On Mon, Jul 25, 2022 at 07:05:02PM -0000, Samuel Irlapati wrote:
> I have been using direct-rules. I just upgraded to Fedora 36 and looks
> like I can't use direct-rules anymore. Is this true?
No. It's not true. Direct rules are deprecated, but they still work.
> Also from some google searches, I have come to understand that
> direct-rules can be replaced with rich-rules. Is this true?
Not completely. iptables has many extensions for which firewalld does
not provide an abstraction.
But in modest use cases, yes.
> I have a lot of rules that need to be converted, so will be asking for
> help for them. So I will just start by asking some simple ones. How do
> I convert the following rule to a rich-rule?
If you have iptables direct rules for FORWARD/OUTPUT, then firewalld's
native policies may be able to replace them.
Policies allow for forward/output filtering.
https://firewalld.org/2020/09/policy-objects-introduction
> firewall-cmd --direct --add-rule ipv4 mangle PREROUTING 0 -p tcp -s $WEBSAFETY0_PODIP --dport 80 -j MARK --set-mark $WEBMARK
>
> Does it matter which zone "$WEBSAFETY0_PODIP" is located in, if the
> $WEBMARK uses a routing table that postroutes the packet onto an
> interface on the external zone?
Let us say you want to apply your rule to traffic flowing from
"websafe_pod" to any other zone.
Create a "websafe_pod" zone:
# firewall-cmd --permanent --new-zone websafe_pod
# firewall-cmd --permanent --zone websafe_pod --add-source $WEBSAFETY0_PODIP
Then you can create a policy that applies to traffic flowing from
"websafe_pod" to any other zone:
# firewall-cmd --permanent --new-policy websafePod
# firewall-cmd --permanent --policy websafePod --add-ingress-zone websafe_pod
# firewall-cmd --permanent --policy websafePod --add-egress-zone ANY
Now you can create your mark rule with a rich rule:
# firewall-cmd --permanent --policy websafePod --add-rich-rule="rule family=ipv4 port port=80 protocol=tcp mark set=$WEBMARK"
The end result is an nftables rule that looks like this:
# nft list ruleset |grep -i mark
meta nfproto ipv4 tcp dport 80 meta mark set 0x0000029a
All that being said, you may have to tune it to your specific use case
as I was mostly guessing what you're trying to do. :)
Hope that helps.
Eric.
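The conversion Eric walks through above, collected into one script. This is an added example, not code from the thread or from the firewalld project: it wraps the same zone, policy and rich-rule commands in a shell function with a dry-run mode, so the generated firewall-cmd invocations can be reviewed before they are applied. It assumes firewall-cmd with policy-object support (firewalld 0.9 or later); the zone name websafe_pod and policy name websafePod are the thread's, the source address 192.0.2.10 is a constructed sample, and 0x29a is the mark shown in the thread's nft output. The one substantive difference from the direct rule is that the source address no longer lives in the rule itself: it is expressed by membership of the ingress zone via --add-source, which is exactly why the zone step cannot be skipped.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread: turns the direct-rule pattern
#   firewall-cmd --direct --add-rule ipv4 mangle PREROUTING 0 -p tcp -s $SRC --dport $PORT -j MARK --set-mark $MARK
# into the zone + policy + rich-rule form. Assumes firewall-cmd with policy
# objects (firewalld 0.9+). Zone/policy names are the thread's; the source
# address is a constructed sample.
set -eu

# DRY_RUN=1 (the default here) prints each firewall-cmd invocation instead of
# running it, so the conversion can be reviewed on a machine without firewalld.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rich-rule equivalent of "-p tcp --dport PORT -j MARK --set-mark MARK".
# The source address is deliberately absent: in the policy model it is
# expressed by membership of the ingress zone (--add-source), not by the rule.
mark_rich_rule() {
    port="$1"; mark="$2"
    printf 'rule family=ipv4 port port=%s protocol=tcp mark set=%s' "$port" "$mark"
}

# Zone holding the source address, a policy from that zone to ANY, and the
# mark rule attached to the policy.  Arguments: zone policy source port mark
convert_mark_rule() {
    zone="$1"; policy="$2"; src="$3"; port="$4"; mark="$5"
    run firewall-cmd --permanent --new-zone "$zone"
    run firewall-cmd --permanent --zone "$zone" --add-source "$src"
    run firewall-cmd --permanent --new-policy "$policy"
    run firewall-cmd --permanent --policy "$policy" --add-ingress-zone "$zone"
    run firewall-cmd --permanent --policy "$policy" --add-egress-zone ANY
    run firewall-cmd --permanent --policy "$policy" \
        --add-rich-rule="$(mark_rich_rule "$port" "$mark")"
    # --permanent changes only take effect after a reload.
    run firewall-cmd --reload
}

# Confirm the mark is present in the live nftables ruleset, the same check
# the thread does with "nft list ruleset | grep -i mark". Only meaningful
# with DRY_RUN=0 and root privileges; returns 0 when the mark is found.
check_mark_present() {
    nft list ruleset | grep -q "meta mark set $1"
}

# Constructed sample: 192.0.2.10 stands in for $WEBSAFETY0_PODIP, 0x29a is
# the mark value the thread's nft output shows as 0x0000029a.
convert_mark_rule websafe_pod websafePod 192.0.2.10 80 0x29a
```

Run it once with the default DRY_RUN=1 to see the seven commands it would issue, then with DRY_RUN=0 as root to apply them; afterwards `check_mark_present 0x0000029a` confirms the mark landed in the ruleset.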