firewall-cmd --add-passthrough without effect

Dear openSUSE community,

this might be a bug in "--add-passthrough" (firewall-cmd version 0.9.3).

Fresh Tumbleweed DVD installation Snapshot20210302.

The following non-permanent direct pass-through rule works as expected:

firewall-cmd --direct --passthrough ipv4 -t filter -P OUTPUT DROP

Thus iptables-save now shows:

*filter
: OUTPUT DROP

Nevertheless, when using '--add-passthrough', nothing is set
and the policy change is ignored entirely:

firewall-cmd --permanent --direct --add-passthrough ipv4 -t filter -P OUTPUT DROP
firewall-cmd --reload

After this command the new passthrough rule has been stored:

firewall-cmd --permanent --direct --get-all-passthroughs

ipv4 -t filter -P OUTPUT DROP

Nevertheless when restarting firewalld (service firewalld restart),
the default iptables filter OUTPUT policy is still always ACCEPT:

*filter
: OUTPUT ACCEPT

Thus it seems that the --add-passthrough rule is just ignored.

Can you please tell me what I’m doing wrong?

Thank you very much.

PS: Yes, I am aware that a direct rule with target -j DROP basically has the same effect as setting the policy to -P DROP. Nevertheless, when re-loading the firewall rules fails (and yes, it can fail, i.e. due to a defective new rule), then the -j DROP rule is not in effect, but the policy still is. Thus only the policy makes sure that the firewall never lets packets slip.

If you looked in logs you would have seen

Mar 09 08:25:35 tw.0.2.15 firewalld[4601]: WARNING: INVALID_PASSTHROUGH: arg '-P' is not allowed

Can you please tell me what I’m doing wrong?

Nothing. Actually it looks more like a bug in firewall-cmd that allows to define (and apply at run-time) invalid rules. And of course it is missing documentation. Open issue on firewalld bug tracker.

P.S. your post is near to unreadable. Always use [noparse] ... [/noparse] tags around computer texts.

Thank you for pointing towards the logs. And thanks for the CODE advice.

It was/is quite confusing that

firewall-cmd --direct --passthrough ipv4 -t filter -P OUTPUT DROP

does work, but

firewall-cmd --permanent --direct --add-passthrough ipv4 -t filter -P OUTPUT DROP

does not work. Thus in any case this is not very consistent.

Is there any reliable method to set the equivalent of

iptables -t filter -P OUTPUT DROP

permanently (reliably) in firewalld?

Or (alternatively) is there another way to make sure that some line like

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

is reliably loaded even when other lines

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT .... failure ...

contain mistakes - and thus make reloading the rules

firewall-cmd --reload

in total to fail?

I just saw the unfortunate situation that the failure led to an empty
OUTPUT table and thus OUTPUT filtering failed entirely.

No. You can set the firewalld OUTPUT policy target to DROP, but this still configures a "last" rule in the set of chains firewalld creates; the netfilter policy remains ACCEPT. I am not sure I see the practical difference though.
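The thread turns on two checks a defender would want to automate: whether a passthrough argument list contains -P (which, per the INVALID_PASSTHROUGH log line quoted above, firewalld rejects), and whether, after a reload, the netfilter filter/OUTPUT chain is actually locked down, either by its policy or by a terminal -j DROP rule. The script below is an added example, not code from the thread or from the firewalld project; it parses constructed iptables-save dumps (SAMPLE_OK and SAMPLE_BROKEN are made up here, not captured from the poster's system) so it runs without root or a live firewall. The only passthrough argument it rejects is -P, because that is the only restriction the thread documents.

```shell
#!/bin/sh
# Constructed sample: a healthy dump with a terminal DROP rule in filter/OUTPUT.
SAMPLE_OK='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the state the poster describes after a failed reload,
# an empty filter/OUTPUT chain whose policy is still ACCEPT.
SAMPLE_BROKEN='*filter
:OUTPUT ACCEPT [0:0]
COMMIT'

# output_policy DUMP: print the policy of the filter/OUTPUT chain.
# Tracks the current "*table" header so the nat table's OUTPUT is ignored.
output_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":OUTPUT" { print $2; exit }'
}

# has_final_drop DUMP: succeed only if the last rule appended to filter/OUTPUT
# is an unconditional "-A OUTPUT -j DROP".
has_final_drop() {
    last=$(printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "OUTPUT" { last = $0 }
        END { print last }')
    [ "$last" = "-A OUTPUT -j DROP" ]
}

# passthrough_args_ok ARGS...: fail if the argument list contains -P,
# mirroring the "arg '-P' is not allowed" warning firewalld logs.
# (Only -P is checked; firewalld may reject other arguments not covered here.)
passthrough_args_ok() {
    for a in "$@"; do
        [ "$a" = "-P" ] && return 1
    done
    return 0
}

# egress_locked_down DUMP: succeed if outbound traffic is blocked by default,
# i.e. the chain policy is DROP or a terminal -j DROP rule is present.
egress_locked_down() {
    [ "$(output_policy "$1")" = "DROP" ] || has_final_drop "$1"
}

# Stand-alone run: on a real host replace the samples with "$(iptables-save)".
if egress_locked_down "$SAMPLE_OK"; then echo "sample OK: egress locked down"; fi
if ! egress_locked_down "$SAMPLE_BROKEN"; then echo "sample BROKEN: egress open"; fi
if ! passthrough_args_ok ipv4 -t filter -P OUTPUT DROP; then echo "-P rejected"; fi
```

On a live system the same functions can be fed `"$(iptables-save)"` right after `firewall-cmd --reload`, so a monitoring job notices the empty-chain state the poster ran into instead of assuming the reload succeeded.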