一. 服务器

1. create rule — fwknopd inserts one ACCEPT rule per requested port (tcp/22, tcp/50152, udp/4567) into the FWKNOP_INPUT chain through `firewall-cmd --direct --passthrough`; each rule carries an `-m comment --comment _exp_<unix-timestamp>` tag that records its expiry time (exp_ts), which is later used to find and remove stale rules.

  1. /bin/firewall-cmd --direct --passthrough ipv4 -A FWKNOP_INPUT -t filter -p 6 -s 172.16.1.99 -d 0.0.0.0/0 --dport 22 -m comment --comment _exp_1644484478 -j ACCEPT
  2. /bin/firewall-cmd --direct --passthrough ipv4 -A FWKNOP_INPUT -t filter -p 6 -s 172.16.1.99 -d 0.0.0.0/0 --dport 50152 -m comment --comment _exp_1644810764 -j ACCEPT
  3. /bin/firewall-cmd --direct --passthrough ipv4 -A FWKNOP_INPUT -t filter -p 17 -s 172.16.1.99 -d 0.0.0.0/0 --dport 4567 -m comment --comment _exp_1644810764 -j ACCEPT
  4. #0 create_rule (srcip=0x7ffdda7a7738 "172.16.1.99", fw_rule=0x7ffdda7a69d0 "-t filter -p 6 -s 172.16.1.99 -d 0.0.0.0/0 --dport 22 -m comment --comment _exp_1644811639 -j ACCEPT", fw_chain=0x556103cd1ac8 <fwc+200> "FWKNOP_INPUT", opts=0x7ffdda7a9ee0) at fw_util_firewalld.c:1222
  5. #1 firewd_rule (opts=opts@entry=0x7ffdda7a9ee0, complete_rule_buf=complete_rule_buf@entry=0x0, fw_rule_macro=fw_rule_macro@entry=0x556103acbc80 "-t %s -p %i -s %s -d %s --dport %i -m comment --comment _exp_%u -j %s", srcip=0x7ffdda7a7738 "172.16.1.99", dstip=0x556103acb076 "0.0.0.0/0", proto=<optimized out>, port=22, nat_ip=0x0, nat_port=0, chain=0x556103cd1a00 <fwc>, exp_ts=1644811639, now=1644811609, msg=0x556103acb1cb "access", access_msg=0x7ffdda7a7778 "tcp/22,tcp/50152,udp/4567") at fw_util_firewalld.c:1307
  6. #2 0x0000556103ac1719 in process_spa_request (opts=opts@entry=0x7ffdda7a9ee0, acc=acc@entry=0x5561046d21e0, spadat=spadat@entry=0x7ffdda7a7710) at fw_util_firewalld.c:1712
  7. #3 0x0000556103ab83ae in incoming_spa (opts=0x7ffdda7a9ee0) at incoming_spa.c:1206
  8. #4 0x00007fa9dd75de55 in pcap_handle_packet_mmap () from /usr/lib64/libpcap.so.1
  9. #5 0x00007fa9dd75e2e1 in pcap_read_linux_mmap_v3 () from /usr/lib64/libpcap.so.1
  10. #6 0x0000556103ab8a6c in pcap_capture (opts=0x7ffdda7a9ee0) at pcap_capture.c:227
  11. #7 0x0000556103ab46e8 in main (argc=1, argv=0x7ffdda7aac38) at fwknopd.c:322

2. rm rule — from the pcap_capture loop, check_firewall_rules calls rm_expired_rules, which parses the chain listing for `_exp_` comments whose timestamp is older than now and deletes each matching rule by position; all three deletions use index 1 because the remaining rules move up after each removal.

  1. /bin/firewall-cmd --direct --passthrough ipv4 -t filter -D FWKNOP_INPUT 1
  2. /bin/firewall-cmd --direct --passthrough ipv4 -t filter -D FWKNOP_INPUT 1
  3. /bin/firewall-cmd --direct --passthrough ipv4 -t filter -D FWKNOP_INPUT 1
  4. #0 rm_expired_rules (now=1644811643, cpos=0, ch=<optimized out>, ndx=0x7ffdda7a847b "1644811639 */\n2 ACCEPT tcp -- 172.16.1.99 0.0.0.0/0", ' ' <repeats 12 times>, "tcp dpt:50152 /* _exp_1644811639 */\n3 ACCEPT udp -- 172.16.1.99 0.0.0.0/0", ' ' <repeats 12 times>, "udp dpt:4567 /* "..., fw_output_buf=0x7ffdda7a83c0 "Chain FWKNOP_INPUT (1 references)\nnum target prot opt source", ' ' <repeats 15 times>, "destination \n1 ACCEPT tcp -- 172.16.1.99 0.0.0.0/0", ' ' <repeats 12 times>, "tcp dpt:22 /* _exp_1644811639 */"..., opts=0x7ffdda7a9ee0) at fw_util_firewalld.c:1846
  5. #1 check_firewall_rules (opts=opts@entry=0x7ffdda7a9ee0, chk_rm_all=0) at fw_util_firewalld.c:1971
  6. #2 0x0000556103ab8ae4 in pcap_capture (opts=0x7ffdda7a9ee0) at pcap_capture.c:305
  7. #3 0x0000556103ab46e8 in main (argc=1, argv=0x7ffdda7aac38) at fwknopd.c:322