Struct aws_sdk_networkfirewall::types::FirewallPolicy

#[non_exhaustive]
pub struct FirewallPolicy {
    pub stateless_rule_group_references: Option<Vec<StatelessRuleGroupReference>>,
    pub stateless_default_actions: Vec<String>,
    pub stateless_fragment_default_actions: Vec<String>,
    pub stateless_custom_actions: Option<Vec<CustomAction>>,
    pub stateful_rule_group_references: Option<Vec<StatefulRuleGroupReference>>,
    pub stateful_default_actions: Option<Vec<String>>,
    pub stateful_engine_options: Option<StatefulEngineOptions>,
    pub tls_inspection_configuration_arn: Option<String>,
    pub policy_variables: Option<PolicyVariables>,
}

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse, defines the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§stateless_rule_group_references: Option<Vec<StatelessRuleGroupReference>>

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

§stateless_default_actions: Vec<String>

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.

§stateless_fragment_default_actions: Vec<String>

The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.

§stateless_custom_actions: Option<Vec<CustomAction>>

The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.

§stateful_rule_group_references: Option<Vec<StatefulRuleGroupReference>>

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

§stateful_default_actions: Option<Vec<String>>

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

  • aws:drop_strict

  • aws:drop_established

  • aws:alert_strict

  • aws:alert_established

For more information, see Strict evaluation order in the Network Firewall Developer Guide.

§stateful_engine_options: Option<StatefulEngineOptions>

Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.

§tls_inspection_configuration_arn: Option<String>

The Amazon Resource Name (ARN) of the TLS inspection configuration.

§policy_variables: Option<PolicyVariables>

Contains variables that you can use to override default Suricata settings in your firewall policy.

Implementations§

impl FirewallPolicy

pub fn stateless_rule_group_references(&self) -> &[StatelessRuleGroupReference]

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateless_rule_group_references.is_none().

pub fn stateless_default_actions(&self) -> &[String]

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.

pub fn stateless_fragment_default_actions(&self) -> &[String]

The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.

pub fn stateless_custom_actions(&self) -> &[CustomAction]

The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateless_custom_actions.is_none().

pub fn stateful_rule_group_references(&self) -> &[StatefulRuleGroupReference]

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateful_rule_group_references.is_none().

pub fn stateful_default_actions(&self) -> &[String]

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

  • aws:drop_strict

  • aws:drop_established

  • aws:alert_strict

  • aws:alert_established

For more information, see Strict evaluation order in the Network Firewall Developer Guide.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .stateful_default_actions.is_none().
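
The rules documented for stateless_default_actions, stateless_fragment_default_actions and stateful_default_actions can be checked before a policy is deployed. The following is an added example, not code from the SDK: lint_stateless, lint_stateful, owned and the sample values are hypothetical, strict_order is assumed to be supplied by the caller, and "one of the standard actions" is read as exactly one.

```rust
// Added example, not SDK code. Inputs mirror the slices returned by the
// FirewallPolicy accessors; function names and the sample are hypothetical.
const STATELESS_STANDARD: [&str; 3] = ["aws:pass", "aws:drop", "aws:forward_to_sfe"];
const STATEFUL_DEFAULTS: [&str; 4] =
    ["aws:drop_strict", "aws:drop_established", "aws:alert_strict", "aws:alert_established"];

/// Lint one stateless default-action list (whole packets or UDP fragments).
/// `custom_names` holds the names defined in stateless_custom_actions.
fn lint_stateless(field: &str, actions: &[String], custom_names: &[String]) -> Vec<String> {
    let mut findings = Vec::new();
    let (standard, custom): (Vec<&String>, Vec<&String>) =
        actions.iter().partition(|a| STATELESS_STANDARD.contains(&a.as_str()));
    // Assumption: "one of the standard actions" is read as exactly one.
    if standard.len() != 1 {
        findings.push(format!("{}: expected one standard action, found {}", field, standard.len()));
    }
    for name in custom.into_iter().filter(|n| !custom_names.contains(*n)) {
        findings.push(format!("{}: custom action '{}' is not defined", field, name));
    }
    if standard.iter().any(|a| a.as_str() == "aws:pass") {
        findings.push(format!("{}: aws:pass skips stateful inspection for unmatched packets", field));
    }
    findings
}

/// Lint stateful_default_actions. `strict_order` is supplied by the caller
/// from the policy's stateful engine options (assumed input).
fn lint_stateful(actions: &[String], strict_order: bool) -> Vec<String> {
    let mut findings = Vec::new();
    if !actions.is_empty() && !strict_order {
        findings.push("stateful_default_actions: only valid with strict rule order".to_string());
    }
    for a in actions.iter().filter(|a| !STATEFUL_DEFAULTS.contains(&a.as_str())) {
        findings.push(format!("stateful_default_actions: '{}' is not a valid value", a));
    }
    if strict_order && !actions.iter().any(|a| a.starts_with("aws:drop_")) {
        findings.push("stateful_default_actions: strict order without a drop default".to_string());
    }
    findings
}

fn owned(v: &[&str]) -> Vec<String> { v.iter().map(|x| x.to_string()).collect() }

fn main() {
    // Constructed sample policy values.
    let mut all = lint_stateless("stateless_default_actions", &owned(&["aws:pass", "logMetric"]), &owned(&[]));
    all.extend(lint_stateful(&owned(&["aws:alert_strict"]), true));
    for f in all { println!("{}", f); }
}
```
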

pub fn stateful_engine_options(&self) -> Option<&StatefulEngineOptions>

Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.

pub fn tls_inspection_configuration_arn(&self) -> Option<&str>

The Amazon Resource Name (ARN) of the TLS inspection configuration.

pub fn policy_variables(&self) -> Option<&PolicyVariables>

Contains variables that you can use to override default Suricata settings in your firewall policy.

impl FirewallPolicy

pub fn builder() -> FirewallPolicyBuilder

Creates a new builder-style object to manufacture FirewallPolicy.

Trait Implementations§

impl Clone for FirewallPolicy

fn clone(&self) -> FirewallPolicy

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for FirewallPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for FirewallPolicy

fn eq(&self, other: &FirewallPolicy) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for FirewallPolicy

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.