TcpFlowProtectionFilter

Source: src/Cloudflare/DdosProtection/TcpFlowProtectionFilter.ts

An Advanced TCP Protection TCP Flow Protection filter (Magic Transit).

Filters gate which traffic the TCP Flow Protection rules see, per mode: an enabled filter scopes mitigation, a monitoring filter scopes observe-only analysis, and a disabled filter excludes traffic. Both expression and mode are mutable in place.

Requires the Magic Transit / Advanced TCP Protection entitlement; on accounts without it every API call fails with the typed AdvancedTcpProtectionNotEntitled error.

Safety: filters carry no ownership markers. When there is no prior state, read scans for an existing filter with the same expression and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.
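
The adoption check described above, modeled as an added TypeScript example (not the project's own code). The types, function names and sample filter id are hypothetical, and treating a recorded filter that is missing remotely as a fresh create is an assumption.

```typescript
// Simplified model of the ownership check; every name here is hypothetical
// and none of it is the project's API.
type Mode = "enabled" | "monitoring" | "disabled";
interface RemoteFilter { id: string; expression: string; mode: Mode }
interface PriorState { filterId: string }
type ReadResult =
  | { kind: "owned"; filter: RemoteFilter }
  | { kind: "unowned"; filter: RemoteFilter }
  | { kind: "absent" };
type Plan = "create" | "update" | "adopt" | "refuse";

// With prior state, the filter is looked up by its recorded id. Without it,
// the only signal available is an identical expression, and because filters
// carry no ownership marker such a match can only be reported as unowned.
function readFilter(
  remote: RemoteFilter[],
  prior: PriorState | undefined,
  expression: string,
): ReadResult {
  if (prior) {
    const own = remote.find((f) => f.id === prior.filterId);
    return own ? { kind: "owned", filter: own } : { kind: "absent" };
  }
  const match = remote.find((f) => f.expression === expression);
  return match ? { kind: "unowned", filter: match } : { kind: "absent" };
}

// Decide what a deploy does with the read result. An unowned match is
// refused unless adoption was requested explicitly.
function planFilter(read: ReadResult, adopt: boolean): Plan {
  if (read.kind === "absent") return "create";
  if (read.kind === "owned") return "update"; // expression and mode change in place
  return adopt ? "adopt" : "refuse";
}

// Constructed sample: a filter that was created outside this stack.
const remote: RemoteFilter[] = [
  { id: "flt-constructed-1", expression: "tcp.dstport in {443}", mode: "monitoring" },
];

const withoutAdopt = planFilter(readFilter(remote, undefined, "tcp.dstport in {443}"), false);
const withAdopt = planFilter(readFilter(remote, undefined, "tcp.dstport in {443}"), true);
console.log(withoutAdopt, withAdopt);
```

The refusal matters because the existing filter's mode may differ from the declared one, so a silent takeover could change which traffic is mitigated, observed or excluded.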

Scope flow mitigation to HTTPS traffic

const filter = yield* Cloudflare.TcpFlowProtectionFilter("HttpsOnly", {
  expression: "tcp.dstport in {443}",
  mode: "enabled",
});

Exclude a trusted source port

yield* Cloudflare.TcpFlowProtectionFilter("SkipBgp", {
  expression: "tcp.srcport in {179}",
  mode: "disabled",
});