Problem to add interface to firewalld zone
It is not possible to add an interface to firewalld zone.
For example:
sudo firewall-cmd --zone=internal --add-interface=eth0
Error: COMMAND_FAILED: 'python-nftables' failed:
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_IN_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWD_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "mangle_PRE_internal"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal_allow", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"accept": null}]}}}]}
It is not possible to add inteface with nmcli either (sudo nmcli connection modify Wired01 connection.zone internal
)
confirmation:
sudo firewall-cmd --info-zone=internal
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
on PinePhone (Linux hostname 5.18.0-1-MANJARO-ARM #1 SMP PREEMPT Sat May 28 21:06:18 UTC 2022 aarch64 GNU/Linux
) with:
nftables 1:1.0.2-1
networkmanager 1.34.0-1
firewalld 1.1.1-1
python 3.10.4-1