On Sun, 31 Mar 2024, at 12:22 AM, Blaine Elzey wrote: [...] > Now that I know the underlying nftables configuration, I need to > incorporate this configuration into the firewalld configuration. I > understand if this is off-topic and I may need to post in a different > forum. > > I see that firewalld says that direct rules is deprecated, and to use policies. How very helpful of it. > > Unfortunately policies do not support notrack, and the necessary > arguments that I have tried in direct rules are invalid. I have also > come to find that the firewall direct rules only support iptables, > while my firewalld.conf is set to use nftables; thus, unable to see > nftables tables and chains setup by firewalld. Maybe the nftable rules > from firewalld override the iptables rules from firewalld direct? Rocky 9 offers iptables-nft, which uses nftables as a backend while continuing to support xtables extensions. Unfortunately, it cannot be relied upon to translate the syntax of a given iptables(8) rule to a native nft(8) rule, even for those rules where it is technically possible. Consider the following. # nft flush ruleset # iptables -V iptables v1.8.10 (nf_tables) # iptables -t raw -A PREROUTING -j CT --notrack # nft list ruleset # Warning: table ip raw is managed by iptables-nft, do not touch! table ip raw { chain PREROUTING { type filter hook prerouting priority raw; policy accept; counter packets 0 bytes 0 xt target "CT" } } This shows iptables electing to use the CT extension from xtables, rather than produce the native, equivalent nftables rule. Consequently, one ends up with a hybrid ruleset that can no longer be safely managed with nft alone. So, should you wish to try the firewall.direct(5) syntax, be sure to define "FirewallBackend=iptables". Further, in each case that the backend is switched, be sure to stop the service and run "nft flush ruleset" before starting it again. > > At the moment, I created some workaround scripts from the information > in this post, and call the in the systemd ExecStartPre= for DNS > service start. I remove them in ExecStopPost=. I fear that this might prove brittle. Presumably, firewalld can be instructed to interact with the ruleset in such a way that the necessary rules are lost, well after the systemd service has been started. Still, I can think of nothing else, other than to forgo the use of firewalld altogether. -- Kerin Millar