First, the kernel in RHEL 8 has nf-tables. (Actually, the RHEL 7 kernel has it too, since ~7.4.)
Therefore, the tool 'iptables' is not the legacy iptables that talks to netfilter in the kernel, but a
wrapper/translator that accompanies the tool 'nft', which talks to nf-tables. The translation does not cover 100%.
You can see all the rules that are in the kernel with: nft list ruleset
RHEL 8 and 9 have two mutually exclusive services: firewalld.service and nftables.service,
just like RHEL 7 had firewalld.service and iptables.service (and now also nftables.service).
merveyil wrote:
    we have complex rules in our system
You are new to FirewallD and nf-tables, so you could choose either one. The nftables.service
is like iptables.service: it loads the ruleset at boot; there is no daemon running in the background.
There should be a translator script that takes your iptables ruleset and attempts to write
equivalent nftables rules. See https://access.redhat.com/documentation ... networking
- Do as Trevor recommends and pick one of the rebuilds
- Check whether nftables is less confusing than FirewallD
(I do assume that you know why
you have what you have in iptables, so picking equivalent bits with nftables
should be doable -- starting to think the "FirewallD way" and getting it to do all the things you need is what it is.)