I have a hard time understanding how to add the correct direct rule.
First of all, the manual states that direct rules are deprecated and that I should use policies instead. But policies are applied after the `ct state invalid drop` rule. So I go for a direct rule anyway. The manual also says that with `FirewallBackend=nftables` direct rules were given a higher precedence than all other firewalld rules. That's fine. Then I have to choose the right value for ipv, table, chain and priority. Because I want an nftables rule to be made, I would like ipv="inet", table="firewalld", chain="filter_INPUT". But the manual says I can only choose between ipv="ipv4|ipv6|eb". Additionally, I don't know which priority I have to choose to get the rule in the right place. Then it wants me to define the rule in terms of arguments for iptables or ip6tables, which confuses me because I'm using nftables as the backend. What should I write into the direct.xml file to fix my problem?
How can I get it to work with a systemd service? That service would run `nft add …` every time after firewalld reloads.