On 01/23/2014 01:05 AM, Jorge Fábregas wrote:
On 01/22/2014 03:19 PM, poma wrote:
Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains), that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly in the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc.
libvirt has been using iptables rules since long before the INPUT_direct or FORWARD_direct chains existed (or the idea of firewalld had even occurred), and there is a certain amount of momentum in code that continues to work. (Actually, libvirt was one of the projects that lamented early on about the free-for-all in netfilter rule management, and the need for a central authority, which eventually led to firewalld.)
I agree that it would be a nice thing to do, though. And actually there is a bug that has been open since, well, forever on libvirt that could likely be fixed by putting libvirt's rules into not one custom chain, but multiple custom chains.
One difficulty is that each time libvirtd is started, it deletes all of its iptables rules and re-inserts them; it does this by using its network config to reconstruct the rules that it thinks are already in the kernel and making iptables commands (or firewalld commands) to delete those rules. Once the change is made to put the rules in custom chains, a newly started libvirtd won't know if the previous run was an older version that put the rules on the built-in chains, or a newer version that put the rules in custom chains; I suppose that could be overcome either with a release note, or by attempting to delete rules in both locations, at least for several releases.
You see, there's an elegance in how firewalld creates & uses the different custom chains. Let's keep it organized & manageable, I think.
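A sketch of the custom-chain approach discussed in this thread, added here as an example (it is not libvirt's or firewalld's code): libvirt's INPUT rules go into a custom chain reached from INPUT_direct, and each start also attempts to delete the same rules from the built-in INPUT chain, covering the "older version put them on the built-in chains" case. It assumes the default bridge name virbr0, IPv4 only, and a constructed sample of the DNS/DHCP accept rules.

```shell
#!/bin/sh
# Added example, not libvirt's or firewalld's code. Keeps libvirt's INPUT
# rules in a custom chain hung off INPUT_direct and, on every (re)start,
# also tries to delete the same rules from the built-in INPUT chain in case
# an older libvirtd put them there. DRY_RUN=1 prints commands instead.
BRIDGE="${BRIDGE:-virbr0}"   # assumption: libvirt's default network bridge
CHAIN="INPUT_libvirt"        # custom chain name proposed in the thread

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Constructed sample of the DNS/DHCP accepts libvirt wants on the bridge.
libvirt_input_rules() {
    printf '%s\n' \
        "-i $BRIDGE -p udp --dport 53 -j ACCEPT" \
        "-i $BRIDGE -p tcp --dport 53 -j ACCEPT" \
        "-i $BRIDGE -p udp --dport 67 -j ACCEPT" \
        "-i $BRIDGE -p tcp --dport 67 -j ACCEPT"
}

# Remove rules a pre-custom-chain libvirtd inserted straight into INPUT.
# 'iptables -D' fails when the rule is absent; ignore that so repeated
# starts stay idempotent.
remove_legacy_rules() {
    libvirt_input_rules | while read -r rule; do
        # shellcheck disable=SC2086  # rule is meant to word-split
        run iptables -D INPUT $rule 2>/dev/null || true
    done
}

# Create the chain, jump to it from INPUT_direct, flush whatever an earlier
# run left in it, then add the current rule set with increasing priority.
install_custom_chain() {
    run firewall-cmd --direct --add-chain ipv4 filter "$CHAIN"
    run firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j "$CHAIN"
    run firewall-cmd --direct --remove-rules ipv4 filter "$CHAIN"
    prio=0
    libvirt_input_rules | while read -r rule; do
        # shellcheck disable=SC2086
        run firewall-cmd --direct --add-rule ipv4 filter "$CHAIN" "$prio" $rule
        prio=$((prio + 1))
    done
}

# Run both steps only when invoked as "sh script.sh apply".
if [ "${1:-}" = apply ]; then
    remove_legacy_rules && install_custom_chain
fi
```

Run it with `DRY_RUN=1 sh script.sh apply` first to see the exact firewall-cmd and iptables commands it would issue; the direct rules are runtime-only, which matches libvirt rebuilding its rules on each start.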