List:       firewalld-users
Subject:    Re: Info on nft rules created by firewalld
From:       Eric Garver <egarver () redhat ! com>
Date:       2020-07-20 12:03:14
Message-ID: 20200720120314.y3ijjofj7uyfewts () egarver

On Sun, Jul 19, 2020 at 11:24:56AM +0200, Andrea Pasquinucci wrote:
>Hi,
>I am learning how to use firewalld with nft on fedora 32.
>I have 2 simple questions:
>
>1. is it possible to show counters of packets/bytes for
>tables/chains/rules as it was for iptables?
>I did not find anything about this in firewalld.

No. By default nft doesn't use counters - this is for performance. There 
is an RFE out there for firewalld to allow counters. However, nft offers 
proper tracing. See "monitor" in the nft man page.

>2. I am confused by the use of jump and goto in the rules
>created by firewalld: for example in the rules below (generated
>by firewalld on one of my PCs) in the chain filter_INPUT_ZONES
>there are 'goto' whereas in the other chains there are 'jump',

To understand the difference between "goto" and "jump" see the nft man 
page. They have the same meaning as "-g" and "-j" in iptables.

>so what happens to a ct-new packet with 'iifname "eno1"' and not to
>'tcp dport 22'?
>Does it end up at 'policy accept' or at 'reject with icmpx type admin-prohibited'
>or where?

"reject with icmpx type admin-prohibited"
