How to create advanced rules with firewall-cmd?

user109322 asked:

I want to create a rule using firewalld that uses criteria username or userID and maybe one other module criteria.

In iptables, I think you can do things like

iptables -A OUTPUT -m owner --uid-owner <UID> -j ACCEPT

(and you can add other -m modules or -p protocols to the same command)

But I read the firewall-cmd manpage and I cannot find how to make the same kind of rule. Even “rich rules” don’t seem to have this support. Do I have to use the “direct” feature? I can’t quite understand its syntax. Especially it worries me that these return nothing!

firewall-cmd --direct --get-chains ipv4 filter
firewall-cmd --direct --get-rules ipv4 filter OUTPUT
firewall-cmd --direct --get-rules ipv4 filter INPUT

Of course iptables -L shows I have those tables, chains and rules in them.

So how do I add a permanent rule with owner and maybe one more criteria using firewalld?

My answer:

You don’t need to add or even have custom direct chains (though you can if you want to get really complicated). Just add to your existing chains directly.

After IP version, table, chain and priority, you simply specify the relevant iptables options:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
        -m owner --uid-owner $UID -j ACCEPT

Underneath, at iptables, this will actually be added to a firewalld-managed chain named OUTPUT_direct, which is called from the OUTPUT chain.

View the full question and any other answers on Server Fault.
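As an added example (not part of the answer above, and not firewalld's own tooling), a small POSIX shell script that builds a direct rule in the argument order the answer describes, combining the owner match with a protocol/port match, and then adds it to both the permanent and the runtime configuration and confirms it is stored. The helper names and the usage flow are this example's own.

```shell
#!/bin/sh
# Added example: firewalld direct rule with owner + protocol/port criteria.
set -eu

# build_direct_rule USER|UID PROTO PORT ACTION
# Prints the firewall-cmd direct-rule arguments in the order firewalld wants:
#   <ipv> <table> <chain> <priority> <iptables args...>
# The owner match only accepts numeric uids and firewalld stores the rule as a
# literal string, so a user name is resolved to its uid at build time.
build_direct_rule() {
    user=$1; proto=$2; port=$3; action=$4
    case $user in
        *[!0-9]*) uid=$(id -u "$user") ;;   # a name: resolve to a numeric uid
        *)        uid=$user ;;               # already numeric
    esac
    printf '%s\n' "ipv4 filter OUTPUT 0 -m owner --uid-owner $uid -p $proto --dport $port -j $action"
}

# apply_direct_rule RULE_ARGS
# --permanent alone only changes the saved config; the plain call changes the
# running firewall. Doing both avoids a reload, and --query-rule confirms the
# permanent copy exists (note: --get-rules without --permanent shows only the
# runtime set, which is why a permanent-only rule can appear to be missing).
apply_direct_rule() {
    rule=$1
    # shellcheck disable=SC2086  # splitting into separate arguments is intended
    firewall-cmd --permanent --direct --add-rule $rule
    firewall-cmd --direct --add-rule $rule
    firewall-cmd --permanent --direct --query-rule $rule
}

# Usage: sh direct_owner_rule.sh <user|uid> <proto> <port> [ACCEPT|DROP]
if [ $# -ge 3 ]; then
    rule=$(build_direct_rule "$1" "$2" "$3" "${4:-ACCEPT}")
    if command -v firewall-cmd >/dev/null 2>&1; then
        apply_direct_rule "$rule"
    else
        echo "firewall-cmd --permanent --direct --add-rule $rule"
    fi
fi
```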

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.