On Monday, March 1, 2021 11:30:03 AM CST Eric Garver wrote:
> On Mon, Mar 01, 2021 at 10:48:03AM -0600, Anthony Joseph Messina wrote:
> On Monday, March 1, 2021 8:19:30 AM CST Eric Garver wrote:
> > On Sat, Feb 27, 2021 at 11:16:04AM -0600, Anthony Joseph Messina wrote:
> > > I see in upcoming versions, firewalld.policy is to replace the
> > > functionality of iptables and firewalld.direct.
> >
> > For 90% of use cases I think they can replace direct rules.
>
> Ok thank you. So direct rule functionality will continue to be available,
> with recommendations to use policies where appropriate?
> direct rules are deprecated as of the un-released v1.0.0, but they'll
> still be around for a long time (years). They'll eventually be dropped,
> presumably in v2.0.0.
>
> Since policy objects are available I'm hoping projects start using them
> to have full integration instead of using iptables and partial firewalld
> integration.
I think in cases like this one, where the project implements an out-of-tree
kernel module that creates a custom RTPENGINE iptables target and uses
iptables rules to route traffic into and out of the module, there currently
isn't a way to use firewalld directly.

I've put up a simple issue
https://github.com/sipwise/rtpengine/issues/984 but
externally others have been talking about eBPF, rather than nftables.

Either way, I'm glad to hear firewalld.direct won't be leaving quite yet.

Thank you for your quick responses!