Class: Aws::NetworkFirewall::Types::RuleDefinition

Inherits:
Struct
  • Object
show all
Defined in:
gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb

Overview

Note:

When making an API call, you may pass RuleDefinition data as a hash:

{
  match_attributes: { # required
    sources: [
      {
        address_definition: "AddressDefinition", # required
      },
    ],
    destinations: [
      {
        address_definition: "AddressDefinition", # required
      },
    ],
    source_ports: [
      {
        from_port: 1, # required
        to_port: 1, # required
      },
    ],
    destination_ports: [
      {
        from_port: 1, # required
        to_port: 1, # required
      },
    ],
    protocols: [1],
    tcp_flags: [
      {
        flags: ["FIN"], # required, accepts FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
        masks: ["FIN"], # accepts FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
      },
    ],
  },
  actions: ["CollectionMember_String"], # required
}

The inspection criteria and action for a single stateless rule. AWS Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.

Constant Summary collapse

SENSITIVE =
[]

Instance Attribute Summary collapse

Instance Attribute Details

#actionsArray<String>

The actions to take on a packet that matches one of the stateless rule definition's match attributes. You must specify a standard action and you can add custom actions.

Network Firewall only forwards a packet for stateful rule inspection if you specify aws:forward_to_sfe for a rule that the packet matches, or if the packet doesn't match any stateless rule and you specify aws:forward_to_sfe for the StatelessDefaultActions setting for the FirewallPolicy.

For every rule, you must specify exactly one of the following standard actions.

  • aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.

  • aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.

  • aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.

Additionally, you can specify a custom action. To do this, you define a custom action by name and type, then provide the name you've assigned to the action in this Actions setting. For information about the options, see CustomAction.

To provide more than one action in this setting, separate the settings with a comma. For example, if you have a custom PublishMetrics action that you've named MyMetricsAction, then you could specify the standard action aws:pass and the custom action with [“aws:pass”, “MyMetricsAction”].

Returns:

  • (Array<String>)


2840
2841
2842
2843
2844
2845
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 2840

class RuleDefinition < Struct.new(
  :match_attributes,
  :actions)
  SENSITIVE = []
  include Aws::Structure
end

#match_attributesTypes::MatchAttributes

Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.



2840
2841
2842
2843
2844
2845
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 2840

class RuleDefinition < Struct.new(
  :match_attributes,
  :actions)
  SENSITIVE = []
  include Aws::Structure
end