Struct aws_sdk_networkfirewall::types::FirewallPolicy
source · #[non_exhaustive]pub struct FirewallPolicy {
pub stateless_rule_group_references: Option<Vec<StatelessRuleGroupReference>>,
pub stateless_default_actions: Vec<String>,
pub stateless_fragment_default_actions: Vec<String>,
pub stateless_custom_actions: Option<Vec<CustomAction>>,
pub stateful_rule_group_references: Option<Vec<StatefulRuleGroupReference>>,
pub stateful_default_actions: Option<Vec<String>>,
pub stateful_engine_options: Option<StatefulEngineOptions>,
pub tls_inspection_configuration_arn: Option<String>,
pub policy_variables: Option<PolicyVariables>,
}
Expand description
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse
, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy
.
Fields (Non-exhaustive)§
This struct is marked as non-exhaustive
Struct { .. }
syntax; cannot be matched against without a wildcard ..
; and struct update syntax will not work.stateless_rule_group_references: Option<Vec<StatelessRuleGroupReference>>
References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
stateless_default_actions: Vec<String>
The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or aws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify ["aws:pass", “customActionName”]
. For information about compatibility, see the custom action descriptions under CustomAction
.
stateless_fragment_default_actions: Vec<String>
The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or aws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify ["aws:pass", “customActionName”]
. For information about compatibility, see the custom action descriptions under CustomAction
.
stateless_custom_actions: Option<Vec<CustomAction>>
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
stateful_rule_group_references: Option<Vec<StatefulRuleGroupReference>>
References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
stateful_default_actions: Option<Vec<String>>
The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
-
aws:drop_strict
-
aws:drop_established
-
aws:alert_strict
-
aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
stateful_engine_options: Option<StatefulEngineOptions>
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
tls_inspection_configuration_arn: Option<String>
The Amazon Resource Name (ARN) of the TLS inspection configuration.
policy_variables: Option<PolicyVariables>
Contains variables that you can use to override default Suricata settings in your firewall policy.
Implementations§
source§impl FirewallPolicy
impl FirewallPolicy
sourcepub fn stateless_rule_group_references(&self) -> &[StatelessRuleGroupReference]
pub fn stateless_rule_group_references(&self) -> &[StatelessRuleGroupReference]
References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateless_rule_group_references.is_none()
.
sourcepub fn stateless_default_actions(&self) -> &[String]
pub fn stateless_default_actions(&self) -> &[String]
The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or aws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify ["aws:pass", “customActionName”]
. For information about compatibility, see the custom action descriptions under CustomAction
.
sourcepub fn stateless_fragment_default_actions(&self) -> &[String]
pub fn stateless_fragment_default_actions(&self) -> &[String]
The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
, aws:drop
, or aws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"]
or you could specify ["aws:pass", “customActionName”]
. For information about compatibility, see the custom action descriptions under CustomAction
.
sourcepub fn stateless_custom_actions(&self) -> &[CustomAction]
pub fn stateless_custom_actions(&self) -> &[CustomAction]
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateless_custom_actions.is_none()
.
sourcepub fn stateful_rule_group_references(&self) -> &[StatefulRuleGroupReference]
pub fn stateful_rule_group_references(&self) -> &[StatefulRuleGroupReference]
References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateful_rule_group_references.is_none()
.
sourcepub fn stateful_default_actions(&self) -> &[String]
pub fn stateful_default_actions(&self) -> &[String]
The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
-
aws:drop_strict
-
aws:drop_established
-
aws:alert_strict
-
aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateful_default_actions.is_none()
.
sourcepub fn stateful_engine_options(&self) -> Option<&StatefulEngineOptions>
pub fn stateful_engine_options(&self) -> Option<&StatefulEngineOptions>
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
sourcepub fn tls_inspection_configuration_arn(&self) -> Option<&str>
pub fn tls_inspection_configuration_arn(&self) -> Option<&str>
The Amazon Resource Name (ARN) of the TLS inspection configuration.
sourcepub fn policy_variables(&self) -> Option<&PolicyVariables>
pub fn policy_variables(&self) -> Option<&PolicyVariables>
Contains variables that you can use to override default Suricata settings in your firewall policy.
source§impl FirewallPolicy
impl FirewallPolicy
sourcepub fn builder() -> FirewallPolicyBuilder
pub fn builder() -> FirewallPolicyBuilder
Creates a new builder-style object to manufacture FirewallPolicy
.
Trait Implementations§
source§impl Clone for FirewallPolicy
impl Clone for FirewallPolicy
source§fn clone(&self) -> FirewallPolicy
fn clone(&self) -> FirewallPolicy
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read moresource§impl Debug for FirewallPolicy
impl Debug for FirewallPolicy
source§impl PartialEq for FirewallPolicy
impl PartialEq for FirewallPolicy
source§fn eq(&self, other: &FirewallPolicy) -> bool
fn eq(&self, other: &FirewallPolicy) -> bool
self
and other
values to be equal, and is used
by ==
.impl StructuralPartialEq for FirewallPolicy
Auto Trait Implementations§
impl Freeze for FirewallPolicy
impl RefUnwindSafe for FirewallPolicy
impl Send for FirewallPolicy
impl Sync for FirewallPolicy
impl Unpin for FirewallPolicy
impl UnwindSafe for FirewallPolicy
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> Instrument for T
impl<T> Instrument for T
source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
source§impl<T> IntoEither for T
impl<T> IntoEither for T
source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left
is true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read moresource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left(&self)
returns true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read more