I'm writing an L7 firewall in golang using go-nfqueue.
For each packet (from a src client to a dst server) that crosses my L7 firewall, I check the application-layer content of the packet and I have to set one of the following verdicts:
- Accept: When the content is as expected.
- Drop: If the content is not as expected and my configuration is in "silent" mode. In that case, the src client doesn't know that its packet has been rejected; it just never receives the ACK (these are TCP packets).
- Reject: If the content is not as expected and my configuration is in "disconnect" mode. In that case, the src client has to be disconnected.
For the first two verdicts (accept and drop), it works fine with "NfAccept" and "NfDrop" respectively.
But in libnetfilter_queue/go-nfqueue the verdict "reject" doesn't exist.
How can I reject a packet (i.e. disconnect a src client)?
Regards
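One way to implement the missing "reject" verdict, added here as an example that is not part of the question or of go-nfqueue: answer the queued packet with NfDrop and then send the client a TCP RST, which is what iptables' REJECT --reject-with tcp-reset does inside the kernel. The code below only builds the RST packet from the bytes nfqueue handed over (IPv4 only, assumed); writing it out through a raw socket with IP_HDRINCL, and optionally sending a second RST towards the server so both sides forget the connection, is left to the caller.

```go
package main

import "encoding/binary"

// inetChecksum is the RFC 1071 one's-complement sum over bufs (each of even length).
func inetChecksum(bufs ...[]byte) uint16 {
	var sum uint32
	for _, b := range bufs {
		for i := 0; i+1 < len(b); i += 2 {
			sum += uint32(binary.BigEndian.Uint16(b[i:]))
		}
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}
// BuildTCPReset turns the refused client->server IPv4/TCP packet handed over by nfqueue
// into the server->client IPv4 packet carrying the RFC 793 TCP RST; nil if not IPv4/TCP.
func BuildTCPReset(pkt []byte) []byte {
	if len(pkt) < 20 || pkt[0] < 0x45 || pkt[0] > 0x4f || pkt[9] != 6 || len(pkt) < int(pkt[0]&0x0f)*4+20 {
		return nil
	}
	ip, tcp := pkt[:int(pkt[0]&0x0f)*4], pkt[int(pkt[0]&0x0f)*4:]
	dataOff := int(tcp[12]>>4) * 4
	if dataOff < 20 || dataOff > len(tcp) {
		return nil
	}
	// IPv4 header: total length 40, TTL 64, protocol TCP, addresses swapped (from server to client).
	out := append([]byte{0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0}, ip[16:20]...)
	out = append(out, ip[12:16]...)
	binary.BigEndian.PutUint16(out[10:], inetChecksum(out))
	flags, rst := tcp[13], make([]byte, 20)
	copy(rst[0:2], tcp[2:4]) // ports swapped as well
	copy(rst[2:4], tcp[0:2])
	rst[12] = 5 << 4 // data offset 20 bytes, no options
	if flags&0x10 != 0 { // client segment carried ACK: RST with SEQ = its ACK number
		copy(rst[4:8], tcp[8:12])
		rst[13] = 0x04
	} else { // no ACK (bare SYN): RST|ACK with SEQ 0, ACK = its SEQ + len, +1 per SYN/FIN
		next := binary.BigEndian.Uint32(tcp[4:]) + uint32(len(tcp)-dataOff)
		binary.BigEndian.PutUint32(rst[8:], next+uint32(flags>>1&1)+uint32(flags&1))
		rst[13] = 0x14
	}
	// TCP checksum covers the pseudo-header: src, dst, zero, protocol 6, TCP length 20.
	pseudo := append(append([]byte{}, out[12:20]...), 0, 6, 0, 20)
	binary.BigEndian.PutUint16(rst[16:], inetChecksum(pseudo, rst))
	return append(out, rst...)
}
```

The RST must be generated while the dropped packet's sequence numbers are still current, so build and send it in the same nfqueue callback that returns NfDrop.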