# reject with icmp type host-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "host-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type net-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "net-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type prot-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "prot-unreachable",
"type": "icmp"
}
}
]
# reject with icmp type port-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": null
}
]
# reject with icmp type net-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "net-prohibited",
"type": "icmp"
}
}
]
# reject with icmp type host-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "host-prohibited",
"type": "icmp"
}
}
]
# reject with icmp type admin-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmp"
}
}
]
# reject with icmpv6 type no-route
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "no-route",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type admin-prohibited
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type addr-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "addr-unreachable",
"type": "icmpv6"
}
}
]
# reject with icmpv6 type port-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": null
}
]
# mark 12345 reject with tcp reset
[
{
"match": {
"left": {
"meta": { "key": "l4proto" }
},
"op": "==",
"right": 6
}
},
{
"match": {
"left": {
"meta": { "key": "mark" }
},
"op": "==",
"right": 12345
}
},
{
"reject": {
"type": "tcp reset"
}
}
]
# reject with icmpx type port-unreachable
[
{
"reject": null
}
]