firewalld / firewalld

Stateful zone based firewall daemon with D-Bus interface
GNU General Public License v2.0

Debugging: Add a way to identify why certain rules were generated #1383

Open mheon opened 1 month ago

mheon commented 1 month ago

What would you like to be added

Add a way of identifying what parts of the firewalld configuration generated specific nftables (or iptables, if that backend is used) rules to aid in debugging.

Why is this needed

When using firewalld (particularly complicated configurations involving numerous NAT + port forwarding rules, as Podman often creates), it is very difficult to tell why things aren't working. I can trace packets through nftables to identify where things are going wrong, but it's very difficult to correlate an identified problem in the generated nftables rules to the firewalld configuration causing the problem.

erig0 commented 1 month ago

Two options that I can think of:

  1. add an NftablesRuleDebug config

    • would add a comment to generated rules that shows the firewalld rule/config that caused the nftables rule to be generated
    • CLI syntax?
    • only way to show runtime only rules
    • a bit awkward for permanent config rules
  2. improve packet tracing

    • implement existing RFEs to log packet drops to NFLOG (userspace, ulogd2)
    • extend logging to trace all packets instead of just dropped packets
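The correlation step mheon describes, and the rule comments erig0's first option would add, can be sketched as a small helper. The following is an added example, not code from firewalld or from either commenter: it parses the output of `nft -a list ruleset` (the `# handle N` suffix is what `-a` prints) into rules indexed by table, chain and normalized expression, then looks up the `rule ...` lines from `nft monitor trace` to report the handle and any `comment "..."` attached to the matching rule. Both the ruleset listing and the trace lines below are constructed samples; the comment strings are a hypothetical form of what an `NftablesRuleDebug` option might emit, not a format firewalld produces today, and the trace line layout is an approximation of real `nft monitor trace` output.

```python
"""Map nft trace hits back to ruleset handles and (hypothetical) firewalld comments."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `nft -a list ruleset`; comments are a hypothetical debug format.
SAMPLE_RULESET = """\
table inet firewalld { # handle 1
    chain filter_INPUT { # handle 4
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept # handle 9
        ct status dnat accept # handle 10
        iifname "lo" accept # handle 11
        jump filter_INPUT_ZONES # handle 12
        ct state { invalid } drop # handle 13
        reject with icmpx admin-prohibited # handle 14
    }
    chain filter_IN_public_allow { # handle 30
        tcp dport 22 ct state { new, untracked } accept comment "zone public: service ssh" # handle 31
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept comment "zone public: service dhcpv6-client" # handle 32
    }
    chain nat_PRE_public_allow { # handle 40
        tcp dport 8080 dnat ip to 10.88.0.5:80 comment "zone public: forward-port 8080/tcp -> 10.88.0.5:80" # handle 41
    }
}
"""

# Constructed sample of `nft monitor trace` after a `meta nftrace set 1` rule; the last
# hit refers to a rule that is absent from the listing (e.g. added after it was taken).
SAMPLE_TRACE = """\
trace id 5e1d2a inet firewalld filter_INPUT packet: iif "eth0" ip saddr 192.0.2.10 ip daddr 192.0.2.1 tcp dport 22
trace id 5e1d2a inet firewalld filter_INPUT rule jump filter_INPUT_ZONES (verdict jump filter_INPUT_ZONES)
trace id 5e1d2a inet firewalld filter_IN_public_allow rule tcp dport 22 ct state { new, untracked } accept (verdict accept)
trace id 7f00c1 inet firewalld nat_PRE_public_allow rule tcp dport 8080 dnat ip to 10.88.0.5:80 (verdict accept)
trace id 7f00c1 inet firewalld filter_IN_public_allow rule tcp dport 2222 accept (verdict accept)
"""

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HANDLE_RE = re.compile(r"\s*#\s*handle\s+(\d+)\s*$")
COMMENT_RE = re.compile(r'\s+comment\s+"((?:[^"\\]|\\.)*)"\s*$')
TRACE_RULE_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\w+) (?P<table>\S+) (?P<chain>\S+) "
    r"rule (?P<expr>.*?) \(verdict (?P<verdict>[^)]+)\)$"
)


@dataclass
class Rule:
    family: str
    table: str
    chain: str
    handle: int
    expr: str            # rule expression with whitespace collapsed, comment stripped
    comment: Optional[str]


def normalize(expr: str) -> str:
    return " ".join(expr.split())


def parse_ruleset(text: str) -> List[Rule]:
    """Walk the nested table/chain listing and collect every rule line with a handle."""
    rules: List[Rule] = []
    family = table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TABLE_RE.match(line):
            family, table, chain = m.group(1), m.group(2), None
            continue
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
            continue
        if line.startswith("}"):            # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                family = table = None
            continue
        if chain is None or line.startswith("type "):
            continue                        # chain header (hook/priority/policy) is not a rule
        if not (m := HANDLE_RE.search(line)):
            continue
        body, comment = line[: m.start()], None
        if c := COMMENT_RE.search(body):
            comment, body = c.group(1), body[: c.start()]
        rules.append(Rule(family, table, chain, int(m.group(1)), normalize(body), comment))
    return rules


def explain_trace(trace_text: str, ruleset_text: str) -> List[dict]:
    """For each `rule` line in the trace, find the matching rule and report handle + comment."""
    index: Dict[Tuple[str, str, str, str], Rule] = {
        (r.family, r.table, r.chain, r.expr): r for r in parse_ruleset(ruleset_text)
    }
    hits = []
    for line in trace_text.splitlines():
        if not (m := TRACE_RULE_RE.match(line.strip())):
            continue                        # packet/verdict/policy lines carry no rule
        key = (m["family"], m["table"], m["chain"], normalize(m["expr"]))
        rule = index.get(key)               # None when the listing is stale or the rule is runtime-only
        hits.append({"trace_id": m["id"], "chain": m["chain"], "expr": key[3], "verdict": m["verdict"],
                     "handle": rule.handle if rule else None, "comment": rule.comment if rule else None})
    return hits


if __name__ == "__main__":
    for h in explain_trace(SAMPLE_TRACE, SAMPLE_RULESET):
        origin = h["comment"] or "(no comment; handle %s)" % h["handle"]
        print(f"{h['trace_id']} {h['chain']}: {h['expr']} -> {h['verdict']}  <= {origin}")
```

Run against a live system by substituting the output of `nft -a list ruleset` and `nft monitor trace` for the two constructed strings. Matching on the rule expression rather than the handle is deliberate: the trace prints the expression, and the handle only appears in the `-a` listing, so a stale listing or a rule added at runtime shows up as an unmatched hit instead of a wrong attribution. That unmatched case is exactly the gap erig0's second option (tracing all packets, not just drops) and first option (embedding the originating firewalld config as a comment) would close.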