Firewalld DBUS interface usage guide
2022-04-22 19:49:00 【CylonChau】
firewalld is a dynamic, zone-based iptables/nftables daemon that has been in development since 2009. CentOS 7 is based on firewalld-0.6.3, released on 11 October 2018. The main developer is Thomas Woerner, who currently works for Red Hat. It became the default firewall mechanism in Fedora 18 and was later adopted by RHEL 7 and CentOS 7.
Compared with the older iptables mechanism, firewalld has many advantages. Most notably, it solves the problem that iptables requires the whole firewall to be reloaded every time a rule is changed, which interrupts every stateful connection. It also provides a rich and well-thought-out set of D-Bus methods, signals and properties.
This article does not introduce firewalld from the point of view of day-to-day operation and use; instead it introduces the firewalld D-Bus API, which can be used to retrieve information or change settings.
firewalld is configured as a system D-Bus service: look for the `Type=dbus` parameter in its systemd unit file.
# cat /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
Documentation=man:firewalld(1)
[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1
KillMode=mixed
[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service
In fact, running /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid --debug by hand has the same effect; the registration on the bus is done through the high-level D-Bus API.
Now that we know the firewalld service is built on a D-Bus interface, we need to find the corresponding D-Bus name:
dbus-send --system --dest=org.freedesktop.DBus \
--type=method_call --print-reply \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames | grep FirewallD
org.fedoraproject.FirewallD1 is the D-Bus name registered by firewalld.
dbus-send sends a message to the D-Bus message bus and prints the reply. There are two well-known message buses: the system bus (option --system) and a per-user session bus (--session). firewall-cmd itself interacts with firewalld through this D-Bus interface. When using dbus-send, the destination must be given with --dest; this is the name under which the service is connected to the bus, so the message reaches the firewalld server, which translates it into the corresponding iptables rules.
Now that we have the D-Bus name, we need to know which methods, properties and signals the interface supports:
dbus-send --system --dest=org.fedoraproject.FirewallD1 --print-reply \
/org/fedoraproject/FirewallD1 \
org.freedesktop.DBus.Introspectable.Introspect
The output above lists all the methods, signals and properties provided by the firewalld D-Bus interface. The format is the D-Bus introspection DTD. Every D-Bus service is expected to implement the org.freedesktop.DBus.Introspectable.Introspect method.
Knowing the methods, properties and signals, you can perform operations on firewalld directly. Let's start with the first example: get the default zone.
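The introspection XML above is long and, on a real host, it is the only reliable way to learn on which interface a method lives and with which argument signature it must be called. The following Python is an added example (not part of the original article or of firewalld): it parses introspection XML, answers "which interface exposes addPort and what does it take?", and maps a basic-type signature to the `string:` / `int32:` argument prefixes dbus-send expects. The embedded XML is a constructed, heavily abbreviated sample in the shape firewalld returns; the function names `parse_introspection`, `find_method`, `dbus_send_args` and `introspect_live` are my own.

```python
"""Parse the XML returned by org.freedesktop.DBus.Introspectable.Introspect
and summarise each interface's methods, signals and properties.

Added example, not firewalld's own code. SAMPLE_INTROSPECTION below is a
constructed, abbreviated sample; introspect_live() fetches the real thing
on a host where firewalld is running."""
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample: a handful of members from the real interfaces, not a capture.
SAMPLE_INTROSPECTION = """\
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect"><arg name="data" direction="out" type="s"/></method>
  </interface>
  <interface name="org.fedoraproject.FirewallD1">
    <method name="getDefaultZone"><arg direction="out" type="s"/></method>
    <method name="getZoneSettings">
      <arg direction="in" type="s"/>
      <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"/>
    </method>
    <signal name="Reloaded"/>
    <property name="version" type="s" access="read"/>
    <property name="state" type="s" access="read"/>
  </interface>
  <interface name="org.fedoraproject.FirewallD1.zone">
    <method name="addPort">
      <arg direction="in" type="s"/><arg direction="in" type="s"/>
      <arg direction="in" type="s"/><arg direction="in" type="i"/>
      <arg direction="out" type="s"/>
    </method>
    <signal name="PortAdded">
      <arg type="s"/><arg type="s"/><arg type="s"/><arg type="i"/>
    </signal>
  </interface>
</node>
"""

# Basic D-Bus type codes and the argument prefix dbus-send uses for each.
DBUS_SEND_PREFIX = {"s": "string:", "o": "objpath:", "b": "boolean:",
                    "y": "byte:", "n": "int16:", "q": "uint16:",
                    "i": "int32:", "u": "uint32:", "x": "int64:",
                    "t": "uint64:", "d": "double:"}


def parse_introspection(xml_text):
    """Return {interface: {"methods": {name: (in_sig, out_sig)},
                           "signals": {name: sig},
                           "properties": {name: (type, access)}}}."""
    root = ET.fromstring(xml_text.strip())
    tree = {}
    for iface in root.findall("interface"):
        entry = {"methods": {}, "signals": {}, "properties": {}}
        for m in iface.findall("method"):
            args = m.findall("arg")
            # A method <arg> without a direction attribute counts as "in".
            ins = "".join(a.get("type") for a in args if a.get("direction", "in") == "in")
            outs = "".join(a.get("type") for a in args if a.get("direction") == "out")
            entry["methods"][m.get("name")] = (ins, outs)
        for s in iface.findall("signal"):
            entry["signals"][s.get("name")] = "".join(a.get("type") for a in s.findall("arg"))
        for p in iface.findall("property"):
            entry["properties"][p.get("name")] = (p.get("type"), p.get("access"))
        tree[iface.get("name")] = entry
    return tree


def find_method(tree, name):
    """Which interface(s) expose `name`? Returns [(interface, in_sig, out_sig)]."""
    return [(iface, *entry["methods"][name])
            for iface, entry in tree.items() if name in entry["methods"]]


def dbus_send_args(in_sig):
    """Map an input signature to dbus-send argument prefixes, e.g. 'sssi' ->
    ['string:', 'string:', 'string:', 'int32:']. Returns None as soon as a
    container type (struct, array, variant, dict) appears: dbus-send cannot
    encode structs or nested containers, so such methods need a real binding."""
    prefixes = []
    for code in in_sig:
        if code not in DBUS_SEND_PREFIX:
            return None
        prefixes.append(DBUS_SEND_PREFIX[code])
    return prefixes


def introspect_live(path="/org/fedoraproject/FirewallD1"):
    """Fetch real introspection XML from a running firewalld (needs dbus-send)."""
    out = subprocess.check_output(
        ["dbus-send", "--system", "--print-reply=literal",
         "--dest=org.fedoraproject.FirewallD1", path,
         "org.freedesktop.DBus.Introspectable.Introspect"])
    return out.decode()


if __name__ == "__main__":
    tree = parse_introspection(SAMPLE_INTROSPECTION)   # or introspect_live()
    for iface, in_sig, out_sig in find_method(tree, "addPort"):
        print(iface, "addPort", in_sig, "->", out_sig, dbus_send_args(in_sig))
```

Running `find_method(tree, "addPort")` on the sample tells you the method lives on `org.fedoraproject.FirewallD1.zone` with input signature `sssi`, which is why the dbus-send call later in the article passes three `string:` arguments and one `int32:`; `dbus_send_args` returning `None` for a signature such as `s(ss)` is the signal that dbus-send is the wrong tool for that method.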
# firewall-cmd --get-default-zone
dbus-send --system --dest=org.fedoraproject.FirewallD1 \
--print-reply --type=method_call \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.getDefaultZone
Retrieve the list of zones through the D-Bus interface:
# firewall-cmd --get-zones
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--print-reply --type=method_call \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.getZones
The most common command: view all the rules of the current zone.
# firewall-cmd --zone=public --list-all
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--print-reply --type=method_call \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.getZoneSettings string:"public"
Get the properties of the interface
firewall-cmd does not expose these on the command line, but they are useful when wrapping the API in a program.
dbus-send --system \
--print-reply --dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.freedesktop.DBus.Properties.GetAll string:"org.fedoraproject.FirewallD1"
You can also read individual property values through the other interface, org.freedesktop.DBus.Properties.Get:
dbus-send --system --print-reply \
--dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.freedesktop.DBus.Properties.Get \
string:"org.fedoraproject.FirewallD1" \
string:"version"
# dbus-send --system --print-reply \
--dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 org.freedesktop.DBus.Properties.Get \
string:"org.fedoraproject.FirewallD1" \
string:"interface_version"
# dbus-send --system --print-reply \
--dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.freedesktop.DBus.Properties.Get \
string:"org.fedoraproject.FirewallD1" \
string:"state"
# dbus-send --system --print-reply=literal \
--dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.freedesktop.DBus.Properties.Get \
string:"org.fedoraproject.FirewallD1" \
string:"state"
Query rules
Query the zone an interface belongs to
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--print-reply \
--type=method_call \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.getZoneOfInterface \
string:"eth0"
Create a new zone
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--type=method_call \
--print-reply /org/fedoraproject/FirewallD1/config \
org.fedoraproject.FirewallD1.config.addZone \
string:"testapi"
Note that zones are created on the permanent configuration object /org/fedoraproject/FirewallD1/config, not on the runtime object, and that config.addZone also takes a second argument, the zone-settings struct. dbus-send can only encode basic types and flat arrays, not structs, so the call as shown is rejected by firewalld; to create a zone from the shell use firewall-cmd --permanent --new-zone=testapi, or call addZone from a program with a D-Bus binding.
Get all the rules of a zone (the zone settings)
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--type=method_call \
--print-reply /org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.getZoneSettings \
string:"public"
Add a port (runtime only; the last argument is a timeout in seconds after which the port is removed again, 0 meaning no timeout)
dbus-send --system \
--dest=org.fedoraproject.FirewallD1 \
--print-reply --type=method_call \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.addPort \
string:"public" \
string:"81" \
string:"tcp" \
int32:300
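The same calls (getDefaultZone, zone.getZones, getZoneSettings, Properties.Get, zone.getZoneOfInterface and zone.addPort) wrapped in a small Python client, as an added example that is not code from the article or from firewalld. It talks to the real system bus through the dbus-python module (`import dbus`, loaded lazily), and the class names FirewalldClient and RecordingTransport, the function dbus_transport and the helper check_port are my own; RecordingTransport is a constructed offline stand-in for the bus. The point beyond the dbus-send lines is input validation: anything reaching addPort is checked before it turns into a firewall change.

```python
"""Thin Python client for the firewalld D-Bus calls used in this article.

Added example, not firewalld's own client code. The bus transport is
injectable: dbus_transport() calls the real system bus via dbus-python,
while RecordingTransport is a constructed stand-in for offline use."""

BUS_NAME = "org.fedoraproject.FirewallD1"
OBJ_PATH = "/org/fedoraproject/FirewallD1"
IFACE_MAIN = "org.fedoraproject.FirewallD1"
IFACE_ZONE = "org.fedoraproject.FirewallD1.zone"
IFACE_PROPS = "org.freedesktop.DBus.Properties"

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")  # port protocols firewalld accepts


def dbus_transport(path, iface, method, *args):
    """Default transport: call `method` on `iface` at `path` over the system bus."""
    import dbus  # dbus-python; imported lazily so the module loads without it
    obj = dbus.SystemBus().get_object(BUS_NAME, path)
    return getattr(dbus.Interface(obj, iface), method)(*args)


class RecordingTransport:
    """Offline stand-in for the bus: records each call and answers from a
    dict of canned replies keyed by method name (constructed test data)."""

    def __init__(self, replies):
        self.replies = replies
        self.calls = []

    def __call__(self, path, iface, method, *args):
        self.calls.append((path, iface, method, args))
        return self.replies[method]


def check_port(port):
    """Accept a single port or a 'lo-hi' range within 1..65535 and return it
    as the string firewalld expects; reject everything else so untrusted
    input never reaches the bus call unvalidated."""
    text = str(port)
    lo, sep, hi = text.partition("-")
    parts = (lo, hi) if sep else (lo,)
    if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        raise ValueError("invalid port: %r" % port)
    if sep and int(lo) > int(hi):
        raise ValueError("invalid port range: %r" % port)
    return text


class FirewalldClient:
    def __init__(self, transport=dbus_transport):
        self._call = transport

    def get_default_zone(self):          # firewall-cmd --get-default-zone
        return str(self._call(OBJ_PATH, IFACE_MAIN, "getDefaultZone"))

    def get_zones(self):                 # firewall-cmd --get-zones
        return [str(z) for z in self._call(OBJ_PATH, IFACE_ZONE, "getZones")]

    def get_zone_settings(self, zone):   # firewall-cmd --zone=ZONE --list-all
        return self._call(OBJ_PATH, IFACE_MAIN, "getZoneSettings", zone)

    def get_property(self, name):        # e.g. "version", "state"
        return str(self._call(OBJ_PATH, IFACE_PROPS, "Get", IFACE_MAIN, name))

    def get_zone_of_interface(self, ifname):
        return str(self._call(OBJ_PATH, IFACE_ZONE, "getZoneOfInterface", ifname))

    def add_port(self, zone, port, protocol, timeout=0):
        """Runtime-only port opening; timeout > 0 removes the port again
        after that many seconds (the 300 in the dbus-send example)."""
        if protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol: %r" % protocol)
        if int(timeout) < 0:
            raise ValueError("timeout must be >= 0")
        return str(self._call(OBJ_PATH, IFACE_ZONE, "addPort",
                              zone, check_port(port), protocol, int(timeout)))


if __name__ == "__main__":
    fw = FirewalldClient()               # real system bus; needs firewalld running
    print("default zone:", fw.get_default_zone())
    print("zones:", fw.get_zones())
    print("firewalld version:", fw.get_property("version"))
```

With the real transport the script must run as a user that polkit allows to call firewalld (root in the default policy); with `RecordingTransport` you can see exactly which (path, interface, method, args) tuple each wrapper emits, which is the same information the dbus-send lines above carry.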
The firewall-cmd commands corresponding to setting the various zone properties:
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=public --add-forward-port=port=1122:proto=tcp:toport=22:toaddr=192.168.100.3
firewall-cmd --zone=public --add-forward-port=port=1122:proto=tcp:toport=22:toaddr=10.0.0.3
firewall-cmd --add-protocol=tcp
firewall-cmd --add-protocol=udp
firewall-cmd --add-icmp-blocks=icmp
firewall-cmd --set-target=DROP
firewall-cmd --add-icmp-block=redirect
firewall-cmd --add-icmp-block=network-unknown
firewall-cmd --add-source-port=80/tcp
firewall-cmd --add-source-port=100/tcp
firewall-cmd --add-source=10.0.0.1
firewall-cmd --add-source=10.0.0.2
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.101/32 service name=telnet limit value=1/m accept'
firewall-cmd --add-icmp-block-inversion
firewall-cmd --new-zone=123 --permanent
Execute remote commands
The D-Bus interface also supports remote calls: when dbus-send sends a message, the bus address configured in the environment decides which D-Bus listener receives it, so pointing it at a remote TCP listener completes the operation on that host. (firewalld registers on the system bus, so for --system the variable that applies is DBUS_SYSTEM_BUS_ADDRESS; the example below sets the session-bus address.)
DBUS_SESSION_BUS_ADDRESS=tcp:host=10.0.0.3,port=55557
Based on the above, together with the official documentation, we have learned how to operate firewalld through the D-Bus interface. Although dbus-send is used here, the same can be done from Qt or any other D-Bus binding to manage applications built on the D-Bus API.
Copyright notice
This article was written by [CylonChau]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/04/202204221946338374.html