Forming an expression

Rules are written using the Cloudflare Firewall Rules language, a DSL intended to mimic Wireshark semantics. See the documentation for more details: https://developers.cloudflare.com/firewall/cf-firewall-language

To start with a simple case, here's how you'd match a source IP:

ip.src == 192.0.2.0

Expressions can be made more complex by joining multiple clauses with a logical operator:

ip.src == 192.0.2.1 && (tcp.flags.push || tcp.flags.reset)

Capabilities

You can use Magic Firewall to skip or block packets based on source or destination IP, source or destination port, protocol, packet length, or bit field match.

Restrictions

Wirefilter comparisons support CIDR notation, but only inside sets. For example:

ip.src == 192.0.2.0/24  # bad
ip.src in { 192.0.2.0/24 }  # good
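
A pre-submit check for the CIDR restriction above, written as an added example and not taken from Cloudflare's code: it finds CIDR ranges compared with == or != outside a set and rewrites the == case to the set form. The function names and the regular expression are assumptions made for illustration; the sample expression is constructed from the fields shown on this page.

```python
import ipaddress
import re

# Field name, == or !=, then an IPv4/IPv6 address carrying a /prefix.
# A CIDR already inside a set has no comparison operator in front of it,
# so it never matches this pattern.
_CIDR_CMP = re.compile(
    r"(?P<field>[a-z][a-z0-9_.]*)\s*(?P<op>==|!=)\s*"
    r"(?P<net>[0-9A-Fa-f:.]+/\d{1,3})"
)


def _is_network(text):
    """True when text parses as an IPv4 or IPv6 network."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def find_bare_cidr(expr):
    """Return (field, operator, cidr) for each CIDR compared outside a set."""
    return [
        (m["field"], m["op"], m["net"])
        for m in _CIDR_CMP.finditer(expr)
        if _is_network(m["net"])
    ]


def rewrite_bare_cidr(expr):
    """Rewrite `field == cidr` as `field in { cidr }`.

    `!=` comparisons are left untouched so they can be reviewed by hand.
    """
    def fix(m):
        if m["op"] == "==" and _is_network(m["net"]):
            return f'{m["field"]} in {{ {m["net"]} }}'
        return m.group(0)

    return _CIDR_CMP.sub(fix, expr)


if __name__ == "__main__":
    # Constructed sample combining the page's two example expressions.
    sample = "ip.src == 192.0.2.0/24 && (tcp.flags.push || tcp.flags.reset)"
    print(find_bare_cidr(sample))
    print(rewrite_bare_cidr(sample))
```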

Expressions have a complexity limit. It is most easily reached when there are many joined or nested clauses in the expression. Here's an example:

(tcp.dstport == 1000 || tcp.dstport == 1001) && (tcp.dstport == 1002 || tcp.dstport == 1003) && (tcp.dstport == 1004 || tcp.dstport == 1005) && (tcp.dstport == 1006 || tcp.dstport == 1007) && (tcp.dstport == 1008 || tcp.dstport == 1009) && (tcp.dstport == 1010 || tcp.dstport == 1011) && (tcp.dstport == 1012 || tcp.dstport == 1013) && (tcp.dstport == 1014 || tcp.dstport == 1015) && (tcp.dstport == 1016 || tcp.dstport == 1017)

If the limit is reached, the response will have a 400 status code and an error message of "ruleset exceeds complexity constraints". Split the expression into multiple rules and try again.