diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index d656bad33..7fa66224f 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -249,10 +249,8 @@ static json _renderRule(ZT_VirtualNetworkRule &rule)
 		case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
 			r["type"] = "MATCH_CHARACTERISTICS";
 			r["not"] = ((rule.t & 0x80) != 0);
-			Utils::snprintf(tmp,sizeof(tmp),"%.16llx",rule.v.characteristics[0]);
+			Utils::snprintf(tmp,sizeof(tmp),"%.16llx",rule.v.characteristics);
 			r["mask"] = tmp;
-			Utils::snprintf(tmp,sizeof(tmp),"%.16llx",rule.v.characteristics[1]);
-			r["value"] = tmp;
 			break;
 		case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
 			r["type"] = "MATCH_FRAME_SIZE_RANGE";
@@ -423,21 +421,12 @@ static bool _parseRule(json &r,ZT_VirtualNetworkRule &rule)
 	} else if (t == "MATCH_CHARACTERISTICS") {
 		rule.t |= ZT_NETWORK_RULE_MATCH_CHARACTERISTICS;
 		if (r.count("mask")) {
-			auto v = r["mask"];
+			json &v = r["mask"];
 			if (v.is_number()) {
-				rule.v.characteristics[0] = v;
+				rule.v.characteristics = v;
 			} else {
 				std::string tmp = v;
-				rule.v.characteristics[0] = Utils::hexStrToU64(tmp.c_str());
-			}
-		}
-		if (r.count("value")) {
-			auto v = r["value"];
-			if (v.is_number()) {
-				rule.v.characteristics[1] = v;
-			} else {
-				std::string tmp = v;
-				rule.v.characteristics[1] = Utils::hexStrToU64(tmp.c_str());
+				rule.v.characteristics = Utils::hexStrToU64(tmp.c_str());
 			}
 		}
 		return true;
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index ee03c3b18..e231ae62d 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -713,7 +713,7 @@ typedef struct
 		/**
 		 * Packet characteristic flags being matched
 		 */
-		uint64_t characteristics[2];
+		uint64_t characteristics;
 
 		/**
 		 * IP port range -- start-end inclusive -- host byte order
diff --git a/node/Capability.hpp b/node/Capability.hpp
index e808ad40f..f757639dd 100644
--- a/node/Capability.hpp
+++ b/node/Capability.hpp
@@ -240,9 +240,8 @@ public:
 					b.append((uint16_t)rules[i].v.port[1]);
 					break;
 				case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
-					b.append((uint8_t)16);
-					b.append((uint64_t)rules[i].v.characteristics[0]);
-					b.append((uint64_t)rules[i].v.characteristics[1]);
+					b.append((uint8_t)8);
+					b.append((uint64_t)rules[i].v.characteristics);
 					break;
 				case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
 					b.append((uint8_t)4);
@@ -328,8 +327,7 @@ public:
 					rules[ruleCount].v.port[1] = b.template at<uint16_t>(p + 2);
 					break;
 				case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
-					rules[ruleCount].v.characteristics[0] = b.template at<uint64_t>(p);
-					rules[ruleCount].v.characteristics[1] = b.template at<uint64_t>(p + 8);
+					rules[ruleCount].v.characteristics = b.template at<uint64_t>(p);
 					break;
 				case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
 					rules[ruleCount].v.frameSize[0] = b.template at<uint16_t>(p);
diff --git a/node/Network.cpp b/node/Network.cpp
index fe899dccc..8b9f6e3db 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -497,7 +497,7 @@ static _doZtFilterResult _doZtFilter(
 						}
 					}
 				}
-				thisRuleMatches = (uint8_t)((cf & rules[rn].v.characteristics[0]) == rules[rn].v.characteristics[1]);
+				thisRuleMatches = (uint8_t)((cf | rules[rn].v.characteristics) != 0);
 				FILTER_TRACE("%u %s %c (%.16llx & %.16llx)==%.16llx -> %u",rn,_rtn(rt),(((rules[rn].t & 0x80) != 0) ? '!' : '='),cf,rules[rn].v.characteristics[0],rules[rn].v.characteristics[1],(unsigned int)thisRuleMatches);
 			}	break;
 			case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE: