Back to c7 and firewalld




If I've missed someone's response, apologies.

As I said, my converted rules seem fine, and I can run the script that
issues a bunch of direct rules for the built-in FORWARD rule... but when I
try firewall-cmd --reload, it tells me error, that FORWARD is a built-in.

Now, today, what I've been looking at is to run iptables-save, and what I
see is this (in part):
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Does this mean that, instead of the format of the entry of the rule being
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD <actual rule>
that it should, instead, be
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct <actual rule>
? And if that's what I need to do, that's fine, but I have found *zero*
documentation about that. Everything I have found about adding direct
rules to a built-in chain doesn't mention it.

Is this so new, it's not documented?

      mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
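The iptables-save excerpt quoted in the message is enough to check, from a defender's side, whether direct rules on a built-in chain are actually reachable: the built-in FORWARD chain must jump to FORWARD_direct, and that jump must come before the chain's final REJECT. The following POSIX sh script is an added example, not code from the poster or from the firewalld project; it reads iptables-save text on stdin, and the sample it runs over is constructed here (the FORWARD rules from the message plus one hypothetical rule in FORWARD_direct). On a live host, the same functions can be fed `iptables-save` directly, and `firewall-cmd --direct --get-all-rules` shows what firewalld believes it has loaded, so the two views can be compared.

```shell
#!/bin/sh
# Constructed sample in iptables-save format: firewalld's FORWARD chain as quoted
# in the message, plus one hypothetical rule already sitting in FORWARD_direct.
SAMPLE_SAVE='*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -i eth1 -o eth0 -j ACCEPT
COMMIT'

# direct_hook CHAIN: print the "<CHAIN>_direct" chain that the built-in CHAIN
# jumps to, reading iptables-save text on stdin; prints nothing if no hook exists.
direct_hook() {
    awk -v c="$1" '$1 == "-A" && $2 == c && $3 == "-j" && $4 == (c "_direct") { print $4; exit }'
}

# direct_rules CHAIN: print the rules currently loaded in <CHAIN>_direct, i.e.
# what the kernel actually evaluates for direct rules attached to CHAIN.
direct_rules() {
    awk -v c="$1" '$1 == "-A" && $2 == (c "_direct")'
}

# hook_before_reject CHAIN: exit 0 only when the <CHAIN>_direct hook is ordered
# before the chain's final REJECT, so that direct rules are reached at all.
# Exit 1 when the hook is missing or sits after the REJECT.
hook_before_reject() {
    awk -v c="$1" '
        $1 == "-A" && $2 == c { n++ }
        $1 == "-A" && $2 == c && $3 == "-j" && $4 == (c "_direct") { hook = n }
        $1 == "-A" && $2 == c && $0 ~ /-j REJECT/ { rej = n }
        END { exit !(hook > 0 && (rej == 0 || hook < rej)) }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SAVE" | direct_hook FORWARD
printf '%s\n' "$SAMPLE_SAVE" | direct_rules FORWARD
if printf '%s\n' "$SAMPLE_SAVE" | hook_before_reject FORWARD; then
    echo "FORWARD_direct is evaluated before the final REJECT"
fi
```

The ordering check matters because firewalld's own zone chains and the trailing `-j REJECT --reject-with icmp-host-prohibited` are regenerated on every reload; a direct rule that is present in the kernel but hooked after the REJECT would never match, which is why confirming the position of the hook is a more useful check than confirming the rule text alone.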


