# reject with icmp type host-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "host-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type net-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "net-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type prot-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "prot-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type port-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": null
}
]
# reject with icmp type net-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "net-prohibited",
"type": "icmp"
}
}
]
# reject with icmp type host-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "host-prohibited",
"type": "icmp"
}
}
]
# reject with icmp type admin-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmp"
}
}
]
# reject with icmpv6 type no-route
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "no-route",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type admin-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type addr-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "addr-unreachable",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type port-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": null
}
]
# mark 12345 reject with tcp reset
[
{
"match": {
"left": {
"meta": { "key": "l4proto" }
},
"op": "==",
"right": 6
}
},
{
"match": {
"left": {
"meta": { "key": "mark" }
},
"op": "==",
"right": 12345
}
},
{
"reject": {
"type": "tcp reset"
}
}
]
# reject with icmpx type port-unreachable
[
{
"reject": null
}
]