| Keyword | Description |
| fragoffset |
The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. |
| ttl |
The ttl keyword is used to check the IP time-to-live value. |
| tos |
The tos keyword is used to check the IP TOS field for a specific value. |
| id |
The id keyword is used to check the IP ID field for a specific value. |
| ipopts |
The ipopts keyword is used to check if a specific IP option is present. |
| fragbits |
The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header. |
| dsize |
The dsize keyword is used to test the packet payload size. |
| flags |
The flags keyword is used to check if specific TCP flag bits are present. |
| flow |
The flow keyword allows rules to only apply to certain directions of the traffic flow. |
| flowbits |
The flowbits keyword allows rules to track states during a transport protocol session. |
| seq |
The seq keyword is used to check for a specific TCP sequence number. |
| ack |
The ack keyword is used to check for a specific TCP acknowledge number. |
| window |
The window keyword is used to check for a specific TCP window size. |
| itype |
The itype keyword is used to check for a specific ICMP type value. |
| icode |
The icode keyword is used to check for a specific ICMP code value. |
| icmp_id |
The icmp_id keyword is used to check for a specific ICMP ID value. |
| icmp_seq |
The icmp_seq keyword is used to check for a specific ICMP sequence value. |
| rpc |
The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests. |
| ip_proto |
The ip_proto keyword allows checks against the IP protocol header. |
| sameip |
The sameip keyword allows rules to check if the source ip is the same as the destination IP. |