/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include namespace Aws { namespace Utils { namespace Json { class JsonValue; class JsonView; } // namespace Json } // namespace Utils namespace NetworkFirewall { namespace Model { /** *

Configuration settings for the handling of the stateful rule groups in a firewall policy.

See Also:

AWS API Reference

*/
class StatefulEngineOptions
{
public:
  /// Constructs an options object with nothing set; see the "HasBeenSet" accessors below.
  AWS_NETWORKFIREWALL_API StatefulEngineOptions();
  /// Builds the options from their JSON wire representation.
  AWS_NETWORKFIREWALL_API StatefulEngineOptions(Aws::Utils::Json::JsonView jsonValue);
  /// Overwrites this object from its JSON wire representation.
  AWS_NETWORKFIREWALL_API StatefulEngineOptions& operator=(Aws::Utils::Json::JsonView jsonValue);
  /// Serialises this object to its JSON wire representation (implemented out of line).
  AWS_NETWORKFIREWALL_API Aws::Utils::Json::JsonValue Jsonize() const;

  /**
   * Indicates how to manage the order of stateful rule evaluation for the policy.
   * DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the
   * rule engine as Suricata compatible strings, and Suricata evaluates them based on
   * certain settings. For more information, see "Evaluation order for stateful rules"
   * in the Network Firewall Developer Guide.
   *
   * @return the stored rule order; meaningful only when RuleOrderHasBeenSet() is true.
   */
  inline const RuleOrder& GetRuleOrder() const{ return m_ruleOrder; }

  /// @return true once SetRuleOrder()/WithRuleOrder() has been called on this object.
  inline bool RuleOrderHasBeenSet() const { return m_ruleOrderHasBeenSet; }

  /// Sets the rule order (see GetRuleOrder()) and marks it as set.
  inline void SetRuleOrder(const RuleOrder& value) { m_ruleOrderHasBeenSet = true; m_ruleOrder = value; }

  /// Move-sets the rule order (see GetRuleOrder()) and marks it as set.
  inline void SetRuleOrder(RuleOrder&& value) { m_ruleOrderHasBeenSet = true; m_ruleOrder = std::move(value); }

  /// Fluent form of SetRuleOrder(); returns *this for chaining.
  inline StatefulEngineOptions& WithRuleOrder(const RuleOrder& value) { SetRuleOrder(value); return *this;}

  /// Fluent move form of SetRuleOrder(); returns *this for chaining.
  inline StatefulEngineOptions& WithRuleOrder(RuleOrder&& value) { SetRuleOrder(std::move(value)); return *this;}

  /**
   * Configures how Network Firewall processes traffic when a network connection
   * breaks midstream. Network connections can break due to disruptions in external
   * networks or within the firewall itself.
   *
   * - DROP - Network Firewall fails closed and drops all subsequent traffic going to
   *   the firewall. This is the default behavior.
   * - CONTINUE - Network Firewall continues to apply rules to the subsequent traffic
   *   without context from traffic before the break. This impacts the behavior of
   *   rules that depend on this context. For example, if you have a stateful rule to
   *   drop http traffic, Network Firewall won't match the traffic for this rule
   *   because the service won't have the context from session initialization
   *   defining the application layer protocol as HTTP. However, this behavior is rule
   *   dependent - a TCP-layer rule using a flow:stateless rule would still match, as
   *   would the aws:drop_strict default action. Because protocol-aware rules may stop
   *   matching after a break, CONTINUE is the fail-open choice of the three.
   * - REJECT - Network Firewall fails closed and drops all subsequent traffic going
   *   to the firewall. Network Firewall also sends a TCP reject packet back to your
   *   client so that the client can immediately establish a new session. Network
   *   Firewall will have context about the new session and will apply rules to the
   *   subsequent traffic.
   *
   * @return the stored policy; meaningful only when StreamExceptionPolicyHasBeenSet() is true.
   */
  inline const StreamExceptionPolicy& GetStreamExceptionPolicy() const{ return m_streamExceptionPolicy; }

  /// @return true once SetStreamExceptionPolicy()/WithStreamExceptionPolicy() has been called.
  inline bool StreamExceptionPolicyHasBeenSet() const { return m_streamExceptionPolicyHasBeenSet; }

  /// Sets the stream exception policy (see GetStreamExceptionPolicy()) and marks it as set.
  inline void SetStreamExceptionPolicy(const StreamExceptionPolicy& value) { m_streamExceptionPolicyHasBeenSet = true; m_streamExceptionPolicy = value; }

  /// Move-sets the stream exception policy (see GetStreamExceptionPolicy()) and marks it as set.
  inline void SetStreamExceptionPolicy(StreamExceptionPolicy&& value) { m_streamExceptionPolicyHasBeenSet = true; m_streamExceptionPolicy = std::move(value); }

  /// Fluent form of SetStreamExceptionPolicy(); returns *this for chaining.
  inline StatefulEngineOptions& WithStreamExceptionPolicy(const StreamExceptionPolicy& value) { SetStreamExceptionPolicy(value); return *this;}

  /// Fluent move form of SetStreamExceptionPolicy(); returns *this for chaining.
  inline StatefulEngineOptions& WithStreamExceptionPolicy(StreamExceptionPolicy&& value) { SetStreamExceptionPolicy(std::move(value)); return *this;}

private:
  // NOTE(review): neither enum member has an in-class initializer; the out-of-line
  // constructor is presumably what gives them a defined value - confirm before relying
  // on Get*() without checking the matching *HasBeenSet() flag.
  RuleOrder m_ruleOrder;
  bool m_ruleOrderHasBeenSet = false;   // flipped to true by every SetRuleOrder overload
  StreamExceptionPolicy m_streamExceptionPolicy;
  bool m_streamExceptionPolicyHasBeenSet = false;   // flipped to true by every SetStreamExceptionPolicy overload
};
} // namespace Model
} // namespace NetworkFirewall
} // namespace Aws