Cloudflare Docs
Magic-Firewall
Cloudflare Docs
Magic Firewall
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Magic Firewall on GitHub
Set theme to dark (⇧+D)

Magic Firewall fields

Field NameDescription

cf.colo.name
String

The data center that is handling this traffic.
Example value: sfo06

cf.colo.region
String

Region of the data center that is handling this traffic.
Example value: WNAM

icmp
String

The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

icmp.type
Number

The ICMP type. Only applies to ICMP packets.
Example value: 8

icmp.code
Number

The ICMP code. Only applies to ICMP packets.
Example value: 2

ip
String

The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

ip.dst
IP Address

The destination address as specified in the IP packet.
Example value: 192.0.2.2

ip.geoip.country
String

Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format.
Example value: GB

For more information on the ISO 3166-1 Alpha 2 format, see ISO 3166-1 Alpha 2 on Wikipedia.

This field matches on both source and destination IP addresses.

ip.hdr_len
Number

The length of the IPv4 header in bytes.
Example value: 5

ip.len
Number

The length of the packet including the header.
Example value: 60

ip.opt.type
Number

The first byte of IP options field, if the options field is set.
Example value: 25

ip.proto
String

The transport layer for the packet, if it can be determined.
Example values: icmp, tcp

ip.src
IP Address

The source address of the IP Packet.

ip.ttl
Number

The time-to-live of the IP Packet.
Example values: 54

sip
Boolean

Determines if packets are valid L7 protocol SIP. Requires UDP packets to operate.
Use a guard clause as shown below to ensure the packet is UDP (wirefilter)
ip.proto == "udp"

tcp
String

The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

tcp.flags
Number

The numeric value of the TCP flags byte.

tcp.flags.ack
Boolean

TCP acknowledgment flag.

tcp.flags.cwr
Boolean

TCP congestion window reduced flag.

tcp.flags.ecn
Boolean

TCP ECN-Echo flag.

tcp.flags.fin
Boolean

TCP flag indicating this is the last packet from sender.

tcp.flags.push
Boolean

TCP push flag.

tcp.flags.reset
Boolean

TCP reset flag.

tcp.flags.syn
Boolean

TCP synchronize flag.

tcp.flags.urg
Boolean

TCP urgent flag.

tcp.srcport
Number

Source port number of the IP packet. Only applies to TCP packets.

tcp.dstport
Number

Destination port number of the IP packet. Only applies to TCP packets.

udp
String

The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

udp.dstport
Number

Destination port number of the IP packet. Only applies to UDP packets.

udp.srcport
Number

Source port number of the IP packet. Only applies to UDP packets.