Invention Grant
- Patent Title: Supporting access control list rules that apply to TCP segments belonging to ‘established’ connection
- Application No.: US15820084
- Application Date: 2017-11-21
- Publication No.: US10541921B2
- Publication Date: 2020-01-21
- Inventor: Claude Basso, Joseph A. Kirscht, Natarajan Vaidhyanathan
- Applicant: International Business Machines Corporation
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: Patterson + Sheridan, LLP
- Main IPC: H04L12/743
- IPC: H04L12/743; H04L12/26; H04L12/801; H04L12/46; H04L29/06

Abstract:
Embodiments provide a TCAM-based access control list that supports disjunction operations in rules. A network frame is received. Embodiments determine set TCP flags of the network frame. Upon determining that the set TCP flags match a first entry in a numeric range table, bits of a search key corresponding to the first entry are updated. The search key accesses a second entry stored in a TCAM. The first entry further comprises an encode field to scan a TCP header of the network frame for set TCP flags, a first mask field to a condition corresponding to unset TCP flags to identify in the network frame, a second mask field to a condition corresponding to set TCP flags to identify in the network frame, and an operation field specifying a disjunction operation for comparing the set TCP flags with the first mask field and the second mask field.
Public/Granted literature
- US20180097730A1 SUPPORTING ACCESS CONTROL LIST RULES THAT APPLY TO TCP SEGMENTS BELONGING TO 'ESTABLISHED' CONNECTION, Public/Granted day: 2018-04-05