| # | IP Field | Normalization Performed |
| 1 | Version | Non-IPv4 packets dropped. |
| 2 | Header Len | Drop if hdr_len too small. |
| 3 | Header Len | Drop if hdr_len too large. |
| 4 | Diffserv | Clear field. |
| 5 | ECT | Clear field. |
| 6 | Total Len | Drop if tot_len > link layer len. |
| 7 | Total Len | Trim if tot_len < link layer len. |
| 8 | IP Identifier | Encrypt ID. |
| 9 | Protocol | Enforce specific protocols. |
| - | Protocol | Pass packet to TCP,UDP,ICMP handlers. |
| 10 | Frag offset | Reassemble fragmented packets. |
| 11 | Frag offset | Drop if offset + len > 64KB. |
| 12 | DF | Clear DF. |
| 13 | DF | Drop if DF set and offset > 0. |
| 14 | Zero flag | Clear. |
| 15 | Src addr | Drop if class D or E. |
| 16 | Src addr | Drop if MSByte=127 or 0. |
| 17 | Src addr | Drop if 255.255.255.255. |
| 18 | Dst addr | Drop if class E. |
| 19 | Dst addr | Drop if MSByte=127 or 0. |
| 20 | Dst addr | Drop if 255.255.255.255. |
| 21 | TTL | Raise TTL to configured value. |
| 22 | Checksum | Verify, drop if incorrect. |
| 23 | IP options | Remove IP options. |
| 24 | IP options | Zero padding bytes. |
Indicates normalizations planned, but either not yet
implemented or not yet tested at the time of writing.
Note that most normalizations are optional, according to local site policy.