The flow keyword is used in conjunction with session tracking (see Section
#session_section#5377>
This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running in the $HOME_NET.
The established keyword will replace the flags:+A used in many places to show established TCP connections.
| Option | Description | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| to_client | Trigger on server responses from A to B | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| to_server | Trigger on client requests from A to B | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| from_client | Trigger on client requests from A to B | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| from_server | Trigger on server responses from A to B | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| established | Trigger only on established TCP connections | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| not_established | Trigger only when no TCP connection is established | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| stateless | Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash) | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| no_stream | Do not trigger on rebuilt stream packets (useful for dsize and stream5) | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| only_stream | Only trigger on rebuilt stream packets | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| no_frag | Do not trigger on rebuilt frag packets | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
| only_frag | Only trigger on rebuilt frag packets | ;SPMnbsp; | ;SPMnbsp; | ;SPMnbsp; |
verbatim706#
verbatim707#