Thread: firewall-cmd rules permanent to nftables

  1. #1

    Default firewall-cmd rules permanent to nftables

    Hello,

    I added this rule:
    firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

    after
    firewall-cmd --runtime-to-permanent

    It works fine, until firewalld restart. Then I must add the rule again.

    How can I add the rule permanent?

    Thanks

  2. #2
    Join Date
    Sep 2012
    Posts
    8,212

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by Zsiraf View Post
    How can I add the rule permanent?
    Did you try to read the manual page?
    Code:
               If you want to make a change in runtime and permanent
               configuration, use the same call with and without the --permanent
               option.

  3. #3

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by arvidjaar View Post
    Did you try to read the manual page?
    Yes, I did and tried to follow that.

    Code:
    firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE --permanent
    Error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE --permanent' failed: iptables v1.8.7 (legacy): unknown option "--permanent"

  4. #4
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    24,422
    Blog Entries
    1

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by Zsiraf View Post
    Yes, I did and tried to follow that.

    Code:
    firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE --permanent
    Error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE --permanent' failed: iptables v1.8.7 (legacy): unknown option "--permanent"
    Do this...
    Code:
    sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


    openSUSE Leap 15.4; KDE Plasma 5

  5. #5
    Join Date
    Sep 2012
    Posts
    8,212

    Default Re: firewall-cmd rules permanent to nftables

    Or one can simply execute again "firewall-cmd --runtime-to-permanent" to save complete current configuration including newly added rules as permanent configuration.

  6. #6

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by deano_ferrari View Post
    Do this...
    Code:
    sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

    It works! I have no idea why I didn't try this method.

    Thank You so much!
    openSUSE Leap 15.3 / 5.3.18 / KDE SC 22.08 / LibreOffice 7.4.1

  7. #7

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by arvidjaar View Post
    Or one can simply execute again "firewall-cmd --runtime-to-permanent" to save complete current configuration including newly added rules as permanent configuration.
    Unfortunately it didn't work. The rules are lost after firewalld restart.

    Thanks for the help.
    openSUSE Leap 15.3 / 5.3.18 / KDE SC 22.08 / LibreOffice 7.4.1

  8. #8
    Join Date
    Sep 2012
    Posts
    8,212

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by Zsiraf View Post
    Unfortunately it didn't work. The rules lost after firewalld restart.
    Works as designed. As was pointed out to me, firewalld does not track rules added with the --passthrough option, and it is even documented:
    Code:
    --direct --passthrough { ipv4 | ipv6 | eb } args
    Pass a command through to the firewall. args can be all iptables, ip6tables and ebtables command line arguments. This command is untracked, which means that firewalld is not able to provide information about this command later on, also not a listing of the untracked passthroughs.
    To add rules to firewalld configuration that can be saved and restored one should use --add-passthrough, not --passthrough.
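    An added check, written for this thread and not taken from the posts or from firewalld itself: it parses a constructed copy of firewalld's permanent direct configuration to confirm that a passthrough really was saved, and lints the argument string for the mistake in post #3, where --permanent landed after the passthrough args and was handed to iptables. The direct.xml layout (`<passthrough ipv="...">` elements under `<direct>`, normally in /etc/firewalld/direct.xml) is assumed from memory; verify it against your own file before relying on it.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/direct.xml. The element layout is an
# assumption about what firewalld writes for --permanent --direct rules.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</passthrough>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 2222 -j ACCEPT</rule>
</direct>
"""

# firewall-cmd's own options; anything after the ipv token goes to iptables.
FIREWALL_CMD_OPTIONS = {"--permanent", "--runtime-to-permanent", "--reload"}


def parse_passthroughs(xml_text):
    """Return [(ipv, [arg, ...]), ...] for every persisted passthrough."""
    root = ET.fromstring(xml_text)
    return [(el.get("ipv"), shlex.split(el.text or ""))
            for el in root.findall("passthrough")]


def is_persisted(xml_text, ipv, args):
    """True if the exact passthrough (same ipv, same argv) is in the permanent config."""
    wanted = shlex.split(args)
    return any(v == ipv and a == wanted for v, a in parse_passthroughs(xml_text))


def lint_passthrough_args(args):
    """Flag misplaced firewall-cmd options (the post #3 error) and an
    unrestricted MASQUERADE rule. Returns a list of problem descriptions."""
    argv = shlex.split(args)
    problems = [f"{opt} would be passed to iptables; put it before --direct"
                for opt in argv if opt in FIREWALL_CMD_OPTIONS]
    if "MASQUERADE" in argv and "-s" not in argv:
        problems.append("MASQUERADE without -s: every packet leaving the interface is NATed")
    return problems


if __name__ == "__main__":
    rule = "-t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
    print("persisted:", is_persisted(SAMPLE_DIRECT_XML, "ipv4", rule))
    print("lint:", lint_passthrough_args(rule + " --permanent"))
```

Run it against the real file with `open("/etc/firewalld/direct.xml").read()` in place of the sample after adding the rule with `--permanent`; an empty lint list and `persisted: True` is the state the thread ends on.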

  9. #9

    Default Re: firewall-cmd rules permanent to nftables

    Quote Originally Posted by arvidjaar View Post
    Works as designed. As was pointed out to me, firewalld does not track rules added with the --passthrough option, and it is even documented:
    Code:
    --direct --passthrough { ipv4 | ipv6 | eb } args
    Pass a command through to the firewall. args can be all iptables, ip6tables and ebtables command line arguments. This command is untracked, which means that firewalld is not able to provide information about this command later on, also not a listing of the untracked passthroughs.
    To add rules to firewalld configuration that can be saved and restored one should use --add-passthrough, not --passthrough.
    I missed this section in the manual somehow.
    I've learned something new again today.

    Thanks a lot.
    openSUSE Leap 15.3 / 5.3.18 / KDE SC 22.08 / LibreOffice 7.4.1
