On Wed, Jun 05, 2019 at 07:33:41PM -0000, Frank Ansari wrote:
> I was trying to allow my docker container to pass DNS requests
> through my host. As backend I use nftables.
> I have put this into /etc/firewalld/firewalld.conf:
> FirewallBackend=nftables
> Trying to add a direct rule via command line gave an error message from iptables.
> Why is iptables here?
> Or is --direct no longer usable with nftables?
It is usable. The direct rules are still added to iptables.
> firewall-cmd --direct --add-rule ipv4 filter filter_FWDI_FedoraWorkstation_allow 0 -p tcp --dport 53 -j ACCEPT
> Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed:
> iptables-restore: line 2 failed
filter_FWDI_FedoraWorkstation_allow is not a valid chain in iptables. It
is an nftables chain, because you're using the nftables backend.
iptables and nftables do not share chains.
> In the past I could put a file /etc/firewalld/direct.xml like this:
> <?xml version="1.0" encoding="utf-8"?>
> <direct>
>   <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv6" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
>   <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
> </direct>
FWIW, adding direct rules to the internal firewalld zone chains has
never really been supported. Instead you should use the "FORWARD" or
"FORWARD_direct" chains (they're equivalent).
> when I needed forwarding.
> But now when I do this I cannot see anything in "nft list ruleset" but
> I see it in "iptables -L -n -v" instead.
Maybe reading this post will help you understand why:
https://firewalld.org/2018/07/nftables-backend
> What is the correct way to configure forward chains in firewalld
> with nftables backend?
Since firewalld doesn't natively support forward filtering you do indeed
have to use direct rules. You can do the following:
- add the docker interface to the trusted zone
but that will allow _all_ traffic, so you can also do this
- add a direct rule to allow port 53 as you do above
  e.g. firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp --dport 53 -j ACCEPT
- add a catch-all direct rule to block the rest of the traffic
e.g. firewall-cmd --direct --add-rule ipv4 filter FORWARD 9999 -j DROP
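The two pitfalls in this reply (direct rules aimed at an internal zone chain, and allow rules with no catch-all behind them) can be checked mechanically before reloading. The following is an added example, not code from this thread or from firewalld itself: it parses a direct.xml, flags rules whose chain name contains FWDI_/FWDO_ (a name heuristic, assumed), and checks that each address family's FORWARD allow rules are followed by a later catch-all DROP/REJECT, assuming firewalld's direct priority ordering (0 is evaluated first, larger numbers later).

```python
import xml.etree.ElementTree as ET

# Chains the reply names for direct forward filtering; FWDI_/FWDO_ chains are firewalld's internal zone chains.
FORWARD_CHAINS = {"FORWARD", "FORWARD_direct"}

def parse_direct_xml(xml_text):
    """Parse the content of /etc/firewalld/direct.xml into a list of rule dicts."""
    root = ET.fromstring(xml_text)
    if root.tag != "direct":
        raise ValueError("root element must be <direct>")
    return [{"ipv": r.get("ipv"), "table": r.get("table"), "chain": r.get("chain"),
             "priority": int(r.get("priority", "0")), "args": (r.text or "").split()}
            for r in root.findall("rule")]

def is_catch_all(rule):
    """A rule with no match options at all, e.g. '-j DROP' or '-j REJECT'."""
    return rule["args"][:2] in (["-j", "DROP"], ["-j", "REJECT"])

def lint_direct_rules(rules):
    """Report the two pitfalls from the thread: zone chains and a missing/misplaced catch-all."""
    findings = []
    for r in rules:
        # Assumption: a chain name containing FWDI_/FWDO_ is a zone chain (name heuristic only).
        if r["chain"] not in FORWARD_CHAINS and ("FWDI_" in r["chain"] or "FWDO_" in r["chain"]):
            findings.append(f"{r['ipv']}: {r['chain']} is an internal zone chain; use FORWARD (or FORWARD_direct) instead")
    for ipv in sorted({r["ipv"] for r in rules}):
        fwd = [r for r in rules if r["ipv"] == ipv and r["chain"] in FORWARD_CHAINS]
        accepts = [r for r in fwd if r["args"][-2:] == ["-j", "ACCEPT"]]
        drops = [r for r in fwd if is_catch_all(r)]
        if accepts and not drops:
            findings.append(f"{ipv}: FORWARD allow rules but no catch-all DROP/REJECT, so other forwarded traffic still passes")
        # firewalld direct priorities: 0 is the top of the chain, larger numbers are evaluated later.
        elif accepts and min(d["priority"] for d in drops) <= max(a["priority"] for a in accepts):
            findings.append(f"{ipv}: catch-all priority must be larger than the allow rules' priority or it shadows them")
    return findings

# Constructed sample: the layout from the original post, targeting a zone chain.
ZONE_CHAIN_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FWDI_FedoraWorkstation" priority="0">-p udp --dport 53 -j ACCEPT</rule>
</direct>"""

# Constructed sample: the layout the reply recommends (FORWARD chain plus a late catch-all DROP).
FORWARD_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-p tcp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="9999">-j DROP</rule>
</direct>"""
```

Run `lint_direct_rules(parse_direct_xml(open("/etc/firewalld/direct.xml").read()))` on a real file; an empty list means neither pitfall was found.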