Re: Managing iptables, firewalld and nftables in a way that they don't interfere with each other

Thanks for the clarification, Eric. I created a new RHEL 8 VM and installed firewalld into it. I can see now that a command like: # nft list ruleset will print out *a lot* of tables and chains, most of which are empty, without the nftables service being started. I also noted that, of all the tables listed, the three tables: table ip firewalld table ip6 firewalld table inet firewalld are the tables used by firewalld to store its rules, IIUC. I can also see that within those tables, there are chains corresponding to the active zones in the firewalld configuration which have overloaded names so that tables, chains and zones can all be represented together in the nftables configuration: e.g. for the table of type inet (i.e. ipv4 + ipv6): chain filter_INPUT { // rules for the filter table and the INPUT chain (in iptables lingo) chain filter_INPUT_ZONES_SOURCE // associate sources with zones here chain filter_INPUT_ZONES { // associate interfaces with zones here iifname "eth0" goto filter_IN_public iifname "eth1" goto filter_IN_home } chain filter_IN_public { // rules for the filter table, INPUT chain and "public" zone } chain filter_IN_home { // rules for the filter table, INPUT chain and "home" zone } ... } It takes a bit of time to get used to reading these nftables configurations, and understanding the firewalld organization, but i'm starting to get the hang of it.