# reject with icmp host-unreachable
[
{
"reject": {
"expr": "host-unreachable",
"type": "icmp"
}
}
]
# reject with icmp net-unreachable
[
{
"reject": {
"expr": "net-unreachable",
"type": "icmp"
}
}
]
# reject with icmp prot-unreachable
[
{
"reject": {
"expr": "prot-unreachable",
"type": "icmp"
}
}
]
# reject with icmp port-unreachable
[
{
"reject": {
"expr": "port-unreachable",
"type": "icmp"
}
}
]
# reject with icmp net-prohibited
[
{
"reject": {
"expr": "net-prohibited",
"type": "icmp"
}
}
]
# reject with icmp host-prohibited
[
{
"reject": {
"expr": "host-prohibited",
"type": "icmp"
}
}
]
# reject with icmp admin-prohibited
[
{
"reject": {
"expr": "admin-prohibited",
"type": "icmp"
}
}
]
# reject with icmpv6 no-route
[
{
"reject": {
"expr": "no-route",
"type": "icmpv6"
}
}
]
# reject with icmpv6 admin-prohibited
[
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpv6"
}
}
]
# reject with icmpv6 addr-unreachable
[
{
"reject": {
"expr": "addr-unreachable",
"type": "icmpv6"
}
}
]
# reject with icmpv6 port-unreachable
[
{
"reject": {
"expr": "port-unreachable",
"type": "icmpv6"
}
}
]
# mark 12345 reject with tcp reset
[
{
"match": {
"left": {
"meta": { "key": "mark" }
},
"op": "==",
"right": 12345
}
},
{
"reject": {
"type": "tcp reset"
}
}
]
# reject
[
{
"reject": null
}
]
# meta nfproto ipv4 reject
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": null
}
]
# meta nfproto ipv6 reject
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": null
}
]
# reject with icmpx host-unreachable
[
{
"reject": {
"expr": "host-unreachable",
"type": "icmpx"
}
}
]
# reject with icmpx no-route
[
{
"reject": {
"expr": "no-route",
"type": "icmpx"
}
}
]
# reject with icmpx admin-prohibited
[
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpx"
}
}
]
# reject with icmpx port-unreachable
[
{
"reject": {
"expr": "port-unreachable",
"type": "icmpx"
}
}
]
# reject with icmpx 3
[
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpx"
}
}
]
# meta nfproto ipv4 reject with icmp host-unreachable
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "host-unreachable",
"type": "icmp"
}
}
]
# meta nfproto ipv6 reject with icmpv6 no-route
[
{
"match": {
"left": {
"meta": { "key": "nfproto" }
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "no-route",
"type": "icmpv6"
}
}
]
# meta nfproto ipv4 reject with icmpx admin-prohibited
[
{
"match": {
"left": {
"meta": {
"key": "nfproto"
}
},
"op": "==",
"right": "ipv4"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpx"
}
}
]
# meta nfproto ipv6 reject with icmpx admin-prohibited
[
{
"match": {
"left": {
"meta": {
"key": "nfproto"
}
},
"op": "==",
"right": "ipv6"
}
},
{
"reject": {
"expr": "admin-prohibited",
"type": "icmpx"
}
}
]
# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
[
{
"match": {
"left": {
"payload": {
"field": "saddr",
"protocol": "ether"
}
},
"op": "==",
"right": "aa:bb:cc:dd:ee:ff"
}
},
{
"match": {
"left": {
"payload": {
"field": "daddr",
"protocol": "ip"
}
},
"op": "==",
"right": "192.168.0.1"
}
},
{
"reject": {
"expr": "port-unreachable",
"type": "icmp"
}
}
]