Re: differences between various --direct commands
Hello,
On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen(a)powdermail.com wrote:
For adding a custom iptables rule using firewall-cmd, I'm having
a difficult
time understanding the difference between these:
firewalld has three levels of custom rules. The offer different levels
of control. In descending order (high level --> low level):
1) rich rules
- abstraction over iptables. This small language is defined by
firewalld and is guaranteed to work between firewalld release
and iptables versions.
2) direct rules
- passes rules directly to iptables. firewalld makes no attempt
to verify the arguments that are sent to iptables.
- usually used to insert rules into the pre-created
<zone>_direct chains.
3) direct passthrough rules
- similar #2 above, but allows you to insert into _any_ chain.
Even the top-level chains of iptables.
- used as a last resort
--direct --add-rule
As described in #2 above.
--direct --passthrough
Allows passing a command to iptables, but it will be untracked. This
means once the command has executed firewalld has no further knowledge
about it's execution. It does not keep runtime state that may have
occurred and it does not cause any configuration changes.
This is almost certainly not what you want. I'm not even sure why it
exists.
--direct --add-passthrough
As described in #3 above.
The manual explanation sounds the same for all three. There must be a reason
to have each one, they have to be different, can you help me know which I am
to use?
If you can use rich rules, then definitely use them over the others.
They're portable even if the firewall backend changes (i.e. when we
switch to nftables).
Hope that helps.
Eric.