FIREWALLD.DBUS(5) firewalld.dbus FIREWALLD.DBUS(5)
NAME
firewalld.dbus - firewalld D-Bus interface description
OBJECT PATHS
This is the basic firewalld object path structure. The interfaces used are explained below in the INTERFACES section.
/org/fedoraproject/FirewallD1
Interfaces
org.fedoraproject.FirewallD1
org.fedoraproject.FirewallD1.direct
org.fedoraproject.FirewallD1.policies
org.fedoraproject.FirewallD1.zone
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config
Interfaces
org.fedoraproject.FirewallD1.config
org.fedoraproject.FirewallD1.config.direct
org.fedoraproject.FirewallD1.config.policies
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/icmptype/i
Interfaces
org.fedoraproject.FirewallD1.config.icmptype
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/service/i
Interfaces
org.fedoraproject.FirewallD1.config.service
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/zone/i
Interfaces
org.fedoraproject.FirewallD1.config.zone
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
INTERFACES
org.fedoraproject.FirewallD1
This interface contains general runtime operations such as reloading, panic mode, the default zone, and getting services and icmp types and
their settings.
Methods
completeReload() -> Nothing
Reload firewall completely, even netfilter kernel modules.
disablePanicMode() -> Nothing
Disable panic mode.
enablePanicMode() -> Nothing
Enable panic mode.
getDefaultZone() -> s
Return default zone.
getIcmpTypeSettings(s: icmptype) -> (sssas)
Return icmptype settings in format: version, name, description, array of destinations.
getServiceSettings(s: service) -> (sssa(ss)asa{ss})
Return service settings in format: version, name, description, array of ports (port, protocol), array of module names, destinations
{IP family : IP address}.
listIcmpTypes() -> as
Return list of icmptype names.
listServices() -> as
Return list of service names.
queryPanicMode() -> b
Return true if panic mode is enabled, false otherwise.
reload() -> Nothing
Reload firewall rules and keep state information.
setDefaultZone(s: zone) -> Nothing
Set default zone to zone.
Signals
DefaultZoneChanged(s: zone)
Emitted when default zone has been changed to zone.
PanicModeDisabled()
Emitted when panic mode has been deactivated.
PanicModeEnabled()
Emitted when panic mode has been activated.
Reloaded()
Emitted when firewalld has been reloaded. Also emitted for a complete reload.
Properties
BRIDGE - b - (ro)
Indicates whether the firewall has ethernet bridge support.
IPv4 - b - (ro)
Indicates whether the firewall has IPv4 support.
IPv6 - b - (ro)
Indicates whether the firewall has IPv6 support.
interface_version - s - (ro)
firewalld D-Bus interface version string.
state - s - (ro)
firewalld state. This can be either INIT or RUNNING. In INIT state, firewalld is starting up and initializing.
version - s - (ro)
firewalld version string.
org.fedoraproject.FirewallD1.direct
This interface enables more direct access to the firewall. It enables runtime manipulation of chains and rules. For permanent
configuration see the org.fedoraproject.FirewallD1.config.direct interface.
Methods
addChain(s: ipv, s: table, s: chain) -> Nothing
Add a new chain to table for ipv being either ipv4 or ipv6 or eb.
addRule(s: ipv, s: table, s: chain, i: priority, as: args) -> Nothing
Add a rule with the arguments args to chain in table with priority for ipv being either ipv4 or ipv6 or eb.
getAllChains() -> a(sss)
Get all chains added to all tables in format: ipv, table, chain.
getAllRules() -> a(sssias)
Get all rules added to all chains in all tables in format: ipv, table, chain, priority, rule.
getChains(s: ipv, s: table) -> as
Get all chains added to table for ipv being either ipv4 or ipv6 or eb.
getRules(s: ipv, s: table, s: chain) -> a(ias)
Get all rules added to chain in table for ipv being either ipv4 or ipv6 or eb.
passthrough(s: ipv, as: args) -> s
Pass a command through to the firewall. ipv can be either ipv4 or ipv6 or eb. args can be any iptables, ip6tables or ebtables
command line arguments.
queryChain(s: ipv, s: table, s: chain) -> b
Return whether a chain exists in table for ipv being either ipv4 or ipv6.
queryRule(s: ipv, s: table, s: chain, i: priority, as: args) -> b
Return whether a rule with priority and the arguments args exists in chain in table for ipv being either ipv4 or ipv6 or eb.
removeChain(s: ipv, s: table, s: chain) -> Nothing
Remove a chain from table for ipv being either ipv4 or ipv6.
removeRule(s: ipv, s: table, s: chain, i: priority, as: args) -> Nothing
Remove a rule with priority and arguments args from chain in table for ipv being either ipv4 or ipv6.
removeRules(s: ipv, s: table, s: chain) -> Nothing
Remove all rules from chain in table for ipv being either ipv4 or ipv6.
Signals
ChainAdded(s: ipv, s: table, s: chain)
Emitted when chain has been added to table for ipv being either ipv4 or ipv6.
ChainRemoved(s: ipv, s: table, s: chain)
Emitted when chain has been removed from table for ipv being either ipv4 or ipv6.
RuleAdded(s: ipv, s: table, s: chain, i: priority, as: args)
Emitted when a rule with args has been added to chain in table with priority for ipv being either ipv4 or ipv6 or eb.
RuleRemoved(s: ipv, s: table, s: chain, i: priority, as: args)
Emitted when a rule with args has been removed from chain in table with priority for ipv being either ipv4 or ipv6 or eb.
org.fedoraproject.FirewallD1.policies
Enables firewalld to lock down configuration changes from local applications. Local applications or services are able to change
the firewall configuration if they are running as root (example: libvirt). With these operations an administrator can lock the firewall
configuration so that either no applications or only applications that are on the whitelist are able to request firewall changes. For permanent
configuration see the org.fedoraproject.FirewallD1.config.policies interface.
Methods
addLockdownWhitelistCommand(s: command) -> Nothing
Add command to whitelist.
addLockdownWhitelistContext(s: context) -> Nothing
Add context to whitelist.
addLockdownWhitelistUid(i: uid) -> Nothing
Add user id uid to whitelist.
addLockdownWhitelistUser(s: user) -> Nothing
Add user to whitelist.
disableLockdown() -> Nothing
Disable lockdown.
enableLockdown() -> Nothing
Enable lockdown.
getLockdownWhitelistCommands() -> as
List all command lines that are on whitelist.
getLockdownWhitelistContexts() -> as
List all contexts that are on whitelist.
getLockdownWhitelistUids() -> ai
List all user ids that are on whitelist.
getLockdownWhitelistUsers() -> as
List all users that are on whitelist.
queryLockdown() -> b
Query whether lockdown is enabled.
queryLockdownWhitelistCommand(s: command) -> b
Query whether command is on whitelist.
queryLockdownWhitelistContext(s: context) -> b
Query whether context is on whitelist.
queryLockdownWhitelistUid(i: uid) -> b
Query whether user id uid is on whitelist.
queryLockdownWhitelistUser(s: user) -> b
Query whether user is on whitelist.
removeLockdownWhitelistCommand(s: command) -> Nothing
Remove command from whitelist.
removeLockdownWhitelistContext(s: context) -> Nothing
Remove context from whitelist.
removeLockdownWhitelistUid(i: uid) -> Nothing
Remove user id uid from whitelist.
removeLockdownWhitelistUser(s: user) -> Nothing
Remove user from whitelist.
Signals
LockdownDisabled()
Emitted when lockdown has been disabled.
LockdownEnabled()
Emitted when lockdown has been enabled.
LockdownWhitelistCommandAdded(s: command)
Emitted when command has been added to whitelist.
LockdownWhitelistCommandRemoved(s: command)
Emitted when command has been removed from whitelist.
LockdownWhitelistContextAdded(s: context)
Emitted when context has been added to whitelist.
LockdownWhitelistContextRemoved(s: context)
Emitted when context has been removed from whitelist.
LockdownWhitelistUidAdded(i: uid)
Emitted when user id uid has been added to whitelist.
LockdownWhitelistUidRemoved(i: uid)
Emitted when user id uid has been removed from whitelist.
LockdownWhitelistUserAdded(s: user)
Emitted when user has been added to whitelist.
LockdownWhitelistUserRemoved(s: user)
Emitted when user has been removed from whitelist.
org.fedoraproject.FirewallD1.zone
Operations in this interface allow getting, adding, removing and querying runtime zone settings. For permanent configuration see the
org.fedoraproject.FirewallD1.config.zone interface.
Methods
addForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr, i: timeout) -> s
Add the IPv4 forward port for zone. If zone is empty, use default zone. The port can either be a single port number portid or a
port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address. If timeout is
non-zero, the operation will be active only for that number of seconds.
Returns name of zone to which the forward port was added.
addIcmpBlock(s: zone, s: icmp, i: timeout) -> s
Add an ICMP block icmp for zone. If zone is empty, use default zone. If timeout is non-zero, the operation will be active only for
that number of seconds.
Returns name of zone to which the ICMP block was added.
addInterface(s: zone, s: interface) -> s
Bind interface to zone. If zone is empty, use default zone.
Returns name of zone to which the interface was bound.
addMasquerade(s: zone, i: timeout) -> s
Enable IPv4 masquerade for zone. If zone is empty, use default zone. If timeout is non-zero, masquerading will be active only for
that number of seconds.
Returns name of zone in which the masquerade was enabled.
addPort(s: zone, s: port, s: protocol, i: timeout) -> s
Add port for zone. If zone is empty, use default zone. The port can either be a single port number or a port range portid-portid.
The protocol can either be tcp or udp. If timeout is non-zero, the operation will be active only for that number of seconds.
Returns name of zone to which the port was added.
addRichRule(s: zone, s: rule, i: timeout) -> s
Add rich language rule for zone. If zone is empty, use default zone. If timeout is non-zero, the operation will be active only for
that number of seconds.
Returns name of zone to which the rich language rule was added.
addService(s: zone, s: service, i: timeout) -> s
Add service for zone. If zone is empty, use default zone. If timeout is non-zero, the operation will be active only for that number
of seconds.
Returns name of zone to which the service was added.
addSource(s: zone, s: source) -> s
Bind source to zone. If zone is empty, use default zone.
Returns name of zone to which the source was bound.
changeZone(s: zone, s: interface) -> s
This function is deprecated, use changeZoneOfInterface instead.
changeZoneOfInterface(s: zone, s: interface) -> s
Change the zone interface is part of to zone. If zone is empty, use default zone.
Returns name of zone.
changeZoneOfSource(s: zone, s: source) -> s
Change the zone source is part of to zone. If zone is empty, use default zone.
Returns name of zone.
getActiveZones() -> a{sa{sas}}
Return dictionary of currently active zones together with the interfaces and sources used in these zones. Active zones are zones
that have a binding to an interface or source.
getForwardPorts(s: zone) -> aas
Return list of IPv4 forward ports added for zone. If zone is empty, use default zone.
getIcmpBlocks(s: zone) -> as
Return list of Internet Control Message Protocol (ICMP) type blocks added for zone. If zone is empty, use default zone.
getInterfaces(s: zone) -> as
Return list of interfaces of a zone. If zone is empty, use default zone.
getPorts(s: zone) -> aas
Return list of enabled ports in a zone. If zone is empty, use default zone.
getRichRules(s: zone) -> as
Return list of rich language rules added for zone. If zone is empty, use default zone.
getServices(s: zone) -> as
Return list of enabled services in a zone. If zone is empty, use default zone.
getSources(s: zone) -> as
Return list of sources of a zone. If zone is empty, use default zone.
getZoneOfInterface(s: interface) -> s
Return name of zone the interface is bound to or empty string.
getZoneOfSource(s: source) -> s
Return name of zone the source is bound to or empty string.
getZones() -> as
Return names of predefined zones.
isImmutable(s: zone) -> b
Deprecated.
queryForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr) -> b
Return whether the IPv4 forward port has been added for zone. If zone is empty, use default zone.
queryIcmpBlock(s: zone, s: icmp) -> b
Return whether an ICMP block for icmp has been added for zone. If zone is empty, use default zone.
queryInterface(s: zone, s: interface) -> b
Query whether interface has been bound to zone. If zone is empty, use default zone.
queryMasquerade(s: zone) -> b
Return whether IPv4 masquerading has been enabled for zone. If zone is empty, use default zone.
queryPort(s: zone, s: port, s: protocol) -> b
Return whether port/protocol has been added for zone. If zone is empty, use default zone.
queryRichRule(s: zone, s: rule) -> b
Return whether rich rule rule has been added for zone. If zone is empty, use default zone.
queryService(s: zone, s: service) -> b
Return whether service has been added for zone. If zone is empty, use default zone.
querySource(s: zone, s: source) -> b
Query whether source has been bound to zone. If zone is empty, use default zone.
removeForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr) -> s
Remove IPv4 forward port from zone. If zone is empty, use default zone.
Returns name of zone from which the forward port was removed.
removeIcmpBlock(s: zone, s: icmp) -> s
Remove ICMP block icmp from zone. If zone is empty, use default zone.
Returns name of zone from which the ICMP block was removed.
removeInterface(s: zone, s: interface) -> s
Remove binding of interface from zone. If zone is empty, use default zone.
Returns name of zone.
removeMasquerade(s: zone) -> s
Disable IPv4 masquerade for zone. If zone is empty, use default zone.
Returns name of zone for which the masquerade was disabled.
removePort(s: zone, s: port, s: protocol) -> s
Remove port from zone. If zone is empty, use default zone.
Returns name of zone from which the port was removed.
removeRichRule(s: zone, s: rule) -> s
Remove rich language rule from zone. If zone is empty, use default zone.
Returns name of zone from which the rich language rule was removed.
removeService(s: zone, s: service) -> s
Remove service from zone. If zone is empty, use default zone.
Returns name of zone from which the service was removed.
removeSource(s: zone, s: source) -> s
Remove binding of source from zone. If zone is empty, use default zone.
Returns name of zone.
Signals
ForwardPortAdded(s: zone, s: port, s: protocol, s: toport, s: toaddr, i: timeout)
Emitted when forward port has been added to zone with timeout.
ForwardPortRemoved(s: zone, s: port, s: protocol, s: toport, s: toaddr)
Emitted when forward port has been removed from zone.
IcmpBlockAdded(s: zone, s: icmp, i: timeout)
Emitted when ICMP block for icmp has been added to zone with timeout.
IcmpBlockRemoved(s: zone, s: icmp)
Emitted when ICMP block for icmp has been removed from zone.
InterfaceAdded(s: zone, s: interface)
Emitted when interface has been added to zone.
InterfaceRemoved(s: zone, s: interface)
Emitted when interface has been removed from zone.
MasqueradeAdded(s: zone, i: timeout)
Emitted when IPv4 masquerade has been enabled for zone.
MasqueradeRemoved(s: zone)
Emitted when IPv4 masquerade has been disabled for zone.
PortAdded(s: zone, s: port, s: protocol, i: timeout)
Emitted when port/protocol has been added to zone with timeout.
PortRemoved(s: zone, s: port, s: protocol)
Emitted when port/protocol has been removed from zone.
RichRuleAdded(s: zone, s: rule, i: timeout)
Emitted when rich language rule has been added to zone with timeout.
RichRuleRemoved(s: zone, s: rule)
Emitted when rich language rule has been removed from zone.
ServiceAdded(s: zone, s: service, i: timeout)
Emitted when service has been added to zone with timeout.
ServiceRemoved(s: zone, s: service)
Emitted when service has been removed from zone.
SourceAdded(s: zone, s: source)
Emitted when source has been added to zone.
SourceRemoved(s: zone, s: source)
Emitted when source has been removed from zone.
ZoneChanged(s: zone, s: interface)
Deprecated
ZoneOfInterfaceChanged(s: zone, s: interface)
Emitted when a zone an interface is part of has been changed to zone.
ZoneOfSourceChanged(s: zone, s: source)
Emitted when the zone a source is part of has been changed to zone.
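The signals of the runtime interfaces above (org.fedoraproject.FirewallD1, .direct, .policies and .zone) are what a monitoring process on the system bus sees when the firewall is changed behind the administrator's back. The following added example, which is not firewalld's own code, turns a stream of such signals into an audit log and rates the ones that widen exposure; the signal records are constructed, and on a live system they would be delivered by dbus-python's add_signal_receiver as noted in the comments.

```python
# Runtime signals from the interfaces above whose arrival weakens protection or
# widens what is reachable; everything else is logged as informational.
WEAKENING = {
    "org.fedoraproject.FirewallD1.PanicModeDisabled",
    "org.fedoraproject.FirewallD1.policies.LockdownDisabled",
    "org.fedoraproject.FirewallD1.direct.ChainAdded",
    "org.fedoraproject.FirewallD1.direct.RuleAdded",
    "org.fedoraproject.FirewallD1.zone.PortAdded",
    "org.fedoraproject.FirewallD1.zone.ServiceAdded",
    "org.fedoraproject.FirewallD1.zone.ForwardPortAdded",
    "org.fedoraproject.FirewallD1.zone.MasqueradeAdded",
    "org.fedoraproject.FirewallD1.zone.RichRuleAdded",
    "org.fedoraproject.FirewallD1.zone.IcmpBlockRemoved",
}

# Argument names as given in the signal descriptions, so log lines are readable.
ARG_NAMES = {
    "org.fedoraproject.FirewallD1.zone.PortAdded": ("zone", "port", "protocol", "timeout"),
    "org.fedoraproject.FirewallD1.zone.ServiceAdded": ("zone", "service", "timeout"),
    "org.fedoraproject.FirewallD1.zone.ForwardPortAdded":
        ("zone", "port", "protocol", "toport", "toaddr", "timeout"),
    "org.fedoraproject.FirewallD1.zone.MasqueradeAdded": ("zone", "timeout"),
    "org.fedoraproject.FirewallD1.zone.RichRuleAdded": ("zone", "rule", "timeout"),
    "org.fedoraproject.FirewallD1.direct.RuleAdded": ("ipv", "table", "chain", "priority", "args"),
    "org.fedoraproject.FirewallD1.DefaultZoneChanged": ("zone",),
}

def audit(interface, member, args):
    """Classify one signal as (severity, log line). A weakening change that
    carries no timeout, or a timeout of 0, lasts for the rest of the runtime
    and rates 'alert'; a timed one rates 'warning'; anything else is 'info'."""
    full = interface + "." + member
    names = ARG_NAMES.get(full, tuple("arg%d" % i for i in range(len(args))))
    fields = ", ".join("%s=%r" % (n, v) for n, v in zip(names, args))
    severity = "info"
    if full in WEAKENING:
        timed = "timeout" in names and args[names.index("timeout")] != 0
        severity = "warning" if timed else "alert"
    return severity, "%s %s(%s)" % (severity.upper(), full, fields)

def audit_stream(records):
    """Audit an iterable of (interface, signal name, args) records in order."""
    return [audit(iface, member, args) for iface, member, args in records]

# Constructed sample records. On a live system the same triples would come from
# dbus.SystemBus().add_signal_receiver(handler, dbus_interface=<iface>,
# interface_keyword="interface", member_keyword="member"), one per interface.
SAMPLE_RECORDS = [
    ("org.fedoraproject.FirewallD1.zone", "ServiceAdded", ("public", "http", 600)),
    ("org.fedoraproject.FirewallD1.zone", "PortAdded", ("public", "22", "tcp", 0)),
    ("org.fedoraproject.FirewallD1.policies", "LockdownDisabled", ()),
    ("org.fedoraproject.FirewallD1.direct", "RuleAdded",
     ("ipv4", "filter", "INPUT", 0, ["-j", "ACCEPT"])),
    ("org.fedoraproject.FirewallD1", "DefaultZoneChanged", ("trusted",)),
]
```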
org.fedoraproject.FirewallD1.config
Allows permanently adding, removing and querying zones, services and icmp types.
Methods
addIcmpType(s: icmptype, (sssas): settings) -> o
Add icmptype with given settings.
addService(s: service, (sssa(ss)asa{ss}): settings) -> o
Add service with given settings.
addZone(s: zone, (sssbsasa(ss)asba(ssss)asasas): settings) -> o
Add zone with given settings.
getIcmpTypeByName(s: icmptype) -> o
Return object path of icmptype.
getServiceByName(s: service) -> o
Return object path of service.
getZoneByName(s: zone) -> o
Return object path of zone.
getZoneOfInterface(s: iface) -> s
Return name of zone the iface is bound to or empty string.
getZoneOfSource(s: source) -> s
Return name of zone the source is bound to or empty string.
listIcmpTypes() -> ao
List icmptype object paths.
listServices() -> ao
List service object paths.
listZones() -> ao
List zones object paths.
Signals
IcmpTypeAdded(s: icmptype)
Emitted when icmptype has been added.
ServiceAdded(s: service)
Emitted when service has been added.
ZoneAdded(s: zone)
Emitted when zone has been added.
Properties
CleanupOnExit - s - (rw)
If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves the current firewall rules
untouched.
DefaultZone - s - (ro)
Default zone for connections or interfaces if the zone is not selected or specified by NetworkManager, initscripts or command line
tool.
Lockdown - s - (ro)
If this property is enabled, firewall changes with the D-Bus interface will be limited to applications that are listed in the
lockdown whitelist.
MinimalMark - i - (rw)
For some firewall settings several rules are needed in different tables to be able to handle packets in the correct way. To achieve
that these packets are marked using the MARK target. With the MinimalMark property a block of marks can be reserved for private
use; only marks over this value are used.
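The settings arguments of addIcmpType, addService and addZone are D-Bus struct signatures, and firewalld rejects a tuple whose shape does not match. As an added example, not code from firewalld, the following parses those signatures into their member types and checks a candidate service tuple before it is submitted, using the field names given for getServiceSettings above; the 'ipv4'/'ipv6' destination keys are an assumption and the sample tuple is constructed.

```python
import re

# Settings signatures quoted in this interface description (firewalld 0.3.9).
SERVICE_SIG = "(sssa(ss)asa{ss})"
ZONE_SIG = "(sssbsasa(ss)asba(ssss)asasas)"
# Service field names as given for getServiceSettings above.
SERVICE_FIELDS = ("version", "name", "description", "ports", "modules", "destinations")
BASIC = {"s": str, "b": bool, "i": int}   # the basic type codes these tuples use

def _end_of_type(sig, i):
    """Index just past the complete D-Bus type that starts at sig[i]."""
    c = sig[i]
    if c == "a":                      # array: 'a' followed by one complete type
        return _end_of_type(sig, i + 1)
    if c in "({":                     # struct / dict entry: find the matching close
        depth = 0
        for j in range(i, len(sig)):
            depth += 1 if sig[j] in "({" else -1 if sig[j] in ")}" else 0
            if depth == 0:
                return j + 1
        raise ValueError("unterminated container in %r" % sig)
    if c in "ybnqiuxtdsogvh":         # basic type codes
        return i + 1
    raise ValueError("unknown type code %r in %r" % (c, sig))

def parse_signature(sig):
    """Top-level complete types: 'sa(ss)a{ss}' -> ['s', 'a(ss)', 'a{ss}']."""
    types, i = [], 0
    while i < len(sig):
        j = _end_of_type(sig, i)
        types.append(sig[i:j])
        i = j
    return types

def conforms(value, sig):
    """True if value has the shape of D-Bus type sig (codes used by firewalld only)."""
    if sig in BASIC:                  # bool is an int subclass, so keep 'i' strict
        return isinstance(value, BASIC[sig]) and (sig == "b" or not isinstance(value, bool))
    if sig.startswith("a{"):          # dict a{kv}: check every key and value
        k, v = parse_signature(sig[2:-1])
        return isinstance(value, dict) and all(
            conforms(a, k) and conforms(b, v) for a, b in value.items())
    if sig.startswith("a"):           # array: every element matches the inner type
        return isinstance(value, (list, tuple)) and all(conforms(x, sig[1:]) for x in value)
    if sig.startswith("("):           # struct: arity and each member must match
        fields = parse_signature(sig[1:-1])
        return (isinstance(value, (list, tuple)) and len(value) == len(fields)
                and all(conforms(x, t) for x, t in zip(value, fields)))
    raise ValueError("unsupported type %r" % sig)

def _valid_port(spec):
    """portid or portid-portid, each number within 1..65535."""
    return bool(re.match(r"^\d{1,5}(-\d{1,5})?$", spec)) and all(
        1 <= int(p) <= 65535 for p in spec.split("-"))

def check_service_settings(settings):
    """Problems with a tuple destined for addService/update; empty list means ok.
    ASSUMPTION: destination keys are the IP family names 'ipv4' / 'ipv6'."""
    if not conforms(settings, SERVICE_SIG):
        return ["settings do not match signature %s" % SERVICE_SIG]
    s = dict(zip(SERVICE_FIELDS, settings))
    problems = ["bad port spec %r" % p for p, _ in s["ports"] if not _valid_port(p)]
    problems += ["bad protocol %r for port %r" % (pr, p) for p, pr in s["ports"] if pr not in ("tcp", "udp")]
    problems += ["bad IP family %r in destinations" % f for f in s["destinations"] if f not in ("ipv4", "ipv6")]
    return problems

# Constructed sample: a service tuple in the shape getServiceSettings returns.
SAMPLE_SERVICE = ("1.0", "ssh", "Secure Shell", [("22", "tcp")], [], {})
```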
org.fedoraproject.FirewallD1.config.direct
Interface for permanent direct configuration, see firewalld.direct(5). For runtime direct configuration see the org.fedoraproject.FirewallD1.direct
interface.
Methods
getSettings() -> (a(sss)a(sssias)a(sas))
Get settings of permanent direct configuration.
update((a(sss)a(sssias)a(sas)): settings) -> Nothing
Update permanent direct configuration with given settings.
Signals
Updated()
Emitted when configuration has been updated.
org.fedoraproject.FirewallD1.config.policies
Interface for permanent lockdown-whitelist configuration, see firewalld.lockdown(5). For runtime configuration see the
org.fedoraproject.FirewallD1.policies interface.
Methods
getLockdownWhitelist() -> (asasasai)
Get settings of permanent lockdown-whitelist configuration.
setLockdownWhitelist((asasasai): settings) -> Nothing
Set permanent lockdown-whitelist configuration to settings.
Signals
LockdownWhitelistUpdated()
Emitted when permanent lockdown-whitelist configuration has been updated.
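The runtime policies interface and the permanent (asasasai) whitelist above both describe the same access decision: with lockdown enabled, a caller may change the firewall only if its command, SELinux context, user or uid is on the whitelist. The following added example, not firewalld's own code, models that decision over a whitelist built from the getLockdownWhitelist tuple; the Caller type, the trailing-'*' prefix match for commands and the sample whitelist entries are assumptions made here.

```python
from collections import namedtuple

# (asasasai) as returned by getLockdownWhitelist(): commands, contexts, users, uids.
LockdownWhitelist = namedtuple("LockdownWhitelist", "commands contexts users uids")
# Hypothetical record of the attributes the lockdown check compares for a D-Bus caller.
Caller = namedtuple("Caller", "command context user uid")

def from_dbus_tuple(settings):
    """Build a LockdownWhitelist from the (asasasai) tuple."""
    commands, contexts, users, uids = settings
    return LockdownWhitelist(list(commands), list(contexts), list(users), [int(u) for u in uids])

def command_matches(entry, command):
    """Exact match; a trailing '*' in the whitelist entry makes it a prefix match
    (ASSUMPTION about how firewalld compares command lines)."""
    if entry.endswith("*"):
        return command.startswith(entry[:-1])
    return command == entry

def change_allowed(lockdown_enabled, whitelist, caller):
    """Return (allowed, reason). With lockdown disabled any caller firewalld
    already accepts may change the firewall; with lockdown enabled at least
    one whitelist entry must match the caller."""
    if not lockdown_enabled:
        return True, "lockdown disabled"
    if caller.uid in whitelist.uids:
        return True, "uid %d is on whitelist" % caller.uid
    if caller.user in whitelist.users:
        return True, "user %s is on whitelist" % caller.user
    if caller.context in whitelist.contexts:
        return True, "context %s is on whitelist" % caller.context
    for entry in whitelist.commands:
        if command_matches(entry, caller.command):
            return True, "command matches whitelist entry %s" % entry
    return False, "no whitelist entry matches caller"

# Constructed sample whitelist: the graphical client, libvirt's SELinux domain
# and one administrative account; root itself is deliberately not listed.
SAMPLE_WHITELIST = from_dbus_tuple((
    ["/usr/bin/python -Es /usr/bin/firewall-config"],
    ["system_u:system_r:virtd_t:s0-s0:c0.c1023"],
    ["fwadmin"],
    [],
))
```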
org.fedoraproject.FirewallD1.config.zone
Interface for permanent zone configuration, see firewalld.zone(5).
Methods
getSettings() -> (sssbsasa(ss)asba(ssss)asasas)
Return permanent settings of a zone.
loadDefaults() -> Nothing
Load default settings for built-in zone.
remove() -> Nothing
Remove a zone that is not built-in.
rename(s: name) -> Nothing
Rename a zone that is not built-in to name.
update((sssbsasa(ss)asba(ssss)asasas): settings) -> Nothing
Update settings of zone to settings.
Signals
Removed(s: name)
Emitted when zone with name has been removed.
Renamed(s: name)
Emitted when zone has been renamed to name.
Updated(s: name)
Emitted when zone with name has been updated.
Properties
default - b - (ro)
True if a built-in zone has default settings. False if it has been modified. Always False for zones that are not built-in.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of zone.
path - s - (ro)
Path to directory where the zone configuration is stored. Should be either /usr/lib/firewalld/zones or /etc/firewalld/zones.
org.fedoraproject.FirewallD1.config.service
Interface for permanent service configuration, see firewalld.service(5).
Methods
getSettings() -> (sssa(ss)asa{ss})
Return permanent settings of a service.
loadDefaults() -> Nothing
Load default settings for built-in service.
remove() -> Nothing
Remove a service that is not built-in.
rename(s: name) -> Nothing
Rename a service that is not built-in to name.
update((sssa(ss)asa{ss}): settings) -> Nothing
Update settings of service to settings.
Signals
Removed(s: name)
Emitted when service with name has been removed.
Renamed(s: name)
Emitted when service has been renamed to name.
Updated(s: name)
Emitted when service with name has been updated.
Properties
default - b - (ro)
True if a built-in service has default settings. False if it has been modified. Always False for services that are not built-in.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of service.
path - s - (ro)
Path to directory where the configuration is stored. Should be either /usr/lib/firewalld/services or /etc/firewalld/services.
org.fedoraproject.FirewallD1.config.icmptype
Interface for permanent icmp type configuration, see firewalld.icmptype(5).
Methods
getSettings() -> (sssas)
Return permanent settings of an icmp type.
loadDefaults() -> Nothing
Load default settings for built-in icmp type.
remove() -> Nothing
Remove an icmp type that is not built-in.
rename(s: name) -> Nothing
Rename an icmp type that is not built-in to name.
update((sssas): settings) -> Nothing
Update settings of icmp type to settings.
Signals
Removed(s: name)
Emitted when icmp type with name has been removed.
Renamed(s: name)
Emitted when icmp type has been renamed to name.
Updated(s: name)
Emitted when icmp type with name has been updated.
Properties
default - b - (ro)
True if a built-in icmp type has default settings. False if it has been modified. Always False for icmp types that are not built-in.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of icmp type.
path - s - (ro)
Path to directory where the icmp type configuration is stored. Should be either /usr/lib/firewalld/icmptypes or
/etc/firewalld/icmptypes.
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
firewalld.zones(5)
NOTES
firewalld home page at fedorahosted.org:
http://fedorahosted.org/firewalld/
More documentation with examples:
http://fedoraproject.org/wiki/FirewallD
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
firewalld 0.3.9 FIREWALLD.DBUS(5)