Skip to content
Firewall
Visit Firewall on GitHub
Set theme to dark (⇧+D)

Operators & grouping symbols

The Cloudflare Firewall Rules language supports comparison and logical operators:

  • Comparison operators specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
  • Logical operators combine two expressions to form a compound expression and use order of precedence to determine how an evaluation is evaluated.

Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.

Comparison operators

Comparison operators return true when a value from an HTTP request matches a value defined in an expression.

This is the general pattern for using comparison operators:

<field> <comparison operator> <value>

The Cloudflare Firewall Rules language supports these comparison operators:

NameOperator NotationSupported Data Types
EnglishC-likeStringIPNumberExample (operator in bold)
Equaleq==http.request.uri.path eq "/articles/2008/"
Not equalne!=ip.src ne 93.184.216.0
Less thanlt<cf.threat_score lt 10
Less than
or equal
le<=cf.threat_score le 20
Greater thangt>cf.threat_score gt 25
Greater than
or equal
ge>=cf.threat_score ge 60
Exactly
contains
containshttp.request.uri.path contains "/articles/"
Matches
RE2 regex
matches~http.request.uri.path matches "^/articles/200[7-8]/$"
Value is in
a set of values
inip.src in { 93.184.216.0 93.184.216.1 }

Logical operators

Logical operators combine two or more expressions into a single compound expression. A compound expression has this general syntax:

<expression> <logical operator> <expression>

Supported logical operators

Each logical operator has an order of precedence. The order of precedence (along with grouping symbols) determines the order in which Cloudflare evaluates logical operators in an expression. The not operator ranks first in order of precedence.

NameEnglish
Notation
C-like
Notation
ExampleOrder of Precedence
Logical NOTnot!not ( http.host eq "www.cloudflare.com" and ip.src in 93.184.216.0/24 )1
Logical ANDand&&http.host eq "www.cloudflare.com" and ip.src in 93.184.216.0/242
Logical XOR
(exclusive OR)
xor^^http.host eq "www.cloudflare.com" xor ip.src in 93.184.216.0/243
Logical ORor||http.host eq "www.cloudflare.com" or ip.src in 93.184.216.0/244

Order of precedence

When writing compound expressions, it is important to be aware of the precedence of logical operators so that your expression is evaluated the way you expect.

For example, consider the following generic expression, which uses and and or operators:

Expression1 and Expression2 or Expression3

If these operators had no order of precedence, it would not be clear which of two interpretations is correct:

  1. Match when Expression 1 and Expression 2 are both true or when Expression 3 is true.
  2. Match when Expression 1 is true and either Expression 2 or Expression 3 is true.

Since the logical and operator has precedence over logical or, the and operator must be evaluated first. Interpretation 1 is correct.

Grouping symbols

The Firewall Rules language supports parentheses ((,)) as grouping symbols. Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.

Group expressions

Use parentheses to explicitly group expressions that should be evaluated together. In this example, the parentheses do not alter the evaluation of the expression, but they unambiguously call out which logical operators to evaluate first.

(Expression1 and Expression2) or Expression3

Because grouping symbols are so explicit, you are less likely to make errors when you use them to write compound expressions.

Enforce precedence

Grouping symbols are a powerful tool to enforce precedence for grouped elements of a compound expression. In this example, parentheses force the logical or operator to be evaluated before the logical and:

Expression1 and (Expression2 or Expression3)

Without parentheses, the logical and operator would take precedence.

Nest expressions

You can nest expressions grouped by parentheses inside other groups to create very precise, sophisticated expressions, such as this example for a rule designed to block access to a domain:

( (http.host eq "api.example.com" and http.request.uri.path eq "/api/v2/auth") or (http.host matches "^(www|store|blog)\.example.com" and http.request.uri.path contains "wp-login.php") or ip.geoip.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.geoip.asnum in {12345 54321 11111}) and not ip.src in {11.22.33.0/24}

Note that when evaluating the precedence of logical operators, parentheses inside strings delimited by quotes are ignored, such as those in the following regular expression, drawn from the example above:

"^(www|store|blog)\.example\.com"