Eric Garver

Results 181 comments of Eric Garver

What is your use case for custom chains? The options are: 1. Use firewalld's policies 2. Use nftables directly

firewalld will only ever touch the `firewalld` table. Additionally, newer firewalld will "lock" its own table so other entities cannot modify it, e.g. `nft flush ruleset`. As such, the firewalld...

> Oh, that's unfortunate. It means I can not ensure the tables are in the right order as nft flush ruleset will not work anymore. The "order" in which table/chains...

This may be fixed by #1515. That PR has a commit that offloads the ipset entry adds to the dbus mainloop while it's idle. The testsuite has a scale test...

Indeed. See also RHEL bug: https://issues.redhat.com/browse/RHEL-5795

nftables does support DNAT with only port change just like iptables. So we can match the iptables backend behavior. e.g. `iif "eth0" tcp dport 8080 dnat to :80` That being...

Kernel limit is [IFNAMSIZ](https://www.man7.org/linux/man-pages/man7/netdevice.7.html). It would be great if nftables/iptables supported altname, but I think that's a lot of work. This bug is a can't fix. It has to be...

You're going to have to share your config. I think you may be confusing zone dispatch with policy priority.

Needinfo not provided.

In firewalld most "object" creation requires a `--reload`. That being said, I'm not aware of a reason why creating an `ipset` can't be runtime only. On the plus side, firewalld...