Hello,
On 02/24/2015 10:17 AM, Peter Vrabec wrote:
> Hi,
> I have found out recently that fwknop claims firewalld support since
> fwknop-2.6.4 (11/16/2014).
> https://github.com/mrash/fwknop/blob/master/ChangeLog
> We have fwknop-2.6.3 in F21 and before we continue with upgrade I'd like
> to ask what are your thoughts about the integration? Is it done correctly?
The fwknop code for firewalld is very similar to the iptables code.
It is using untracked direct passthrough in firewalld with the
firewall-cmd command. It is not using the firewalld D-Bus interface at
all. The result is, that a service reload or restart of firewalld will
not be seen and the rules added by fwknop are gone afterwards.
Solutions:
1) Use the D-Bus interface to add, query and remove rules and also
register to get the reload and restart signals.
The use of untracked direct rules is good as long as reload and restart
signals are honored to restore the untracked rules again in fwknop.
Using the D-Bus interface will also speed up the addition of rules
especially if there are more to add.
Please have a look at man firewalld.dbus for the firewalld D-Bus
interface documentation.
2) Use tracked direct passthrough:
[--permanent] --direct --get-all-passthroughs
[--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
[--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
This way it is much simpler to query if a rule exists.
Rules can be added in the runtime environment and, with an extra call
(with the --permanent option added), also in the permanent environment.
Tracked direct rules in the runtime environment are automatically
restored after a firewalld reload.
Permanent rules are automatically restored after a restart (service or
system), but runtime only rules are lost. This is the difference between
runtime and permanent settings.
Tracked passthrough rules are available in firewalld since 0.3.12.
3) Use the D-Bus interface and also the tracked direct passthrough interface
Additionally the handling of chains can also be done with firewalld
directly:
[--permanent] --direct --get-all-chains
[--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
[--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
This way it is much simpler to query if the chain exists.
There is an advantage, though, to using untracked direct passthrough: all
these calls are handled within iptables and netfilter directly. The
absence of rules after a destructive iptables -F call for example will
be directly visible. With netfilter it is not possible to get notified
about changes in the ruleset.
> Thanks,
> Peter.
> PS: Please CC me for replies
Regards,
Thomas
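The following script is an added example, not fwknop's or firewalld's own code, of option 2 from the message above: managing an fwknop-style SPA accept rule through firewalld's tracked direct chain and passthrough interface (firewalld 0.3.12 or later), adding each rule in the runtime environment and again with --permanent so it survives both a reload and a restart. The chain name FWKNOP_INPUT, the jump from INPUT into that chain, and the sample client address and port are assumptions made for illustration; the DRY_RUN mode exists so the plan can be inspected on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not fwknop's or firewalld's code): tracked direct
# passthrough rules for an SPA-granted client, in both firewalld
# environments. FWKNOP_INPUT, the INPUT jump and the sample values are
# assumptions. Usage on a host without firewalld: DRY_RUN=1 sh spa_rule.sh

CHAIN="${FWKNOP_CHAIN:-FWKNOP_INPUT}"   # assumed chain name

# Thin wrapper around firewall-cmd. With DRY_RUN set it prints the command
# instead of running it and reports every --query-* as "absent", so the
# add path is exercised without a firewalld daemon.
fw() {
    if [ -n "$DRY_RUN" ]; then
        case "$*" in
            *--query-*) return 1 ;;
        esac
        echo "firewall-cmd $*"
        return 0
    fi
    firewall-cmd "$@"
}

# iptables argument string for one SPA-authenticated client.
spa_rule_args() {  # $1 = source IP, $2 = protocol, $3 = destination port
    printf '%s' "-A $CHAIN -s $1 -p $2 --dport $3 -j ACCEPT"
}

# Idempotent helpers. $1 is "" (runtime) or "--permanent". Because the
# chain and rules are tracked, firewalld answers the query itself; no
# "iptables -C" probing is needed.
ensure_chain() {
    fw $1 --direct --query-chain ipv4 filter "$CHAIN" >/dev/null 2>&1 ||
        fw $1 --direct --add-chain ipv4 filter "$CHAIN"
}

ensure_passthrough() {  # $1 = scope, remaining args = iptables rule
    scope="$1"; shift
    fw $scope --direct --query-passthrough ipv4 "$@" >/dev/null 2>&1 ||
        fw $scope --direct --add-passthrough ipv4 "$@"
}

# Grant access in the runtime environment (effective now) and in the
# permanent environment (restored after a service or system restart).
grant_access() {  # $1 = source IP, $2 = protocol, $3 = destination port
    rule=$(spa_rule_args "$1" "$2" "$3")
    for scope in "" "--permanent"; do
        ensure_chain $scope
        # Assumed layout: INPUT jumps into the fwknop chain, also tracked.
        ensure_passthrough "$scope" -I INPUT 1 -j "$CHAIN"
        ensure_passthrough "$scope" $rule
    done
}

# Revoke when the SPA access window closes: remove from both environments,
# otherwise the permanent copy would come back on the next restart.
revoke_access() {  # same arguments as grant_access
    rule=$(spa_rule_args "$1" "$2" "$3")
    for scope in "" "--permanent"; do
        fw $scope --direct --remove-passthrough ipv4 $rule
    done
}

# Number of firewall-cmd invocations an operation would make, from a dry run.
dry_run_count() {
    DRY_RUN=1 "$@" | wc -l | tr -d ' '
}

if [ -n "$DRY_RUN" ]; then
    grant_access 203.0.113.7 tcp 22    # constructed sample client
    revoke_access 203.0.113.7 tcp 22
fi
```

Running it with DRY_RUN=1 prints the six add commands a grant makes (chain, jump and rule, once per environment) followed by the two removals; without DRY_RUN on a firewalld host the functions call firewall-cmd directly. Note the ordering: the runtime call comes first so the client can connect immediately, and the --permanent call follows so that a restart does not silently drop the rule.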