firewalld direct rules with ACCEPT not working on RHEL 8, 9 and 10

Solution Verified - Updated -

Issue

  • Direct rules with ACCEPT verdict not working with nftables backend

  • Even though httpd.service and firewalld.service are running, allowing port 80 through direct rules does not provide access to the webserver:

    systemctl start httpd.service
systemctl start firewalld.service 
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 80 -j ACCEPT

  • Client can't accesss, gets No route to host error.

  • Changing from FirewallBackend=nftables to FirewallBackend=iptables the direct rule works.
  • Connectivity not working between servers when firewall getting started in RHEL8
  • firewalld direct.xml from RHEL 7 no longer works on RHEL 8
  • How do direct rules work with firewalld when firewalld uses nftables?

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10
  • firewalld (with default nftables backend)
  • Direct firewall rule with -j ACCEPT to allow traffic

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content