I want to create a rule using firewalld that uses criteria username or userID and maybe one other module criteria.
In iptables, I think you can do things like
iptables -A OUTPUT -m owner --uid-owner <UID> -j ACCEPT
(and you can add other -m modules or -p protocols to the same command)
But I read
firewall-cmd manpage and I cannot find how to make same kind of rule. Even “rich rules” don’t seem to have this support. Do I have to use the “direct” feature? I can’t quite understand its syntax. Especially it worries me that these returns nothing!
firewall-cmd --direct --get-chains ipv4 filter firewall-cmd --direct --get-rules ipv4 filter OUTPUT firewall-cmd --direct --get-rules ipv4 filter INPUT
iptables -L shows I have those tables, chains and rules in them.
So how do I add a permanent rule with owner and maybe one more criteria using firewalld?
You don’t need to add or even have custom direct chains (though you can if you want to get really complicated. Just add to your existing chains directly.
After IP version, table, chain and priority, you simply specify the relevant iptables options:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \ -m owner --uid-owner $UID -j ACCEPT
Underneath, at iptables, this will actually be added to a firewalld-managed chain named OUTPUT_direct, which is called from the OUTPUT chain.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.