On Thu, Jun 06, 2019 at 08:27:24PM -0000, Frank Ansari wrote:
After I updated my system it worked with this direct.xml but only
when I use iptables as backend:
```
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-p udp --dport 53 -j ACCEPT</rule>
</direct>
```
It is completely unclear to me why the support of forward chains is so bad. You need this
as soon as you have some KVM or docker scenario - so really standard stuff.
Implementing forward/output support is a high priority item for
firewalld. It's been roughly designed and discussed, but it's a very
large work item. Traditionally firewalld has been an end-station
firewall with minimal support for forwarding (e.g. masquerade,
forward-ports).
Did you try the workaround in my previous email?