Hello. When I used CentOS 7 with firewalld, I used this rule to allow multicast:
firewall-cmd -q --permanent --direct --add-rule ipv4 filter INPUT 1 -m pkttype --pkt-type multicast -j ACCEPT
But in CentOS 8 firewalld uses nftables as its backend and this rule doesn't work.
I tried to create nftables rule to allow multicast:
nft add table inet mytable
nft add chain inet mytable INPUT '{ type filter hook input priority 5; policy accept; }'
nft add rule inet mytable INPUT pkttype multicast counter accept
but it doesn't work either, because the firewalld rules, which run after my table, reject these packets:
chain filter_INPUT {
    type filter hook input priority 10; policy accept;
    ct state established,related accept
    ct status dnat accept
    iifname "lo" accept
    jump filter_INPUT_ZONES_SOURCE
    jump filter_INPUT_ZONES
    ct state invalid drop
    reject with icmpx type admin-prohibited    <---- this rule rejects my packets
}
How can I add a permanent rule for multicast traffic via firewall-cmd or via nftables?
On Wed, May 06, 2020 at 02:48:00PM -0000, Andrey Grigoryev wrote:
> Hello. When I used CentOS 7 with firewalld, I used this rule to allow multicast:
> firewall-cmd -q --permanent --direct --add-rule ipv4 filter INPUT 1 -m pkttype --pkt-type multicast -j ACCEPT
> But in CentOS 8 firewalld uses nftables as its backend and this rule doesn't work.
> I tried to create nftables rule to allow multicast:
> nft add table inet mytable
> nft add chain inet mytable INPUT '{ type filter hook input priority 5; policy accept; }'
> nft add rule inet mytable INPUT pkttype multicast counter accept
This will lead to the same symptoms as iptables. This nftables snippet and iptables are a _hook_ in netfilter (kernel). For a packet to be accepted by the system it needs to be accepted by _all_ hooks. Including the firewalld nftables hooks.
iptables + firewalld (nftables) looks like:
hookA --> hookB
nftables (higher precedence) + firewalld (nftables) looks like:
hookC --> hookB
If you examine firewalld rules you'll note that it uses priority values that are base + 10. This is to make sure firewalld rules occur _after_ the user's custom rules (iptables and often nftables).
> but it doesn't work either, because the firewalld rules, which run after my table, reject these packets:
Right.
> chain filter_INPUT {
>     type filter hook input priority 10; policy accept;
>     ct state established,related accept
>     ct status dnat accept
>     iifname "lo" accept
>     jump filter_INPUT_ZONES_SOURCE
>     jump filter_INPUT_ZONES
>     ct state invalid drop
>     reject with icmpx type admin-prohibited    <---- this rule rejects my packets
> }
> How can I add a permanent rule for multicast traffic via firewall-cmd or via nftables?
You have a few options:
1) add a rich rule to accept the multicast traffic by destination address. e.g.
   # firewall-cmd --add-rich-rule='rule family=ipv4 destination address="224.0.0.0/16" accept'
2) inject nftables rules in firewalld's ruleset - you'll have to do this out-of-band of firewalld. There is no --direct support for nftables
3) add the relevant interface to the "trusted" zone - but then you won't have any filtering
firewalld currently doesn't have a way to match pkttype. It'd be a good candidate to add to rich rules. Feel free to file an RFE upstream.
Hope that helps. Eric.
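A toy model of the hook ordering Eric describes, added here as an example; it is not code from the thread or from firewalld. Chain contents, the sample packet and the placement of the rich rule are simplified assumptions (firewalld's real rich rules live in the zone chains that filter_INPUT jumps to), but the verdict logic is the point: an accept in the priority-5 hook only hands the packet to the priority-10 hook, which still has to accept it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
Packet = Dict[str, str]
Rule = Tuple[Callable[[Packet], bool], str]  # (match predicate, verdict)

@dataclass
class BaseChain:  # one base chain = one netfilter hook registration
    name: str
    priority: int
    rules: List[Rule] = field(default_factory=list)
    policy: str = "accept"

    def verdict(self, pkt: Packet) -> str:
        for match, action in self.rules:
            if match(pkt):
                return action
        return self.policy

def traverse(chains: List[BaseChain], pkt: Packet) -> str:
    # Hooks run in ascending priority; "accept" only passes the packet on to
    # the next hook, so every hook has to accept before it is delivered.
    for chain in sorted(chains, key=lambda c: c.priority):
        v = chain.verdict(pkt)
        if v != "accept":
            return f"{v} by {chain.name}"
    return "delivered"
def user_chain() -> BaseChain:  # Andrey's table, priority 5
    return BaseChain("mytable INPUT", 5, [(lambda p: p["pkttype"] == "multicast", "accept")])
def firewalld_chain(rich_rules: List[Rule] = ()) -> BaseChain:
    # Simplified filter_INPUT at priority 10; the zone chains it jumps to are
    # collapsed into rich_rules, which is where an accept rich rule lands.
    rules = [
        (lambda p: p["ct"] in ("established", "related"), "accept"),
        (lambda p: p["iif"] == "lo", "accept"),
        *rich_rules,
        (lambda p: True, "reject"),  # reject with icmpx type admin-prohibited
    ]
    return BaseChain("firewalld filter_INPUT", 10, rules)

# Constructed sample packet: a new multicast flow arriving on eth0
MCAST: Packet = {"dst": "224.1.2.3", "pkttype": "multicast", "ct": "new", "iif": "eth0"}

def without_rich_rule() -> str:
    return traverse([user_chain(), firewalld_chain()], MCAST)

def with_rich_rule(cidr: str) -> str:  # rich rule: destination address=<cidr> accept
    net = ipaddress.ip_network(cidr)
    rich = [(lambda p: ipaddress.ip_address(p["dst"]) in net, "accept")]
    return traverse([user_chain(), firewalld_chain(rich)], MCAST)
```

Note that the prefix in the rich rule has to cover the groups you actually use: 224.0.0.0/16 from the example does not match a 224.1.x.x group, which is why the prefix was adjusted to 224.1.0.0/16 later in the thread.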
Thank you. Option 1 fits for me:
firewall-cmd --add-rich-rule='rule family=ipv4 destination address="224.1.0.0/16" accept'
firewalld-users@lists.fedorahosted.org