To assemble primitives into filters, use match statements. flow-nfilter compares each flow against every match statement in a filter, and if a flow fits every match statement, the flow passes through. If the flow does not fit every match statement, the flow is removed from the data stream.

Many match types have names that are similar to their associated primitives. For example, the ip-protocol primitive has a corresponding ip-protocol match. Other primitives have no single matching condition. For example, the ip-port primitive can match either the ip-source-port primitive or the ip-destination-port primitive. If you use an incorrect match statement in your configuration, flow-nfilter exits with an error.

Filter definitions ...