1.14. Configuring zone priorities for traffic classification by using firewalld


With zone priorities, you can control the order in which packets are classified into zones by specifying priorities for ingress and egress traffic.

For example, zone A can be considered before zone B regardless of the source address or interfaces. A zone with a lower priority value has higher precedence than a zone with a higher priority value. Each zone has a pair of priority values: an ingress priority value and an egress priority value.

1.14.1. Setting the same priority value for both traffic types in a zone

By using the --set-priority option, you can set one common value for both ingress and egress traffic classification without specifying each value explicitly.

Procedure

  1. Create a new zone:

    # firewall-cmd --permanent --new-zone=example-zone

  2. Set a common zone priority value for the example-zone zone with --set-priority:

    # firewall-cmd --permanent --zone example-zone --set-priority -10

    Setting a lower value ensures higher precedence. With this value, all configured operations for both traffic types in this zone take precedence over operations from other zones.

  3. Apply permanent configuration to runtime:

    # firewall-cmd --reload

Verification

  • Display the priority value for both traffic types:

    # firewall-cmd --permanent --info-zone example-zone
    
    example-zone
      target: default
      ingress-priority: -10
      egress-priority: -10
      ...
      icmp-block-inversion: no
      ...
      services: dhcpv6-client mdns samba-client ssh
      ...
      forward: yes
      masquerade: no
      ...

    This setting ensures that traffic is considered for classification into the example-zone zone before other zones.

1.14.2. Setting a different priority value for each traffic type in a zone

By setting distinct values for ingress and egress traffic, you can set priorities for the traffic classification in a zone.

Procedure

  1. Create a new zone:

    # firewall-cmd --permanent --new-zone=example-zone

  2. Set a zone priority value for ingress traffic in the example-zone zone with --set-ingress-priority:

    # firewall-cmd --permanent --zone example-zone --set-ingress-priority -10

  3. Set a zone priority value for egress traffic in the example-zone zone with --set-egress-priority:

    # firewall-cmd --permanent --zone example-zone --set-egress-priority 100

  4. Apply permanent configuration to runtime:

    # firewall-cmd --reload

Verification

  • Display the priority value for both traffic types:

    # firewall-cmd --permanent --info-zone example-zone
    
    example-zone (active)
      target: default
      ingress-priority: -10
      egress-priority: 100
      icmp-block-inversion: no
      interfaces: eth0
      ...
      services: dhcpv6-client mdns samba-client ssh
      ...
      forward: yes
      masquerade: no
      ...

    These values indicate that, relative to other zones, the example-zone zone has a higher precedence for ingress traffic (-10) than for egress traffic (100).
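
The following script is an added example, not part of the original procedure: it reads zone information in the layout shown in the Verification output and lists zones in classification order for ingress or egress traffic, lowest priority value (highest precedence) first. The zone names other than example-zone, the zone_order function name, and the default of 0 for a zone that shows no priority line are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `firewall-cmd --info-zone`:
# zone name at column 0, then indented "key: value" lines.
# "public" and "dmz-zone" are hypothetical zones added for illustration.
SAMPLE='example-zone (active)
  target: default
  ingress-priority: -10
  egress-priority: 100
  interfaces: eth0

public
  target: default
  ingress-priority: 0
  egress-priority: 0

dmz-zone
  target: default
  ingress-priority: 5
  egress-priority: -20
'

# zone_order DIRECTION   (DIRECTION is "ingress" or "egress")
# Reads zone info text on stdin and prints "priority zone" lines sorted by
# priority value, lowest first. Zones with equal values are listed
# alphabetically for stable output only.
zone_order() {
    awk -v key="$1-priority:" '
        function emit() { if (zone != "") print prio, zone }
        # A non-indented, non-empty line starts a new zone block.
        # Assumption: a zone without a priority line is treated as 0.
        /^[^ \t]/  { emit(); zone = $1; prio = 0 }
        $1 == key  { prio = $2 }
        END        { emit() }
    ' | sort -k1,1n -k2,2
}

echo "Ingress classification order:"
printf '%s' "$SAMPLE" | zone_order ingress
echo "Egress classification order:"
printf '%s' "$SAMPLE" | zone_order egress
```

On a live system, the same function can read the output of `firewall-cmd --list-all-zones` instead of the constructed sample, which makes it easy to spot a zone whose egress order differs from its ingress order.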
