Thanks for the clarification, Eric.
I created a new RHEL 8 VM and installed firewalld into it.
I can see now that a command like:
# nft list ruleset
will print out *a lot* of tables and chains, most of which are empty, without the nftables
service being started.
I also noted that, of all the tables listed, the three tables:
table ip firewalld
table ip6 firewalld
table inet firewalld
are the tables used by firewalld to store its rules, IIUC.
I can also see that within those tables, there are chains corresponding to the active
zones in the firewalld configuration which have overloaded names so that tables, chains
and zones can all be represented together in the nftables configuration: e.g. for the
table of type inet (i.e. ipv4 + ipv6):
table inet firewalld {
  chain filter_INPUT {
    # rules for the filter table and the INPUT chain (in iptables lingo)
  }
  chain filter_INPUT_ZONES_SOURCE {
    # associate sources with zones here
  }
  chain filter_INPUT_ZONES {
    # associate interfaces with zones here
    iifname "eth0" goto filter_IN_public
    iifname "eth1" goto filter_IN_home
  }
  chain filter_IN_public {
    # rules for the filter table, INPUT chain and "public" zone
  }
  chain filter_IN_home {
    # rules for the filter table, INPUT chain and "home" zone
  }
  ...
}
It takes a bit of time to get used to reading these nftables configurations, and
understanding the firewalld organization, but I'm starting to get the hang of it.
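The chain layout described in the message above, as an added example that is not part of the original thread and not firewalld's own code: a small Python parser over a constructed `nft list ruleset` excerpt of the `inet firewalld` table. It recovers the source-to-zone and interface-to-zone dispatch from the `filter_INPUT_ZONES_SOURCE` and `filter_INPUT_ZONES` chains and flattens the `jump`/`goto` walk into the order of rules a packet actually meets, which is the part that is hard to read by eye. The ruleset text, interface names, addresses and ports are invented for the example; only the chain naming scheme follows what firewalld generates.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed `nft list ruleset` excerpt shaped like the
# firewalld-managed "inet firewalld" table. Interfaces, addresses and ports
# are invented for this example.
SAMPLE_RULESET = """\
table inet firewalld {
	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state established,related accept
		iifname "lo" accept
		jump filter_INPUT_ZONES_SOURCE
		jump filter_INPUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}
	chain filter_INPUT_ZONES_SOURCE {
		ip saddr 192.0.2.0/24 goto filter_IN_trusted
	}
	chain filter_INPUT_ZONES {
		iifname "eth0" goto filter_IN_public
		iifname "eth1" goto filter_IN_home
		goto filter_IN_public
	}
	chain filter_IN_public {
		jump filter_IN_public_allow
		meta l4proto { icmp, ipv6-icmp } accept
	}
	chain filter_IN_public_allow {
		tcp dport 22 ct state new,untracked accept
	}
	chain filter_IN_home {
		tcp dport 22 ct state new,untracked accept
		tcp dport 445 ct state new,untracked accept
		meta l4proto { icmp, ipv6-icmp } accept
	}
}
"""

CHAIN_RE = re.compile(r'^chain (\S+) \{$')
GOTO_RE = re.compile(r'^(.*?)\s*goto (\S+)$')   # optional selector, then the target chain
ZONE_PREFIX = "filter_IN_"                      # firewalld zone chains: filter_IN_<zone>


def parse_table(dump, table="table inet firewalld"):
    """Return {chain: [rule, ...]} for one table of an `nft list ruleset` dump."""
    chains, current, in_table = OrderedDict(), None, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_table:                     # skip other tables until ours opens
            in_table = line == table + " {"
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            if current is None:              # closing brace of the table itself
                break
            current = None
        elif current is not None and not line.startswith("type "):
            chains[current].append(line)     # "type ... hook ..." is the base-chain header, not a rule
    return chains


def zone_of_chain(chain):
    """filter_IN_public -> "public"; None for chains that are not zone chains."""
    return chain[len(ZONE_PREFIX):] if chain.startswith(ZONE_PREFIX) else None


def zone_dispatch(chains, dispatch_chain):
    """Selector expression -> zone for a *_ZONES / *_ZONES_SOURCE chain.
    The empty selector "" is the unconditional goto, i.e. the default zone."""
    mapping = OrderedDict()
    for rule in chains.get(dispatch_chain, []):
        m = GOTO_RE.match(rule)
        if m and zone_of_chain(m.group(2)):
            mapping[m.group(1)] = zone_of_chain(m.group(2))
    return mapping


def effective_rules(chains, chain, _path=()):
    """Flatten unconditional jump/goto into the order a packet traverses rules.
    "jump X" returns to the caller afterwards; "goto X" does not, so rules after a
    goto in the same chain are unreachable and are dropped. Conditional verdicts
    such as 'iifname "eth0" goto ...' are kept verbatim, since they depend on the packet."""
    if chain in _path:
        raise ValueError("chain loop: " + " -> ".join(_path + (chain,)))
    out = []
    for rule in chains.get(chain, []):
        parts = rule.split()
        if len(parts) == 2 and parts[0] in ("jump", "goto"):
            out.extend(effective_rules(chains, parts[1], _path + (chain,)))
            if parts[0] == "goto":
                break
        else:
            out.append(rule)
    return out


def zone_rules(chains, zone):
    """Rules a packet classified into `zone` is evaluated against."""
    return effective_rules(chains, ZONE_PREFIX + zone)
```

Running `parse_table` on the sample and then `zone_dispatch(chains, "filter_INPUT_ZONES")` gives `{'iifname "eth0"': 'public', 'iifname "eth1"': 'home', '': 'public'}`, with the source chain checked first because `filter_INPUT` jumps to `filter_INPUT_ZONES_SOURCE` before `filter_INPUT_ZONES`. Flattening `filter_INPUT` also makes visible why a packet no zone accepts ends up at the trailing `reject`: the zone chains are entered with `goto`, so when they fall through without a verdict control returns to `filter_INPUT` right after the `jump filter_INPUT_ZONES`. On a live host, replace the constructed string with the output of `nft list table inet firewalld`.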