On Wed, May 06, 2020 at 02:48:00PM -0000, Andrey Grigoryev wrote:
> Hello.
> When I used CentOS 7 with firewalld, I used this rule to allow multicast:
> firewall-cmd -q --permanent --direct --add-rule ipv4 filter INPUT 1 -m pkttype --pkt-type multicast -j ACCEPT
> But in CentOS 8 firewalld uses nftables as backend and this rule doesn't work.
> I tried to create nftables rule to allow multicast:
> nft add table inet mytable
> nft add chain inet mytable INPUT {type filter hook input priority 5\; policy accept\;}
> nft add rule inet mytable INPUT pkttype multicast counter accept
This will lead to the same symptoms as iptables. This nftables snippet
and iptables are a _hook_ in netfilter (kernel). For a packet to be
accepted by the system it needs to be accepted by _all_ hooks. Including
the firewalld nftables hooks.
iptables + firewalld (nftables) looks like:
hookA --> hookB
nftables (higher precedence) + firewalld (nftables) looks like:
hookC --> hookB
If you examine firewalld rules you'll note that it uses priority values
that are base + 10. This is to make sure firewalld rules occur _after_
the user's custom rules (iptables and often nftables).
> But it doesn't work either, because the firewalld rules, which run
> after my table, reject these packets:
Right.
> chain filter_INPUT {
> type filter hook input priority 10; policy accept;
> ct state established,related accept
> ct status dnat accept
> iifname "lo" accept
> jump filter_INPUT_ZONES_SOURCE
> jump filter_INPUT_ZONES
> ct state invalid drop
> reject with icmpx type admin-prohibited <---- this rule rejects my packets
> }
> How can I add a permanent rule for multicast traffic via firewall-cmd or via nftables?
You have a few options:
1) add a rich rule to accept the multicast traffic by destination
address.
e.g.
# firewall-cmd --add-rich-rule='rule family=ipv4 destination address="224.0.0.0/16" accept'
2) inject nftables rules in firewalld's ruleset.
- you'll have to do this out-of-band of firewalld. There is no
--direct support for nftables
3) add the relevant interface to the "trusted" zone
- but then you won't have any filtering
firewalld currently doesn't have a way to match pkttype. It'd be a good
candidate to add to rich rules. Feel free to file an RFE upstream.
Hope that helps.
Eric.
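Added example (not part of the thread, and not firewalld's own tooling) illustrating the hook-ordering point above: it parses the text of `nft list ruleset` and lists every base chain attached to the input hook in priority order, with the verdict a packet meets if nothing earlier in that chain accepts it. The ruleset text is constructed to mimic the thread (a user table at priority 5, a trimmed firewalld table at priority 10); on a real host, pipe `nft list ruleset` into `input_hook_chains` instead.

```shell
#!/usr/bin/env bash
# Added example: show why an accept in a low-priority user chain does not survive a
# later hook's reject. Each base chain on the input hook sees the packet in priority
# order, and the packet must be accepted by all of them.

# Constructed sample (real `nft list ruleset` output uses tabs; both are accepted).
SAMPLE_RULESET='table inet mytable {
    chain INPUT {
        type filter hook input priority 5; policy accept;
        pkttype multicast counter accept
    }
}
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        jump filter_IN_public
    }
}'

# Reads a ruleset on stdin; prints "<priority> <family> <table> <chain> <final verdict>".
# "final verdict" is the last unconditional reject/drop rule, else "policy-<policy>".
# Symbolic priorities such as "filter + 10" are resolved assuming base filter = 0.
input_hook_chains() {
  awk '
    /^table /             { table = $2 " " $3; next }
    /^[[:space:]]*chain / { chain = $2; hooked = 0; last = ""; next }
    /hook input priority/ {
      hooked = 1
      for (i = 1; i <= NF; i++) {
        if ($i == "priority") {
          prio = $(i + 1); sub(/;/, "", prio)
          if (prio == "filter") prio = ($(i + 2) == "+") ? 0 + $(i + 3) : ($(i + 2) == "-") ? 0 - $(i + 3) : 0
        }
        if ($i == "policy") { policy = $(i + 1); sub(/;/, "", policy) }
      }
      next
    }
    /^[[:space:]]*}/      { if (hooked) print prio, table, chain, (last != "" ? last : "policy-" policy); hooked = 0; next }
    hooked                { last = ($1 == "reject" || $1 == "drop") ? $1 : "" }
  ' | sort -n
}

printf '%s\n' "$SAMPLE_RULESET" | input_hook_chains
```

The two output lines show the user chain ending in `policy-accept` at priority 5 and firewalld's `filter_INPUT` ending in `reject` at priority 10, which is the ordering Eric describes.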