On Sun, Jul 19, 2020 at 11:24:56AM +0200, Andrea Pasquinucci wrote:
> Hi,
> I am learning how to use firewalld with nft on fedora 32.
> I have 2 simple questions:
> 1. is it possible to show counters of packets/bytes for
> tables/chains/rules as it was for iptables?
> I did not find anything about this in firewalld.
No. By default nft doesn't use counters - this is for performance. There
is an RFE out there for firewalld to allow counters. However, nft offers
proper tracing. See "monitor" in the nft man page.
> 2. I am confused by the use of jump and goto in the rules
> created by firewalld: for example in the rules below (generated
> by firewalld on one of my PCs) in the chain filter_INPUT_ZONES
> there are 'goto' whereas in the other chains there are 'jump',
To understand the difference between "goto" and "jump" see the nft man
page. They have the same meaning as "-g" and "-j" in iptables.
> so what happens to a ct-new packet with 'iifname "eno1"' and not
> 'tcp dport 22'?
> Does it end up at 'policy accept' or at 'reject with icmpx type
> admin-prohibited', or where?
"reject with icmpx type admin-prohibited"
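To make the goto/jump answer concrete, here is a toy model of how nft walks through chains; it is an added example, not code from this thread or from firewalld, and its ruleset is a constructed, heavily simplified stand-in for what firewalld generates. The trace shows that with goto the zone chain is never re-entered via the default-zone rule, while rewriting the gotos as jumps makes the same packet traverse filter_IN_public twice before reaching the reject in filter_INPUT.

```python
# Toy model of nft chain traversal (added example; not the thread's ruleset, not
# firewalld code). The rules are a constructed, simplified stand-in for what
# firewalld generates; real chains carry more rules.

def iif(name):  return lambda p: p["iif"] == name
def always(p):  return True

# rule = (match, verdict); verdict is a string or ("jump"|"goto", chain)
RULES = {
    "filter_INPUT": [                               # base chain, policy accept
        (lambda p: p["ct"] == "established", "accept"),
        (always, ("jump", "filter_INPUT_ZONES")),
        (always, "reject with icmpx type admin-prohibited"),
    ],
    "filter_INPUT_ZONES": [
        (iif("eno1"), ("goto", "filter_IN_public")),
        (always, ("goto", "filter_IN_public")),     # default zone
    ],
    "filter_IN_public": [(always, ("jump", "filter_IN_public_allow"))],
    "filter_IN_public_allow": [(lambda p: p.get("dport") == 22 and p["ct"] == "new", "accept")],
}

def evaluate(pkt, rules=RULES, base="filter_INPUT", policy="accept"):
    """Return (verdict, chains_entered). jump saves the caller's next rule on a
    stack; goto does not, so when a goto'd chain runs out, evaluation resumes in
    the chain that called the chain containing the goto (as with iptables -g)."""
    stack, trace, chain, idx = [], [base], base, 0
    while True:
        if idx == len(rules[chain]):                # end of chain
            if not stack:
                return policy, trace                # fell off the base chain
            chain, idx = stack.pop()
            continue
        match, verdict = rules[chain][idx]
        idx += 1
        if not match(pkt):
            continue
        if not isinstance(verdict, tuple):
            return verdict, trace
        kind, target = verdict
        if kind == "jump":
            stack.append((chain, idx))
        chain, idx = target, 0
        trace.append(target)

def gotos_as_jumps(rules=RULES):
    """Same ruleset with every goto turned into a jump, for comparison."""
    return {c: [(m, ("jump", v[1]) if isinstance(v, tuple) else v)
                for m, v in rs] for c, rs in rules.items()}
```

A ct-new packet on eno1 to a port other than 22 returns from filter_IN_public straight to filter_INPUT and hits the reject rule; only established traffic or port 22 is accepted.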