# reject with icmp host-unreachable [ { "reject": { "expr": "host-unreachable", "type": "icmp" } } ] # reject with icmp net-unreachable [ { "reject": { "expr": "net-unreachable", "type": "icmp" } } ] # reject with icmp prot-unreachable [ { "reject": { "expr": "prot-unreachable", "type": "icmp" } } ] # reject with icmp port-unreachable [ { "reject": { "expr": "port-unreachable", "type": "icmp" } } ] # reject with icmp net-prohibited [ { "reject": { "expr": "net-prohibited", "type": "icmp" } } ] # reject with icmp host-prohibited [ { "reject": { "expr": "host-prohibited", "type": "icmp" } } ] # reject with icmp admin-prohibited [ { "reject": { "expr": "admin-prohibited", "type": "icmp" } } ] # reject with icmpv6 no-route [ { "reject": { "expr": "no-route", "type": "icmpv6" } } ] # reject with icmpv6 admin-prohibited [ { "reject": { "expr": "admin-prohibited", "type": "icmpv6" } } ] # reject with icmpv6 addr-unreachable [ { "reject": { "expr": "addr-unreachable", "type": "icmpv6" } } ] # reject with icmpv6 port-unreachable [ { "reject": { "expr": "port-unreachable", "type": "icmpv6" } } ] # mark 12345 reject with tcp reset [ { "match": { "left": { "meta": { "key": "mark" } }, "op": "==", "right": 12345 } }, { "reject": { "type": "tcp reset" } } ] # reject [ { "reject": null } ] # meta nfproto ipv4 reject [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "reject": null } ] # meta nfproto ipv6 reject [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "reject": null } ] # reject with icmpx host-unreachable [ { "reject": { "expr": "host-unreachable", "type": "icmpx" } } ] # reject with icmpx no-route [ { "reject": { "expr": "no-route", "type": "icmpx" } } ] # reject with icmpx admin-prohibited [ { "reject": { "expr": "admin-prohibited", "type": "icmpx" } } ] # reject with icmpx port-unreachable [ { "reject": { "expr": "port-unreachable", "type": "icmpx" } } ] # reject with icmpx 3 [ { "reject": { "expr": "admin-prohibited", "type": "icmpx" } } ] # meta nfproto ipv4 reject with icmp host-unreachable [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "reject": { "expr": "host-unreachable", "type": "icmp" } } ] # meta nfproto ipv6 reject with icmpv6 no-route [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "reject": { "expr": "no-route", "type": "icmpv6" } } ] # meta nfproto ipv4 reject with icmpx admin-prohibited [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "reject": { "expr": "admin-prohibited", "type": "icmpx" } } ] # meta nfproto ipv6 reject with icmpx admin-prohibited [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "reject": { "expr": "admin-prohibited", "type": "icmpx" } } ] # ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject [ { "match": { "left": { "payload": { "field": "saddr", "protocol": "ether" } }, "op": "==", "right": "aa:bb:cc:dd:ee:ff" } }, { "match": { "left": { "payload": { "field": "daddr", "protocol": "ip" } }, "op": "==", "right": "192.168.0.1" } }, { "reject": { "expr": "port-unreachable", "type": "icmp" } } ]