Forming an expression

Rules are written as using the Cloudflare Firewall Rules language - a DSL intended to mimic Wireshark semantics. See the documentation for more details: https://developers.cloudflare.com/firewall/cf-firewall-languageOpen external link

To start with a simple case, here's how you'd match a source IP:

ip.src == 192.0.2.0

Expressions can be more complex by joining multiple clauses via a logical operator:

ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset)

Restrictions

Wirefilter comparisons support CIDR notation, but only inside sets. For example:

ip.src == 192.0.2.0/24  # badip.src in { 192.0.2.0/24 }  # good

Expressions have a complexity limit. It is most easily reached when there are many joined or nested clauses in the expression. Here's an example:

(tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017)

If the limit is reached, the response will have a 400 status code and an error message of "ruleset exceeds complexity constraints". Split the expression into multiple rules and try again.