On 01/23/2014 12:05 AM, Jorge Fábregas wrote:
> On 01/22/2014 03:19 PM, poma wrote:
>> Say whaaat? :)
>>
>> https://fedoraproject.org/wiki/FirewallD#The_Daemon
>> "With the so called direct interface other services (like for example
>> libvirt) are able to add own rules using iptables arguments and parameters."
> Hi poma,
> Yes, I know they use the direct interface. What I meant was (now that I
> know the purpose of the _direct chains), that they should place their
> rules in the INPUT_direct & FORWARD_direct chains instead of throwing
> them directly in the built-in chains. Better yet, use custom chains
> like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance
> in how firewalld creates & uses the different custom chains. Let's keep
> it organized & manageable, I think.
libvirt is using passthrough rules at the moment. These are not added to
the _direct chains.
But yes, it would be good to have special chains for libvirt to be able
to have some separation and to be able to identify easily where it
comes from.
> BTW, I know I'm not supposed to be looking under the hood (using
> iptables -L) while using firewalld, but hey, I'm curious :)
You can look at the rule set, sure. The use of "iptables -L" is safe and
you can use it without problems. But adding, editing or removing rules
is not a good idea while firewalld is active.
BTW: I suggest using the "iptables-save" command. It shows the rules
for all tables, and in the iptables format as well. For IPv6 use
"ip6tables-save".
/tw
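As an added illustration of the two points made above (inspect the rule set with "iptables-save" rather than editing it, and keep third-party rules in the _direct or custom chains instead of the built-in chains), here is a small POSIX shell script that is not part of this thread or of firewalld. It parses an iptables-save dump and reports, per built-in chain, the rules that are not delegated to a user-defined chain, plus everything currently sitting in the _direct chains. The dump below is constructed for the demo: it mimics a firewalld host where libvirt-style rules were placed directly in FORWARD (the "passthrough" case) next to one rule that was properly added to FORWARD_direct. The chain names and addresses in the sample are assumptions, not taken from any real host.

```shell
#!/bin/sh
# Constructed sample of "iptables-save" output (filter table only).
# Replace with: iptables-save   (or ip6tables-save for IPv6) on a real host.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:FORWARD_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD_direct -p tcp --dport 8080 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
COMMIT'

# undelegated_rules CHAIN < dump
# Prints rules of CHAIN whose target is not a user-defined chain, i.e. rules
# that were written directly into a built-in chain instead of being delegated
# to a sub-chain such as INPUT_direct. User-defined chains are recognised by
# their ":NAME - [...]" declaration line (policy "-") in the dump.
undelegated_rules() {
    awk -v chain="$1" '
        /^:/ { name = substr($1, 2); if ($2 == "-") user[name] = 1 }
        $1 == "-A" && $2 == chain {
            target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (!(target in user)) print
        }'
}

# direct_rules < dump
# Prints every rule that lives in one of firewalld's *_direct chains.
direct_rules() {
    awk '$1 == "-A" && $2 ~ /_direct$/'
}

# count_lines < text   (portable alternative to "wc -l" with padded output)
count_lines() {
    awk 'END { print NR }'
}

# Demo run over the constructed dump.
for chain in INPUT FORWARD OUTPUT; do
    echo "== rules written directly into $chain =="
    printf '%s\n' "$SAMPLE_DUMP" | undelegated_rules "$chain"
done
echo "== rules in *_direct chains =="
printf '%s\n' "$SAMPLE_DUMP" | direct_rules
```

On a real host, pipe `iptables-save` (and `ip6tables-save`) into the two functions instead of the sample. firewalld's own base rules (the conntrack ACCEPT, the lo ACCEPT and the final REJECT in INPUT) also show up as undelegated, so the output is a list to review rather than a list of problems; the useful signal is rules in FORWARD or INPUT that reference bridges or guest networks and were not added through a _direct chain.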