On 01/22/2014 03:19 PM, poma wrote:
> Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains) that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly into the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance in how firewalld creates & uses the different custom chains. Let's keep it organized & manageable, I think.
BTW, I know I'm not supposed to be looking under the hood (using iptables -L) while using firewalld, but hey, I'm curious :)
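As an added example (not part of this thread), a small audit check for the point made above: given `iptables -S` output, list the rules that were appended straight into the built-in INPUT/FORWARD/OUTPUT chains instead of being placed in a _direct or custom chain. The rule listing is constructed, and treating a bare `-A <chain> -j <custom chain>` as a firewalld dispatch jump is my assumption about how firewalld wires its chains.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not captured from a real host):
# firewalld's dispatch jumps plus two rules a third party appended straight
# into the built-in chains, and one rule correctly placed in INPUT_direct.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N INPUT_direct
-N FORWARD_direct
-N INPUT_ZONES
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A INPUT_direct -i virbr0 -p udp -m udp --dport 67 -j ACCEPT'

# Read `iptables -S` style output on stdin and print every rule appended to a
# built-in chain that is not a plain "-A <chain> -j <custom chain>" dispatch
# (assumption: that is the only shape firewalld itself puts in INPUT/FORWARD/
# OUTPUT). Rules with their own match criteria, or a terminal target, are
# reported as strays that belong in a _direct or custom chain instead.
find_stray_rules() {
    awk '
        $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD" || $2 == "OUTPUT") {
            # A pure dispatch rule has exactly four fields: -A CHAIN -j TARGET
            if (NF == 4 && $3 == "-j" && $4 !~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                next
            print
        }'
}

# Number of stray rules, so the check can serve as a pass/fail gate.
count_stray_rules() {
    find_stray_rules | wc -l | tr -d ' '
}

# Usage on the constructed sample; on a real host: iptables -S | find_stray_rules
printf '%s\n' "$SAMPLE_RULES" | find_stray_rules
```

The output lists only the two rules sitting directly in INPUT and FORWARD; the rule in INPUT_direct is not reported.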