IP packets match IP filters based on a number of selection criteria. There are five primary pieces of information that are gathered from the IP packet, commonly referred to as a 5-tuple:
An IP packet can be filtered based on the source address located in the IP header of the packet.
An IP packet can be filtered based on the destination address located in the IP header of the packet. For IPv6 packets that contain a type 0 or type 2 routing header, the stack performs IP filtering using the final destination address of the packet based on the routing header contents, not on the destination address in the IP header.
An IP packet can be filtered based on the protocol in the IP header of the packet.
If the protocol in an IP packet is TCP or UDP, the packet can be filtered based on the source port in the TCP/UDP header of the data portion of the packet.
If the protocol in an IP packet is TCP or UDP, the packet can be filtered based on the destination port in the TCP/UDP header of the data portion of the packet.