule stops the evaluation. The rule beginning with a keyword not is evaluated in the same manner as the firewall rule REJECT; rules without not are evaluated as the rule ACCEPT. If there is no matching rule for a packet, it is not processed. In the firewall logic, a default rule REJECT ALL is applied at the end of the list. This behavior can be changed by adding the keyword any on the end of the standard filter (this can not be used for the fast filter). If this keyword is present, all packets that do not match any rule will be processed. In the firewall logic, a default rule ACCEPT ALL is applied at the end of the list. The result of the whole filter is evaluated as a result of logical AND of fast filter and standard filter results. If the filter is empty or no filter is given to the monitoring port, then no filtering is done and the monitoring port process all packets.

Standard filter examples

src addr 192.168.1.1-192.168.1.255 proto tcp dst port 80}
# blocks packets from 192.168.3.0/24 net to 192.168.6.0/24 net
not src addr 192.168.3.0/24 dst addr 192.168.6.0/24 addr
192.168.2.0/24 proto udp port 1-1024
dst addr 192.168.3.1
not port 80
not dst addr 192.168.3.1 dst port 80 proto icmp
src addr 2001:718::/32 dst port 42
addr 0.0.0.0/0 ipproto ipv4
addr 147.251.0.0/16
dst addr 192.168.0.0-192.168.3.42
not ipproto ipv4 src addr
192.168.3.100-192.168.3.110 proto tcp vlan 64

Fast filter examples

#allow all from networks below
fast addr 192.168.3.0/24
fast addr 192.168.255.0/24
fast addr 192.168.253.0/24
fast addr 192.168.251.0/24
fast addr 192.168.249.0/24
fast addr 192.168.247.0/24
fast addr 192.168.245.0/24
fast addr 192.168.243.0/24
fast addr 192.168.241.0/24
fast addr 192.168.239.0/24
fast addr 192.168.237.0/24
fast addr 192.168.235.0/24
fast addr 192.168.233.0/24
#and process all packets except HTTP}
not proto tcp port 80
any
# process packets from IP 1.2.3.4 except port 80.
not addr 1.2.3.4 port 80
addr 1.2.3.4

Negative filter example

#allow all traffic except networks below
global fast not
fast addr 192.168.3.0/24
fast addr 192.168.4.0/24

Autonomous system list syntax

The autonomous system list is defined as a list of subnet prefixes. The syntax of this filter is as follows:

Autonomous system list syntax

<as_num>-<ip>/<prefix>
...

AS list example

15169-1.0.0.0/24
56203-1.0.4.0/22
2519-1.0.16.0/23
2519-1.0.18.0/23
2519-1.0.20.0/23
2519-1.0.22.0/23
2519-1.0.24.0/23
2519-1.0.26.0/23
2519-1.0.28.0/22
14282-2804:84::/32
28634-2804:128::/33
28634-2804:128::/32
28264-2804:130::/32