[CentOS] Back to c7 and firewalld

Tue Feb 5 16:28:34 UTC 2019
mark <m.roth at 5-cent.us>

If I've missed someone's response, apologies.

As I said, my converted rules seem fine, and I can run the script that
issues a bunch of direct rules for the built-in FORWARD rule... but when I
try firewall-cmd --reload, it gives me an error, saying that FORWARD is a built-in.

Now, today, what I've been looking at is to run iptables-save, and what I
see is this (in part):
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Does this mean that, instead of the format of the entry of the rule being
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD <actual
rule>
that it should, instead, be
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct
<actual rule>
? And if that's what I need to do, that's fine, but I have found *zero*
documentation about that. Everything I have found about adding direct
rules to a built-in chain doesn't mention it.

Is this so new, it's not documented?

      mark
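An added check, not from the original post or from firewalld, run over a constructed iptables-save excerpt modelled on the FORWARD chain shown in the post: it locates the FORWARD_direct jump, the first zone jump and the final REJECT within the FORWARD chain, confirms that the direct chain is consulted before a forwarded packet can be rejected, and lists whatever rules currently sit in FORWARD_direct, so one can verify where a direct rule actually landed rather than relying on what firewall-cmd reports. The FORWARD_direct rule, the eth0/eth1 names and the 192.0.2.0/24 address are constructed sample values; on a live host the report would be fed the output of iptables-save.

```shell
#!/bin/sh
# Constructed sample of iptables-save output: the FORWARD chain quoted in the
# post, plus a constructed FORWARD_direct chain holding one sample direct rule.
SAMPLE='*filter
:FORWARD ACCEPT [0:0]
:FORWARD_direct - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -i eth1 -o eth0 -s 192.0.2.0/24 -j ACCEPT
COMMIT'

# Constructed failure case: a FORWARD chain with no FORWARD_direct jump at all,
# so anything placed in FORWARD_direct would never be evaluated.
NO_DIRECT='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -i eth1 -o eth0 -s 192.0.2.0/24 -j ACCEPT
COMMIT'

# Print the rules appended to one chain, in order, with the "-A <chain> "
# prefix removed.  $1 = iptables-save text, $2 = chain name.
chain_rules() {
    printf '%s\n' "$1" | awk -v c="$2" \
        '$1 == "-A" && $2 == c { sub(/^-A [^ ]+ /, ""); print }'
}

# 1-based position, within chain $2, of the first rule whose -j target is $3.
# Prints 0 when no rule in that chain jumps to the target.
rule_position() {
    chain_rules "$1" "$2" | awk -v t="$3" '
        { for (i = 1; i < NF; i++)
              if ($i == "-j" && $(i + 1) == t) { print NR; found = 1; exit } }
        END { if (!found) print 0 }'
}

# Number of rules currently installed in FORWARD_direct.
direct_rule_count() {
    chain_rules "$1" FORWARD_direct | awk 'END { print NR }'
}

# Succeeds when FORWARD jumps to FORWARD_direct, and does so before the
# first zone jump and before the final REJECT, i.e. when a direct rule can
# actually match forwarded traffic.
direct_is_reachable() {
    dir_pos=$(rule_position "$1" FORWARD FORWARD_direct)
    rej_pos=$(rule_position "$1" FORWARD REJECT)
    zone_pos=$(rule_position "$1" FORWARD FORWARD_IN_ZONES_SOURCE)
    [ "$dir_pos" -gt 0 ] || return 1
    { [ "$rej_pos" -eq 0 ] || [ "$dir_pos" -lt "$rej_pos" ]; } || return 1
    { [ "$zone_pos" -eq 0 ] || [ "$dir_pos" -lt "$zone_pos" ]; } || return 1
    return 0
}

# Human-readable summary for one iptables-save dump.
report() {
    printf 'FORWARD_direct jump at position %s of FORWARD\n' \
        "$(rule_position "$1" FORWARD FORWARD_direct)"
    printf 'Final REJECT at position %s of FORWARD\n' \
        "$(rule_position "$1" FORWARD REJECT)"
    if direct_is_reachable "$1"; then
        echo "OK: direct rules are evaluated before the zone chains and the REJECT"
    else
        echo "WARNING: rules in FORWARD_direct cannot be reached from FORWARD"
    fi
    printf 'Rules in FORWARD_direct (%s):\n' "$(direct_rule_count "$1")"
    chain_rules "$1" FORWARD_direct | sed 's/^/  /'
}

# Demonstration on the constructed samples; on a live host use:
#   report "$(iptables-save)"
report "$SAMPLE"
echo '---'
report "$NO_DIRECT"
```

The position check matters more than the mere presence of the chain: firewalld ends FORWARD with an unconditional REJECT, so a rule that lands in a chain jumped to after that line is silently dead, and iptables-save is the only place that shows the real order.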