Hi, I am learning how to use firewalld with nft on fedora 32. I have 2 simple questions:
1. is it possible to show counters of packets/bytes for tables/chains/rules as it was for iptables? I did not find anything about this in firewalld.
2. I am confused by the use of jump and goto in the rules created by firewalld: for example, in the rules below (generated by firewalld on one of my PCs), in the chain filter_INPUT_ZONES there are 'goto' whereas in the other chains there are 'jump'. So what happens to a ct-new packet with 'iifname "eno1"' that does not match 'tcp dport 22'? Does it end up at 'policy accept' or at 'reject with icmpx type admin-prohibited', or where?
Thanks!
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_INPUT_ZONES {
        iifname "eno1" goto filter_IN_FedoraWorkstation
        iifname "virbr0" goto filter_IN_libvirt
        goto filter_IN_FedoraWorkstation
    }

    chain filter_IN_FedoraWorkstation {
        jump filter_IN_FedoraWorkstation_pre
        jump filter_IN_FedoraWorkstation_log
        jump filter_IN_FedoraWorkstation_deny
        jump filter_IN_FedoraWorkstation_allow
        jump filter_IN_FedoraWorkstation_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_FedoraWorkstation_pre {
    }

    chain filter_IN_FedoraWorkstation_log {
    }

    chain filter_IN_FedoraWorkstation_deny {
    }

    chain filter_IN_FedoraWorkstation_allow {
        tcp dport 22 ct state { new, untracked } accept
    }

    chain filter_IN_FedoraWorkstation_post {
    }
On Sun, Jul 19, 2020 at 11:24:56AM +0200, Andrea Pasquinucci wrote:
> Hi, I am learning how to use firewalld with nft on fedora 32. I have 2 simple questions:
> - is it possible to show counters of packets/bytes for
> tables/chains/rules as it was for iptables? I did not find anything about this in firewalld.
No. By default nft doesn't use counters - this is for performance. There is an RFE out there for firewalld to allow counters. However, nft offers proper tracing. See "monitor" in the nft man page.
> - I am confused by the use of jump and goto in the rules
> created by firewalld: for example in the rules below (generated by firewalld on one of my PCs) in the chain filter_INPUT_ZONES there are 'goto' whereas in the other chains there are 'jump',
To understand the difference between "goto" and "jump" see the nft man page. They have the same meaning as "-g" and "-j" in iptables.
> so what happens to a ct-new packet with 'iifname "eno1"' and not to 'tcp dport 22'? Does it end up to 'policy accept' or to 'reject with icmpx type admin-prohibited' or where?
"reject with icmpx type admin-prohibited"
firewalld-users@lists.fedorahosted.org
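To make the "goto" versus "jump" answer above concrete, here is a small Python model of how nft walks the chains quoted in the question. It is an added illustration written for this thread, not firewalld or nftables code. It encodes the ruleset from the original message; the chain filter_IN_libvirt was not shown there and is assumed empty, and only the matches that appear in the ruleset are modelled (no sets, no other ct statuses). It also builds a variant with "jump" in place of "goto" in filter_INPUT_ZONES so the traces can be compared.

```python
"""Toy model of nft chain traversal: jump vs goto.

Added illustration for the firewalld-users thread, not firewalld/nftables code.
Chains mirror the ruleset quoted in the question; filter_IN_libvirt is assumed
empty (it was not shown). A verdict of None means "the chain ended without
deciding", which is exactly the case the question asks about.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    iif: str                      # ingress interface name
    proto: str                    # "tcp", "udp", "icmp", "ipv6-icmp"
    dport: Optional[int] = None   # destination port for tcp/udp
    ct_state: str = "new"         # new / established / related / invalid / untracked
    dnat: bool = False            # models "ct status dnat"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str                  # accept | drop | reject | jump | goto | return
    target: Optional[str] = None  # chain name for jump/goto


def any_packet(p: Packet) -> bool:
    return True


# filter_INPUT is the base chain (hook input, policy accept); the rest are regular chains.
CHAINS: Dict[str, List[Rule]] = {
    "filter_INPUT": [
        Rule(lambda p: p.ct_state in ("established", "related"), "accept"),
        Rule(lambda p: p.dnat, "accept"),
        Rule(lambda p: p.iif == "lo", "accept"),
        Rule(any_packet, "jump", "filter_INPUT_ZONES"),
        Rule(lambda p: p.ct_state == "invalid", "drop"),
        Rule(any_packet, "reject"),          # reject with icmpx type admin-prohibited
    ],
    "filter_INPUT_ZONES": [
        Rule(lambda p: p.iif == "eno1", "goto", "filter_IN_FedoraWorkstation"),
        Rule(lambda p: p.iif == "virbr0", "goto", "filter_IN_libvirt"),
        Rule(any_packet, "goto", "filter_IN_FedoraWorkstation"),
    ],
    "filter_IN_FedoraWorkstation": [
        Rule(any_packet, "jump", "filter_IN_FedoraWorkstation_pre"),
        Rule(any_packet, "jump", "filter_IN_FedoraWorkstation_log"),
        Rule(any_packet, "jump", "filter_IN_FedoraWorkstation_deny"),
        Rule(any_packet, "jump", "filter_IN_FedoraWorkstation_allow"),
        Rule(any_packet, "jump", "filter_IN_FedoraWorkstation_post"),
        Rule(lambda p: p.proto in ("icmp", "ipv6-icmp"), "accept"),
    ],
    "filter_IN_FedoraWorkstation_pre": [],
    "filter_IN_FedoraWorkstation_log": [],
    "filter_IN_FedoraWorkstation_deny": [],
    "filter_IN_FedoraWorkstation_allow": [
        Rule(lambda p: p.proto == "tcp" and p.dport == 22
             and p.ct_state in ("new", "untracked"), "accept"),
    ],
    "filter_IN_FedoraWorkstation_post": [],
    "filter_IN_libvirt": [],                 # assumption: not shown in the thread
}
BASE_POLICY = "accept"


def walk(chain: str, pkt: Packet, trace: List[str], chains=CHAINS) -> Optional[str]:
    """Evaluate one chain. Returns a final verdict, or None when the chain runs
    off its end (or hits 'return') without deciding anything."""
    for i, rule in enumerate(chains[chain]):
        if not rule.match(pkt):
            continue
        trace.append(f"{chain} rule {i}: {rule.verdict}"
                     + (f" {rule.target}" if rule.target else ""))
        if rule.verdict == "jump":
            # jump: if the target decides nothing, come back and continue here.
            result = walk(rule.target, pkt, trace, chains)
            if result is not None:
                return result
        elif rule.verdict == "goto":
            # goto: never come back; the target's outcome (even "undecided")
            # becomes this chain's outcome, so control returns to whoever
            # jumped to *this* chain.
            return walk(rule.target, pkt, trace, chains)
        elif rule.verdict == "return":
            return None
        else:
            return rule.verdict
    return None


def verdict_for(pkt: Packet, chains=CHAINS):
    """Run the packet through the base chain; fall back to its policy."""
    trace: List[str] = []
    result = walk("filter_INPUT", pkt, trace, chains)
    if result is None:
        result = BASE_POLICY
        trace.append(f"filter_INPUT: policy {BASE_POLICY}")
    return result, trace


def zones_with_jump():
    """Same ruleset but with 'jump' instead of 'goto' in filter_INPUT_ZONES,
    to show that the trailing catch-all rule would then run as well."""
    chains = dict(CHAINS)
    chains["filter_INPUT_ZONES"] = [
        Rule(r.match, "jump", r.target) for r in CHAINS["filter_INPUT_ZONES"]]
    return chains


if __name__ == "__main__":
    for pkt in (Packet("eno1", "tcp", 80), Packet("eno1", "tcp", 22),
                Packet("eno1", "icmp"), Packet("lo", "tcp", 80)):
        v, t = verdict_for(pkt)
        print(f"{pkt} -> {v}")
        for line in t:
            print("   ", line)
```

For the packet from the question (eno1, TCP to a port other than 22, ct state new) the walk ends with filter_IN_FedoraWorkstation deciding nothing; because filter_INPUT_ZONES reached it with goto, that "nothing" propagates straight back to filter_INPUT, which continues after its jump rule and hits the final reject. With jump in filter_INPUT_ZONES instead, the catch-all third rule would send the packet through filter_IN_FedoraWorkstation a second time before the same reject, which is the wasted evaluation goto avoids.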