class firewalld::direct

Class: firewalld::direct

This defines a direct configuration. It should be used only as a last resort, when it is not possible to use firewalld::zone. You need to know the iptables internals, such as tables and command line arguments. The result is an /etc/firewalld/direct.xml file; see the firewalld.direct(5) man page.

Parameters

chains

list of chains

ipv   - string, mandatory. IP family where the chain will be created.
        Can be either "ipv4" or "ipv6".
table - string, optional (defaults to 'filter').
        Name of table where the chain will be created.
chain - string, mandatory. Name of the chain that will be created.
rules

list of rules

ipv   - string, mandatory. IP family where the rule will be added.
        Can be either "ipv4" or "ipv6".
table - string, optional (defaults to 'filter').
        Name of table where the rule will be added.
chain - string, mandatory. Name of chain where the rule will be added.
        If the chain name is a built-in chain, then the rule will be
        added to <chain>_direct, else the supplied chain name is used.
priority - string, optional (defaults to '0'). Used to order rules.
        Priority '0' means the rule is added at the top of the chain;
        with a higher priority the rule is added further down. Rules with
        the same priority are on the same level, and the order of these
        rules is not fixed and may change. If you want to make sure
        that a rule is added after another one, use a low priority
        for the first and a higher one for the following.
args  - string, mandatory. iptables or ip6tables arguments.
passthroughs

list of passthroughs

ipv   - string, mandatory. IP family where the rule will be added.
        Can be either "ipv4" or "ipv6".
args  - string, mandatory. iptables or ip6tables arguments.

Examples

class { 'firewalld::direct':
  chains => [
    {
      ipv   => 'ipv4',
      table => 'filter',
      chain => 'mine',
    },
  ],
  rules  => [
    {
      ipv      => 'ipv4',
      table    => 'filter',
      chain    => 'mine',
      priority => '1',
      args     => "-j LOG --log-prefix 'my prefix'",
    },
    {
      ipv      => 'ipv4',
      table    => 'mangle',
      chain    => 'PREROUTING',
      args     => "-p tcp -m tcp --dport 123 -j MARK --set-mark 1",
    },
  ],
}