On 01/23/2014 12:05 AM, Jorge Fábregas wrote:
> On 01/22/2014 03:19 PM, poma wrote:
>> Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
>
> Hi poma,
>
> Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains) that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly into the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance in how firewalld creates & uses the different custom chains. Let's keep it organized & manageable, I think.

libvirt is using passthrough rules at the moment. These are not added to the _direct chains.

But yes, it would be good to have special chains for libvirt to be able to have some separation and to be able to identify easily where it comes from.

> BTW, I know I'm not supposed to be looking under the hood (using iptables -L) while using firewalld, but hey, I'm curious :)

You can look at the rule set, sure. The use of "iptables -L" is safe and you can use it without problems. But adding, editing or removing rules is not a good idea while firewalld is active.

BTW: I suggest using the "iptables-save" command. It shows rules for all tables, and additionally in the iptables format. For IPv6 use "ip6tables-save".
/tw
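A small added check for the point raised in this thread, not code from the thread or from firewalld: it parses "iptables-save" output and lists the rules that sit directly in a built-in chain instead of being dispatched through a user-defined chain such as INPUT_direct or FORWARD_direct. The sample ruleset is constructed (libvirt-style passthrough rules on virbr0 beside firewalld's dispatch jumps), and firewalld's own terminal rules in INPUT will show up too, so treat the output as a review aid.

```python
import re
from collections import defaultdict

# Constructed sample of "iptables-save" output (not captured from a real host).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:INPUT_direct - [0:0]
:FORWARD_direct - [0:0]
-A INPUT -j INPUT_direct
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -j FORWARD_direct
COMMIT
"""

BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"}}

def parse_save(text):
    """Return {table: (user_chains, [(chain, rule_text), ...])} from iptables-save text."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # "*filter" starts a table block
            table = line[1:]
            tables[table] = (set(), [])
        elif line.startswith(":") and table:     # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            if policy == "-":                    # "-" marks a user-defined chain
                tables[table][0].add(name)
        elif line.startswith("-A ") and table:   # "-A CHAIN <rule spec>"
            chain, rule = line[3:].split(" ", 1)
            tables[table][1].append((chain, rule))
    return tables

def direct_rules(text):
    """Rules in a built-in chain whose target is not a user-defined chain."""
    found = defaultdict(list)
    for table, (user_chains, rules) in parse_save(text).items():
        for chain, rule in rules:
            if chain not in BUILTIN.get(table, set()):
                continue
            m = re.search(r"-j (\S+)", rule)
            if not m or m.group(1) not in user_chains:
                found[chain].append(rule)
    return dict(found)
```

Run it against real output with `direct_rules(open("rules.txt").read())` after saving `iptables-save > rules.txt`; the same parser works for `ip6tables-save`.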