I was trying to allow my docker container to pass DNS requests through my host. As backend I use nftables.
I have put this into /etc/firewalld/firewalld.conf:
FirewallBackend=nftables
Trying to add a direct rule via command line gave an error message from iptables. Why is iptables here?
Or is --direct no longer usable with nftables?
firewall-cmd --direct --add-rule ipv4 filter filter_FWDI_FedoraWorkstation_allow 0 -p tcp --dport 53 -j ACCEPT
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
In the past I could put a file /etc/firewalld/direct.xml like this:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
</direct>
when I needed forwarding.
But now when I do this I cannot see anything in "nft list ruleset" but I see it in "iptables -L -n -v" instead.
What is the correct way to configure forward chains in firewalld with nftables backend?
On Wed, Jun 05, 2019 at 07:33:41PM -0000, Frank Ansari wrote:
> I was trying to allow my docker container to pass DNS requests through my host. As backend I use nftables.
> I have put this into /etc/firewalld/firewalld.conf:
> FirewallBackend=nftables
> Trying to add a direct rule via command line gave an error message from iptables. Why is iptables here?
> Or is --direct no longer usable with nftables?
It is usable. The direct rules are still added to iptables.
> firewall-cmd --direct --add-rule ipv4 filter filter_FWDI_FedoraWorkstation_allow 0 -p tcp --dport 53 -j ACCEPT
> Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
filter_FWDI_FedoraWorkstation_allow is not a valid chain in iptables. It is an nftables chain, because you're using the nftables backend. iptables and nftables do not share chains.
> In the past I could put a file /etc/firewalld/direct.xml like this:
> <?xml version="1.0" encoding="utf-8"?>
> <direct>
>   <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
> </direct>
FWIW, adding direct rules to the internal firewalld zone chains has never really been supported. Instead you should use the "FORWARD" or "FORWARD_direct" chains (they're equivalent).
> when I needed forwarding.
> But now when I do this I cannot see anything in "nft list ruleset" but I see it in "iptables -L -n -v" instead.
Maybe reading this post will help you understand why:
https://firewalld.org/2018/07/nftables-backend
> What is the correct way to configure forward chains in firewalld with nftables backend?
Since firewalld doesn't natively support forward filtering you do indeed have to use direct rules. You can do the following:
- add the docker interface to the trusted zone
but that will allow _all_ traffic, so you can also do this
- add a direct rule to allow port 53 as you do above e.g. firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp --dport 53 -j ACCEPT
- add a catch-all direct rule to block the rest of the traffic e.g. firewall-cmd --direct --add-rule ipv4 filter FORWARD 9999 -j DROP
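The workaround in this reply, as an added example that is not from the thread: a small sh script that generates the direct rules (both address families, tcp and udp, catch-all DROP at priority 9999), applies them, and verifies them in iptables, where direct rules actually land with the nftables backend. It assumes the container bridge is named docker0 and adds a conntrack RELATED,ESTABLISHED rule so DNS replies reach the container past the catch-all DROP.

```shell
#!/bin/sh
# Added example (not code from the thread): the reply's workaround as firewalld
# direct rules, plus a check where they really live. Direct rules are programmed
# through iptables even with FirewallBackend=nftables, so verification uses
# "iptables -S FORWARD_direct", not "nft list ruleset".
# Assumptions: the container bridge is docker0 (override with BRIDGE=...), and
# firewall-cmd/iptables are in PATH when "apply"/"verify" is used.
BRIDGE="${BRIDGE:-docker0}"
DNS_PORT=53
DROP_PRIO=9999   # higher priority number = evaluated later in FORWARD_direct

# Each function prints one rule in the form firewall-cmd --direct expects:
# <ipv> <table> <chain> <priority> <iptables arguments>
allow_rule() {   # allow_rule <ipv> <proto>: DNS queries leaving the bridge
    printf '%s filter FORWARD 0 -i %s -p %s --dport %s -j ACCEPT\n' \
        "$1" "$BRIDGE" "$2" "$DNS_PORT"
}
reply_rule() {   # reply_rule <ipv>: answers must get back to the container
    printf '%s filter FORWARD 0 -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
        "$1" "$BRIDGE"
}
drop_rule() {    # drop_rule <ipv>: catch-all for everything else from the bridge
    printf '%s filter FORWARD %s -i %s -j DROP\n' "$1" "$DROP_PRIO" "$BRIDGE"
}
rule_set() {     # all rules for both address families, one per line
    for ipv in ipv4 ipv6; do
        allow_rule "$ipv" udp; allow_rule "$ipv" tcp
        reply_rule "$ipv";     drop_rule "$ipv"
    done
}
apply_rules() {  # runtime and permanent config
    rule_set | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule string is intended
        firewall-cmd --direct --add-rule $rule
        firewall-cmd --permanent --direct --add-rule $rule
    done
}
verify_rules() { # verify_rules [iptables|ip6tables]: both ACCEPTs before the DROP
    "${1:-iptables}" -S FORWARD_direct | awk -v b="$BRIDGE" '
        $0 ~ "-i " b " .*--dport 53 -j ACCEPT" && !drop { ok++ }
        $0 ~ "-i " b " -j DROP"                          { drop = 1 }
        END { exit !(ok == 2 && drop) }'
}
case "${1:-}" in
    apply)  apply_rules ;;
    verify) verify_rules && verify_rules ip6tables ;;
    *)      rule_set ;;   # default: dry run, print what would be added
esac
```

Run it with no argument first to see the rules it would add; `verify` fails if the DROP is missing or sits in front of the ACCEPTs.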
After I updated my system it worked with this direct.xml but only when I use iptables as backend:
```
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
</direct>
```
It is completely unclear to me why the support of forward chains is so bad. You need this as soon as you have some KVM or docker scenario - so really standard stuff.
On Thu, Jun 06, 2019 at 08:27:24PM -0000, Frank Ansari wrote:
> After I updated my system it worked with this direct.xml but only when I use iptables as backend:
> <?xml version="1.0" encoding="utf-8"?>
> <direct>
>   <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
> </direct>
> It is completely unclear to me why the support of forward chains is so bad. You need this as soon as you have some KVM or docker scenario - so really standard stuff.
Implementing forward/output support is a high priority item for firewalld. It's been roughly designed and discussed, but it's a very large work item. Traditionally firewalld has been an end-station firewall with minimal support for forwarding (e.g. masquerade, forward-ports).
Did you try the workaround in my previous email?
firewalld-users@lists.fedorahosted.org