I was trying to allow my docker container to pass DNS requests through my host. As the backend, I use nftables.
I have put this into /etc/firewalld/firewalld.conf:
FirewallBackend=nftables
Trying to add a direct rule via the command line gave an error message from iptables. Why is iptables here?
Or is --direct no longer usable with nftables?
firewall-cmd --direct --add-rule ipv4 filter filter_FWDI_FedoraWorkstation_allow 0 -p tcp --dport 53 -j ACCEPT
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed:
iptables-restore: line 2 failed
In the past I could put a file /etc/firewalld/direct.xml like this:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
</direct>
when I needed forwarding.
But now when I do this, I cannot see anything in "nft list ruleset", but I see it in "iptables -L -n -v" instead.
What is the correct way to configure forward chains in firewalld with nftables backend?
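Added example, not part of the question above and not firewalld's own tooling: a POSIX sh helper for the two things a practitioner would check here. First, which iptables front end is installed, because firewalld's direct interface always installs its rules through iptables even when FirewallBackend=nftables, and only the nf_tables variant of iptables puts those rules where "nft list ruleset" can show them (under table "ip filter"). Second, the firewall-cmd invocations for a firewalld policy object (firewalld 0.9 or later), which is the backend-neutral way to accept forwarded traffic between zones without touching FWDI_* chains. The zone name "docker" and the policy name "container-dns" are assumptions; check the real zone with "firewall-cmd --get-active-zones".

```shell
#!/bin/sh
# Added example, not from the original post. Assumes firewalld >= 0.9 (policy
# objects) and that the container interface sits in a zone named "docker"
# (assumption; verify with: firewall-cmd --get-active-zones).

# Classify an `iptables -V` string. The nf_tables variant writes into the
# kernel's nftables tables, so its rules show up in `nft list ruleset` as
# table "ip filter"; the legacy variant uses ip_tables and nft cannot see it.
classify_iptables_version() {
    case "$1" in
        *nf_tables*) echo nf_tables ;;
        *legacy*)    echo legacy ;;
        *)           echo unknown ;;
    esac
}

# Run the classification on the live system; "missing" if no iptables binary.
iptables_flavor() {
    v=$(iptables -V 2>/dev/null) || { echo missing; return 0; }
    classify_iptables_version "$v"
}

# Emit the firewall-cmd invocations for a policy that accepts the built-in
# "dns" service (tcp/udp 53) forwarded from zone $1 to any other zone.
# The policy name "container-dns" is made up for this example.
dns_policy_cmds() {
    zone=$1
    printf '%s\n' \
        "firewall-cmd --permanent --new-policy container-dns" \
        "firewall-cmd --permanent --policy container-dns --add-ingress-zone $zone" \
        "firewall-cmd --permanent --policy container-dns --add-egress-zone ANY" \
        "firewall-cmd --permanent --policy container-dns --add-service dns" \
        "firewall-cmd --reload"
}

# Usage (uncomment on a firewalld host):
# echo "iptables flavor: $(iptables_flavor)"
# dns_policy_cmds docker          # review the commands first
# dns_policy_cmds docker | sh     # then apply them as root
```

After "firewall-cmd --reload", "nft list ruleset" shows the policy's chains in firewalld's own "inet firewalld" table, unlike a direct rule, which lands in whatever table the iptables front end manages.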