Hi,
I am learning how to use firewalld with nft on fedora 32.
I have 2 simple questions:
1. Is it possible to show packet/byte counters for
tables/chains/rules, as was possible with iptables?
I did not find anything about this in firewalld.
2. I am confused by the use of jump and goto in the rules
created by firewalld. For example, in the rules below (generated
by firewalld on one of my PCs), the chain filter_INPUT_ZONES
uses 'goto' whereas the other chains use 'jump'.
So what happens to a ct-new packet with 'iifname "eno1"' that is
not to 'tcp dport 22'?
Does it end up at 'policy accept', at 'reject with icmpx type
admin-prohibited', or somewhere else?
Thanks!
chain filter_INPUT {
    type filter hook input priority filter + 10; policy accept;
    ct state { established, related } accept
    ct status dnat accept
    iifname "lo" accept
    jump filter_INPUT_ZONES
    ct state { invalid } drop
    reject with icmpx type admin-prohibited
}
chain filter_INPUT_ZONES {
    iifname "eno1" goto filter_IN_FedoraWorkstation
    iifname "virbr0" goto filter_IN_libvirt
    goto filter_IN_FedoraWorkstation
}
chain filter_IN_FedoraWorkstation {
    jump filter_IN_FedoraWorkstation_pre
    jump filter_IN_FedoraWorkstation_log
    jump filter_IN_FedoraWorkstation_deny
    jump filter_IN_FedoraWorkstation_allow
    jump filter_IN_FedoraWorkstation_post
    meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
    tcp dport 22 ct state { new, untracked } accept
}
chain filter_IN_FedoraWorkstation_post {
}
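As an added example (not part of the original post, nor firewalld's or nft's own code): a small Python model of how nft walks chains, where 'jump' remembers where to resume and 'goto' does not, with the quoted chains transcribed as predicates so the packet from question 2 can be traced; the filter_IN_libvirt chain is not shown in the post and is assumed empty here.

```python
ANY = lambda p: True
WS = "filter_IN_FedoraWorkstation"

# Chains transcribed from the firewalld-generated ruleset quoted in the post:
# each rule is (match predicate over a packet dict, verdict string).
CHAINS = {
    "filter_INPUT": [
        (lambda p: p["ct"] in ("established", "related"), "accept"),
        (lambda p: p.get("dnat", False), "accept"),
        (lambda p: p["iif"] == "lo", "accept"),
        (ANY, "jump filter_INPUT_ZONES"),
        (lambda p: p["ct"] == "invalid", "drop"),
        (ANY, "reject"),
    ],
    "filter_INPUT_ZONES": [
        (lambda p: p["iif"] == "eno1", f"goto {WS}"),
        (lambda p: p["iif"] == "virbr0", "goto filter_IN_libvirt"),
        (ANY, f"goto {WS}"),
    ],
    WS: [(ANY, f"jump {WS}_{s}") for s in ("pre", "log", "deny", "allow", "post")]
        + [(lambda p: p["proto"] in ("icmp", "ipv6-icmp"), "accept")],
    f"{WS}_allow": [(lambda p: p["proto"] == "tcp" and p.get("dport") == 22
                     and p["ct"] in ("new", "untracked"), "accept")],
    **{f"{WS}_{s}": [] for s in ("pre", "log", "deny", "post")},
    "filter_IN_libvirt": [],   # not quoted in the post; assumed empty here
}

def run_chain(name, pkt, trace):
    """Evaluate one chain. Returns a final verdict, or None when the chain
    ran to its end without one (an implicit 'return' to the jump caller)."""
    trace.append(name)
    for match, verdict in CHAINS[name]:
        if not match(pkt):
            continue
        op, _, target = verdict.partition(" ")
        if op == "jump":
            v = run_chain(target, pkt, trace)     # resume here if target returns
            if v is not None:
                return v
        elif op == "goto":
            return run_chain(target, pkt, trace)  # tail call: no way back here
        else:
            return op                             # accept / drop / reject
    return None

def evaluate(pkt, policy="accept"):
    """Verdict and visited-chain trace for a packet entering filter_INPUT."""
    trace = []
    verdict = run_chain("filter_INPUT", pkt, trace)
    return (verdict or policy), trace
```

For the ct-new TCP packet on eno1 not to port 22, the trace shows it running off the end of filter_IN_FedoraWorkstation, skipping filter_INPUT_ZONES (entered by goto) and resuming in filter_INPUT after the jump, where the final rule rejects it; the base chain's 'policy accept' is only reached when no rule at all gives a verdict.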