class Aws::NetworkFirewall::Types::RuleDefinition

The inspection criteria and action for a single stateless rule. AWS Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.

@note When making an API call, you may pass RuleDefinition data as a hash:

    {
      match_attributes: { # required
        sources: [
          {
            address_definition: "AddressDefinition", # required
          },
        ],
        destinations: [
          {
            address_definition: "AddressDefinition", # required
          },
        ],
        source_ports: [
          {
            from_port: 1, # required
            to_port: 1, # required
          },
        ],
        destination_ports: [
          {
            from_port: 1, # required
            to_port: 1, # required
          },
        ],
        protocols: [1],
        tcp_flags: [
          {
            flags: ["FIN"], # required, accepts FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
            masks: ["FIN"], # accepts FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
          },
        ],
      },
      actions: ["CollectionMember_String"], # required
    }

@!attribute [rw] match_attributes

Criteria for Network Firewall to use to inspect an individual packet
in stateless rule inspection. Each match attributes set can include
one or more items such as IP address, CIDR range, port number,
protocol, and TCP flags.
@return [Types::MatchAttributes]

@!attribute [rw] actions

The actions to take on a packet that matches one of the stateless
rule definition's match attributes. You must specify a standard
action and you can add custom actions.

<note markdown="1"> Network Firewall only forwards a packet for stateful rule inspection
if you specify `aws:forward_to_sfe` for a rule that the packet
matches, or if the packet doesn't match any stateless rule and you
specify `aws:forward_to_sfe` for the `StatelessDefaultActions`
setting for the FirewallPolicy.

 </note>

For every rule, you must specify exactly one of the following
standard actions.

* **aws:pass** - Discontinues all inspection of the packet and
  permits it to go to its intended destination.

* **aws:drop** - Discontinues all inspection of the packet and
  blocks it from going to its intended destination.

* **aws:forward\_to\_sfe** - Discontinues stateless inspection of
  the packet and forwards it to the stateful rule engine for
  inspection.

Additionally, you can specify a custom action. To do this, you
define a custom action by name and type, then provide the name
you've assigned to the action in this `Actions` setting. For
information about the options, see CustomAction.

To provide more than one action in this setting, separate the
settings with a comma. For example, if you have a custom
`PublishMetrics` action that you've named `MyMetricsAction`, then
you could specify the standard action `aws:pass` and the custom
action with `["aws:pass", "MyMetricsAction"]`.
@return [Array<String>]
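
The constraints described above can be checked before the hash is sent to the API. The following is an added example, not part of the SDK or of this documentation: `lint_rule_definition`, its messages and `SAMPLE_RULE` are hypothetical names, the sample rule is constructed, and the `from_port <= to_port` ordering check is an assumption not stated on this page.

```ruby
# Added example: offline lint for a RuleDefinition hash; hypothetical helper, no AWS call is made.
STANDARD_ACTIONS = %w[aws:pass aws:drop aws:forward_to_sfe].freeze
TCP_FLAGS = %w[FIN SYN RST PSH ACK URG ECE CWR].freeze
def lint_rule_definition(rule, custom_action_names = [])
  findings = []
  actions = Array(rule[:actions])
  standard = actions.select { |a| STANDARD_ACTIONS.include?(a) }
  findings << "need exactly one standard action, found #{standard.size}" unless standard.size == 1
  unknown = actions - STANDARD_ACTIONS - custom_action_names
  findings << "undefined custom action: #{unknown.join(', ')}" unless unknown.empty?
  # aws:pass ends all inspection, so the stateful engine never sees the packet.
  findings << "aws:pass bypasses stateful inspection" if standard == ["aws:pass"]
  match = rule[:match_attributes]
  return findings << "match_attributes is required" if match.nil?
  %i[sources destinations].each do |key|
    Array(match[key]).each do |addr|
      findings << "#{key}: address_definition is required" if addr[:address_definition].to_s.empty?
    end
  end
  %i[source_ports destination_ports].each do |key|
    Array(match[key]).each do |range|
      from, to = range.values_at(:from_port, :to_port)
      if from.nil? || to.nil?
        findings << "#{key}: from_port and to_port are required"
      elsif from > to # assumed ordering constraint, not stated on this page
        findings << "#{key}: from_port #{from} exceeds to_port #{to}"
      end
    end
  end
  Array(match[:tcp_flags]).each do |tf|
    findings << "tcp_flags: flags is required" if tf[:flags].nil?
    bad = (Array(tf[:flags]) + Array(tf[:masks])) - TCP_FLAGS
    findings << "tcp_flags: unknown flag #{bad.join(', ')}" unless bad.empty?
  end
  findings
end

# Constructed sample: two standard actions, an undeclared custom action, a misspelled flag.
SAMPLE_RULE = {
  match_attributes: {
    sources: [{ address_definition: "10.0.0.0/8" }],
    destination_ports: [{ from_port: 443, to_port: 443 }],
    protocols: [6],
    tcp_flags: [{ flags: ["SYN"], masks: ["SYN", "ACKK"] }]
  },
  actions: ["aws:pass", "aws:drop", "MyMetricsAction"]
}.freeze
puts lint_rule_definition(SAMPLE_RULE)
```

Pass the names of the custom actions defined alongside the rule as the second argument so that they are not reported as undefined.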

@see docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleDefinition AWS API Documentation

Constants

SENSITIVE