ntop / ipt_geofence

Geographical host protection for Linux/FreeBSD
GNU Affero General Public License v3.0

firewalld and nftables #23

Closed alcir closed 5 months ago

alcir commented 2 years ago

I was playing with Fedora Linux 36 and ipt_geofence. Fedora Linux uses firewalld and nftables as its default backend (not iptables).

Please note: I'm not an expert in such topics (I'm not an expert in anything TBH). The possibilities to configure firewalld are powerful, but still pretty basic. I was looking for a way to preserve the default firewalld configuration (rules) and to add the rules required by ipt_geofence (forwarding packets to NFQUEUE, right?) using rich language. However (but I can be wrong), rich language is limited as well. There is also a direct option, but it is deprecated since it still expects iptables as the backend (you will end up with a mix of nft and iptables rules).

So. Loading the example iptables script, dumping these iptables rules to a file, and then issuing iptables-restore-translate -f /root/iptables.dump > /etc/nftables/ipt_geofence.nft, it is possible to translate the iptables rules to nftables syntax.

ipt_geofence.nft.txt

Then, it is possible to load these rules without flushing the current firewall configuration with nft -f /etc/nftables/ipt_geofence.nft. It seems that packets are passed to ipt_geofence and the expected IP addresses are blocked.

It is also possible to remove such nftables rules using a file containing these lines:

table ip mangle
delete table ip mangle

And read it again with nft -f /etc/nftables/stop-ipt_geofence.nft. In this way the other rules are preserved.

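A small loader script that wraps the steps described in the post above (translate, load additively, unload only the ipt_geofence table), as an added example that is not part of the original post or of ipt_geofence itself; the file paths are the ones from the post, while the function names and the NFT override variable are assumptions:

```shell
#!/bin/sh
# Added example (not ipt_geofence's own loader). Translates the dumped iptables
# rules to nft syntax, loads them next to the existing firewalld ruleset, and
# removes only the "ip mangle" table on stop.
set -eu

IPT_DUMP=${IPT_DUMP:-/root/iptables.dump}
NFT_RULES=${NFT_RULES:-/etc/nftables/ipt_geofence.nft}
NFT_STOP=${NFT_STOP:-/etc/nftables/stop-ipt_geofence.nft}
NFT=${NFT:-nft}   # overridable so the logic can be exercised without root

# Convert the iptables-save style dump to nftables syntax
translate_rules() {
    iptables-restore-translate -f "$IPT_DUMP" > "$NFT_RULES"
}

# Write the stop file. The bare "table ip mangle" line creates the table if
# it is missing, so the following delete never fails on a clean system and
# the stop file can be applied repeatedly.
write_stop_file() {
    printf 'table ip mangle\ndelete table ip mangle\n' > "$1"
}

# Read `nft list tables` output on stdin; succeed if family/table is listed
table_listed() {
    grep -qx "table $1 $2"
}

start() { translate_rules; $NFT -f "$NFT_RULES"; }
stop()  { write_stop_file "$NFT_STOP"; $NFT -f "$NFT_STOP"; }

status() {
    if $NFT list tables | table_listed ip mangle; then
        echo "ipt_geofence rules loaded"
    else
        echo "ipt_geofence rules not loaded"
    fi
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    status) status ;;
esac
```

Running "start" twice re-applies the same table, and "stop" leaves every other table (including firewalld's) untouched.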

lucaderi commented 5 months ago

Sorry for the delay. If you want to have your own rules loader, then disable the script used by ipt_geofence to load rules and load them in your script. What matters to ipt_geofence is that rules are configured inside netfilter as expected.