mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0

firewalld configuration should *not* rely on direct rules #324

Open tblancher opened 3 years ago

tblancher commented 3 years ago

From the firewalld.direct(5) man page:

> Direct configuration should be used only as a last resort when it's not possible to use firewalld.zone(5)

I have a Debian 10 (buster) router, with firewalld 0.8.2 and kernel 5.9.15-1~bpo10+1 installed from buster-backports. I installed fwknop-server (fwknopd 2.6.10), which currently is only configured to use iptables. I rebuilt fwknopd using the Debian source package, and now fwknopd --version reports the following:

```
fwknopd server 2.6.10, compiled for firewall bin: /usr/bin/firewall-cmd
```

I've been trying to set up a port forward with a SPA, and the port never comes open. I've posted my fwknopd logs detailing my attempts. Down around 18:00 is when I tried these SPAs.

It doesn't appear to work, mainly because it's trying to use iptables syntax for its direct rules. According to the log output, the iptables syntax is incompatible with this kernel (probably because it uses the nftables framework instead to manage the netfilter subsystem). As mentioned in the firewalld.direct manual, direct rules should only be used as a last resort, when rich rules or some of the higher-order features of firewalld cannot be used.

I don't know C very well, but my goal here is to fork fwknopd and replace the firewalld.h and firewalld.c with proper firewall-cmd commands, and not use direct rules. For most of it simple --add-port, --add-forward-port, with appropriate --timeout settings should be enough to get started. Let firewalld keep track of the timeouts, and everything else, and don't try to use the archaic iptables direct rules to manage the firewall.

Ideally I'd replace the firewall-cmd incantations with proper dbus calls (as mentioned in #165), but that's currently above my pay grade and skillset.
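The zone-based approach proposed above, worked through as an added example; this is not fwknop/fwknopd code and not a patch to `firewalld.c`. It assumes firewalld 0.8.x with `firewall-cmd` in `PATH`, an active zone named `public`, and RFC 5737 / RFC 1918 addresses as constructed sample input (all assumptions, not from the issue). One caveat relative to the post: a bare `--add-port ... --timeout=N` opens the port to every source, so the example uses rich rules (firewalld.richlanguage(5)) carrying the SPA-validated `source address`, which is the closest zone-level equivalent of what fwknopd's per-source direct rules do. Because the source address and port come from the SPA packet, the helpers validate them before they are interpolated into a rule string.

```shell
#!/bin/sh
# Added example, not fwknop/fwknopd code: grant one SPA-validated source
# temporary access via firewalld rich rules with --timeout instead of
# --direct iptables rules.  Assumptions (not from the issue): firewalld 0.8.x
# with firewall-cmd in PATH, an active zone "public", sample addresses from
# RFC 5737 / RFC 1918.  Set FWCMD=echo to dry-run without touching firewalld.

FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Accept only a plain dotted-quad IPv4 address.  The address comes from the
# SPA packet, so it is untrusted and must not reach the rule string unchecked.
spa_valid_ip() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in ''|????*) return 1 ;; esac   # empty or >3 digits
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Positive integer (used for port numbers and timeouts).
spa_valid_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

spa_valid_port() { spa_valid_uint "$1" && [ "$1" -le 65535 ]; }

spa_valid_proto() { case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac; }

# Rich rule accepting SRC_IP on PORT/PROTO.   usage: spa_accept_rule SRC_IP PORT PROTO
spa_accept_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
        "$1" "$2" "$3"
}

# Rich rule forwarding PORT/PROTO from SRC_IP to TO_ADDR:TO_PORT.
# usage: spa_forward_rule SRC_IP PORT PROTO TO_PORT TO_ADDR
spa_forward_rule() {
    printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"' \
        "$1" "$2" "$3" "$4" "$5"
}

# Install RULE in the runtime configuration; firewalld removes it after TTL
# seconds.  --timeout is runtime-only (it cannot be combined with --permanent),
# which is exactly the lifetime a SPA grant should have.   usage: spa_apply RULE TTL
spa_apply() {
    "$FWCMD" --zone="$ZONE" --add-rich-rule="$1" --timeout="$2"
}

# Remove a rule before its timeout expires (e.g. on fwknopd shutdown).
spa_revoke() {
    "$FWCMD" --zone="$ZONE" --remove-rich-rule="$1"
}

# Validate, build and apply an accept grant.   usage: spa_grant_access SRC_IP PORT PROTO TTL
spa_grant_access() {
    if ! spa_valid_ip "$1" || ! spa_valid_port "$2" || ! spa_valid_proto "$3" \
       || ! spa_valid_uint "$4"; then
        echo "spa_grant_access: rejected arguments: $*" >&2
        return 1
    fi
    spa_apply "$(spa_accept_rule "$1" "$2" "$3")" "$4"
}

# Validate, build and apply a forward grant.
# usage: spa_grant_forward SRC_IP PORT PROTO TO_PORT TO_ADDR TTL
spa_grant_forward() {
    if ! spa_valid_ip "$1" || ! spa_valid_port "$2" || ! spa_valid_proto "$3" \
       || ! spa_valid_port "$4" || ! spa_valid_ip "$5" || ! spa_valid_uint "$6"; then
        echo "spa_grant_forward: rejected arguments: $*" >&2
        return 1
    fi
    spa_apply "$(spa_forward_rule "$1" "$2" "$3" "$4" "$5")" "$6"
}

# Dry-run demo:  sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    FWCMD=echo
    spa_grant_access 203.0.113.5 22 tcp 30
    spa_grant_forward 203.0.113.5 2222 tcp 22 192.168.1.10 30
    spa_grant_access '203.0.113.5" accept' 22 tcp 30 || echo "malformed source rejected"
fi
```

Two things to keep in mind when wiring this into a daemon: `--timeout` only affects the runtime configuration, so a firewalld reload drops any outstanding grants early (acceptable for SPA, but the daemon should not assume a grant survives a reload), and forwarding to a different host with `to-addr` only works if masquerading is enabled on the zone (`firewall-cmd --zone=public --add-masquerade`).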