On Sat, May 25, 2019 at 07:23:56PM -0000, Joshua Kramer wrote:
> I could never get the --set-log-denied=all to work, so instead I used
> the "iptables -vnL FORWARD" command. I found that there is a rule
> that essentially says, "If the destination is 192.168.4.0/24 and the
> out interface is virbr2, pass it through" as well as "if the source
> network is 192.168.4.0/24 and the in interface is virbr2, pass it
> through".

These rules are added by libvirt. libvirt uses firewalld's direct
passthrough interfaces to add them.

> However, there were no such rules for the 192.168.8.0/24
> network. So I need to duplicate those rules except using
> 192.168.8.0/24 in place of 192.168.4.0/24.

Probably because libvirt doesn't manage the 192.168.8.0/24 network.

> No big deal, right? I'll just add a Direct rule with the correct
> parameters. I did that... and the rule is at the BOTTOM of the chain.
> So the packets never hit that rule because they're dropped farther up
> the chain. (I did this by using the firewall-config GUI, going to Direct
> Configuration, and entering a Direct rule as "ipv4 / mangle / FORWARD
> / -1 / -d 192.168.8.0/24 -o virbr2 -j ACCEPT".)

Did you mean "filter" instead of "mangle"? I don't think mangle makes
sense in this scenario.

> I thought that setting it to -1 (or even -65535) would put this rule
> at the top.
>
> How can I get this Direct rule to go to the top?

firewalld creates an empty FORWARD_direct which is jumped to before the
rest of firewalld rules. You probably want that.
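Added example, not part of this thread or of firewalld/libvirt: a small rule walker that parses `iptables -vnL` output and reports which rule a forwarded packet hits first, so the ordering problem described above ("the rule is at the BOTTOM of the chain, so packets are rejected farther up") can be checked from a saved dump rather than by guesswork. The chain contents are constructed to resemble what the poster describes (libvirt's ACCEPT rules for 192.168.4.0/24 on virbr2 followed by its catch-all REJECTs, then firewalld's FORWARD_direct jump); their exact order relative to each other on a real host, and the packet used, are assumptions of the sample. Match extensions such as ctstate are not evaluated.

```python
"""Walk an `iptables -vnL` dump and report which rule a packet hits first.

The chain contents below are constructed for this example; they are not
output captured from the poster's host.
"""
import ipaddress
import re

# Targets that end evaluation of the packet. "Dropped farther up the chain"
# means one of these matched before the intended ACCEPT was reached.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables_vnl(text):
    """Parse `iptables -vnL` output into {chain_name: [rule, ...]}.

    Each rule keeps target, in/out interface and source/destination
    network. Match extensions in the trailing columns (ctstate, ports, ...)
    are recorded but not evaluated; negated ("!") fields are not handled.
    """
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts"):
            continue  # column header line
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination [extra]
        chains[current].append({
            "target": cols[2],
            "in": cols[5],
            "out": cols[6],
            "src": ipaddress.ip_network(cols[7]),
            "dst": ipaddress.ip_network(cols[8]),
            "extra": " ".join(cols[9:]),
        })
    return chains


def _iface_match(rule_iface, pkt_iface):
    return rule_iface == "*" or rule_iface == pkt_iface


def first_hit(chains, chain, pkt, depth=0):
    """Return (chain, index, target) of the first terminal rule matching pkt.

    Jumps into user-defined chains (e.g. FORWARD_direct) are followed; if a
    sub-chain has no match, evaluation continues in the caller, as iptables
    does. None means the packet fell through to the chain policy.
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for idx, rule in enumerate(chains.get(chain, [])):
        if not (_iface_match(rule["in"], pkt["in"]) and _iface_match(rule["out"], pkt["out"])):
            continue
        if src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["target"] in TERMINAL:
            return (chain, idx, rule["target"])
        if rule["target"] in chains and depth < 16:
            hit = first_hit(chains, rule["target"], pkt, depth + 1)
            if hit:
                return hit
    return None


# Constructed FORWARD chain in the shape the poster describes.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            192.168.4.0/24
    0     0 ACCEPT     all  --  virbr2 *       192.168.4.0/24       0.0.0.0/0
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# The rule the poster added: "-d 192.168.8.0/24 -o virbr2 -j ACCEPT".
NEW_RULE = {"target": "ACCEPT", "in": "*", "out": "virbr2",
            "src": ipaddress.ip_network("0.0.0.0/0"),
            "dst": ipaddress.ip_network("192.168.8.0/24"), "extra": ""}


def outcome_with_rule_at(position):
    """Insert NEW_RULE into FORWARD at `position` (None = append at the
    bottom, as the GUI did) and return the first hit for a packet being
    forwarded from the LAN to a host in 192.168.8.0/24 behind virbr2."""
    chains = parse_iptables_vnl(SAMPLE)
    rules = chains["FORWARD"]
    rules.insert(len(rules) if position is None else position, NEW_RULE)
    pkt = {"src": "10.0.0.5", "dst": "192.168.8.10", "in": "eth0", "out": "virbr2"}
    return first_hit(chains, "FORWARD", pkt)


if __name__ == "__main__":
    print("rule appended at bottom:", outcome_with_rule_at(None))  # REJECT wins
    print("rule inserted at top:   ", outcome_with_rule_at(0))     # ACCEPT wins
```

Run it against a real dump by replacing SAMPLE with the output of `iptables -vnL` (all chains, so jumps can be followed) and the packet with the flow that is failing; the returned tuple names the chain and rule index that is actually deciding the packet's fate.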