class Action

Accept the packet.

This is a terminal action for the current *installed* routine, i.e. no

further rules will be evaluated for this packet in the installed routine

(or any subroutines) in which this rule is installed. Subsequent

routines installed on the same hook will still be evaluated.

Accept the packet.

This is a terminal action for the current *installed* routine, i.e. no

further rules will be evaluated for this packet in the installed routine

(or any subroutines) in which this rule is installed. Subsequent

routines installed on the same hook will still be evaluated.

Drop the packet.

This is a terminal action, i.e. no further rules will be evaluated for

this packet, even in other routines on the same hook.

Drop the packet.

This is a terminal action, i.e. no further rules will be evaluated for

this packet, even in other routines on the same hook.

Jump from the current routine to the routine identified by the provided

name.

The target routine must be in the same namespace as the calling routine,

and it cannot be installed on a hook; it must be an uninstalled routine.

Jump from the current routine to the routine identified by the provided

name.

The target routine must be in the same namespace as the calling routine,

and it cannot be installed on a hook; it must be an uninstalled routine.

Stop evaluation of the current routine and return to the calling routine

(the routine from which the current routine was jumped), continuing

evaluation at the next rule.

If invoked in an installed routine, equivalent to `accept`, given packets

are accepted by default in the absence of any matching rules.

Stop evaluation of the current routine and return to the calling routine

(the routine from which the current routine was jumped), continuing

evaluation at the next rule.

If invoked in an installed routine, equivalent to `accept`, given packets

are accepted by default in the absence of any matching rules.

Redirect the packet to a local socket without changing the packet header

in any way.

This is a terminal action for the current hook, i.e. no further rules

will be evaluated for this packet, even in other routines on the same

hook. However, note that this does not preclude actions on *other* hooks

from having an effect on this packet; for example, a packet that hits

TransparentProxy in INGRESS could still be dropped in LOCAL_INGRESS.

This action is only valid in the INGRESS hook. This action is also only

valid in a rule that ensures the presence of a TCP or UDP header by

matching on the transport protocol, so that the packet can be properly

dispatched.

Also note that transparently proxied packets will only be delivered to

sockets with the transparent socket option enabled. If no such socket

exists, the packet will be dropped.

This is analogous to the `tproxy` statement in Netfilter.

Redirect the packet to a local socket without changing the packet header

in any way.

This is a terminal action for the current hook, i.e. no further rules

will be evaluated for this packet, even in other routines on the same

hook. However, note that this does not preclude actions on *other* hooks

from having an effect on this packet; for example, a packet that hits

TransparentProxy in INGRESS could still be dropped in LOCAL_INGRESS.

This action is only valid in the INGRESS hook. This action is also only

valid in a rule that ensures the presence of a TCP or UDP header by

matching on the transport protocol, so that the packet can be properly

dispatched.

Also note that transparently proxied packets will only be delivered to

sockets with the transparent socket option enabled. If no such socket

exists, the packet will be dropped.

This is analogous to the `tproxy` statement in Netfilter.

A special case of destination NAT (DNAT) that redirects the packet to

the local host.

This is a terminal action for all NAT routines on the current hook. The

packet is redirected by rewriting the destination IP address to one

owned by the ingress interface (if operating on incoming traffic in

INGRESS) or the loopback address (if operating on locally-generated

traffic in LOCAL_EGRESS). If this rule is installed on INGRESS and no IP

address is assigned to the incoming interface, the packet is dropped.

As with all DNAT actions, this action is only valid in the INGRESS and

LOCAL_EGRESS hooks. If a destination port is specified, this action is

only valid in a rule that ensures the presence of a TCP or UDP header by

matching on the transport protocol, so that the destination port can be

rewritten.

This is analogous to the `redirect` statement in Netfilter.

A special case of destination NAT (DNAT) that redirects the packet to

the local host.

This is a terminal action for all NAT routines on the current hook. The

packet is redirected by rewriting the destination IP address to one

owned by the ingress interface (if operating on incoming traffic in

INGRESS) or the loopback address (if operating on locally-generated

traffic in LOCAL_EGRESS). If this rule is installed on INGRESS and no IP

address is assigned to the incoming interface, the packet is dropped.

As with all DNAT actions, this action is only valid in the INGRESS and

LOCAL_EGRESS hooks. If a destination port is specified, this action is

only valid in a rule that ensures the presence of a TCP or UDP header by

matching on the transport protocol, so that the destination port can be

rewritten.

This is analogous to the `redirect` statement in Netfilter.

A special case of source NAT (SNAT) that reassigns the source IP address

of the packet to an address that is assigned to the outgoing interface.

This is a terminal action for all NAT routines on the current hook. If

no address is assigned to the outgoing interface, the packet will be

dropped.

This action is only valid in the EGRESS hook. If a source port range is

specified, this action is only valid in a rule that ensures the presence

of a TCP or UDP header by matching on the transport protocol, so that

the source port can be rewritten.

This is analogous to the `masquerade` statement in Netfilter.

A special case of source NAT (SNAT) that reassigns the source IP address

of the packet to an address that is assigned to the outgoing interface.

This is a terminal action for all NAT routines on the current hook. If

no address is assigned to the outgoing interface, the packet will be

dropped.

This action is only valid in the EGRESS hook. If a source port range is

specified, this action is only valid in a rule that ensures the presence

of a TCP or UDP header by matching on the transport protocol, so that

the source port can be rewritten.

This is analogous to the `masquerade` statement in Netfilter.

Applies the mark action to the given mark domain.

This is a non-terminal action for both routines and hooks. This is also

only available in [`IpRoutines`] because [`NatRoutines`] only runs on

the first packet in a connection and it is likely a misconfiguration

that packets after the first are marked differently or unmarked.

Note: If we find use cases that justify this being in [`NatRoutines`] we

should relax this limitation and support it.

This is analogous to the `mark` statement in Netfilter.

Applies the mark action to the given mark domain.

This is a non-terminal action for both routines and hooks. This is also

only available in [`IpRoutines`] because [`NatRoutines`] only runs on

the first packet in a connection and it is likely a misconfiguration

that packets after the first are marked differently or unmarked.

Note: If we find use cases that justify this being in [`NatRoutines`] we

should relax this limitation and support it.

This is analogous to the `mark` statement in Netfilter.

A non-terminal action that does nothing. Useful to run matchers that may

have side-effects, particularly eBPF matchers.

A non-terminal action that does nothing. Useful to run matchers that may

have side-effects, particularly eBPF matchers.

You probably want to use Which() method instead of Ordinal(). Use Ordinal() only when you need

access to the raw integral ordinal value.