diff --git a/cdist/conf/type/__firewalld_rule/explorer/rule b/cdist/conf/type/__firewalld_rule/explorer/rule
new file mode 100644
index 00000000..e9e1ebeb
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/explorer/rule
@@ -0,0 +1,31 @@
+#
+# 2015 Nico Schottelius (nico-cdist at schottelius.org)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+
+protocol="$(cat "$__object/parameter/protocol")"
+table="$(cat "$__object/parameter/table")"
+chain="$(cat "$__object/parameter/chain")"
+priority="$(cat "$__object/parameter/priority")"
+rule="$(cat "$__object/parameter/rule")"
+
+if firewall-cmd --permanent --direct --query-rule "$protocol" "$table" "$chain" "$priority" $rule >/dev/null; then
+ echo present
+else
+ echo absent
+fi
diff --git a/cdist/conf/type/__firewalld_rule/gencode-remote b/cdist/conf/type/__firewalld_rule/gencode-remote
new file mode 100644
index 00000000..a70dae13
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/gencode-remote
@@ -0,0 +1,45 @@
+#
+# 2015 Nico Schottelius (nico-cdist at schottelius.org)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+
+name="$__object_id"
+state_should="$(cat "$__object/parameter/state")"
+state_is="$(cat "$__object/explorer/rule")"
+
+[ "$state_is" = "$state_should" ] && exit 0
+
+protocol="$(cat "$__object/parameter/protocol")"
+table="$(cat "$__object/parameter/table")"
+chain="$(cat "$__object/parameter/chain")"
+priority="$(cat "$__object/parameter/priority")"
+rule="$(cat "$__object/parameter/rule")"
+
+case "$state_should" in
+ present)
+ echo firewall-cmd --permanent --direct --add-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+ ;;
+
+ present)
+ echo firewall-cmd --permanent --direct --remove-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+ ;;
+ *)
+ echo "Unknown state $state_should" >&2
+ exit 1
+ ;;
+esac
diff --git a/cdist/conf/type/__firewalld_rule/man.text b/cdist/conf/type/__firewalld_rule/man.text
new file mode 100644
index 00000000..17296a25
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/man.text
@@ -0,0 +1,78 @@
+cdist-type__firewalld_rule(7)
+=============================
+Nico Schottelius
+
+
+NAME
+----
+cdist-type__firewalld_rule - Configure firewalld rules
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to manage rules in firewalld
+using the *direct* way (i.e. no zone support).
+
+
+REQUIRED PARAMETERS
+-------------------
+rule::
+ The rule to apply. Essentially an firewalld command
+ line without firewalld in front of it.
+protocol::
+ Either ipv4, ipv4 or eb. See firewall-cmd(1)
+table::
+ The table to use (like filter or nat). See firewall-cmd(1).
+chain::
+ The chain to use (like INPUT_direct or FORWARD_direct). See firewall-cmd(1).
+priority::
+ The priority to use (0 is topmost). See firewall-cmd(1).
+
+
+OPTIONAL PARAMETERS
+-------------------
+state::
+ 'present' or 'absent', defaults to 'present'
+
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+# Allow acces from entrance.place4.ungleich.ch
+__firewalld_rule entrance \
+ --protocol ipv4 \
+ --table filter \
+ --chain INPUT_direct \
+ --priority 0 \
+ --rule '-s entrance.place4.ungleich.ch -j ACCEPT'
+
+# Allow forwarding of traffic from br0
+__firewalld_rule vm-forward --protocol ipv4 \
+ --table filter \
+ --chain FORWARD_direct \
+ --priority 0 \
+ --rule '-i br0 -j ACCEPT'
+
+# Ensure old rule is absent - warning, the rule part must stay the same!
+__firewalld_rule vm-forward
+ --protocol ipv4 \
+ --table filter \
+ --chain FORWARD_direct \
+ --priority 0 \
+ --rule '-i br0 -j ACCEPT' \
+ --state absent
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- cdist-type__iptables_rule(7)
+- firewalld(8)
+
+
+COPYING
+-------
+Copyright \(C) 2015 Nico Schottelius. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/cdist/conf/type/__firewalld_rule/parameter/default/state b/cdist/conf/type/__firewalld_rule/parameter/default/state
new file mode 100644
index 00000000..e7f6134f
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/cdist/conf/type/__firewalld_rule/parameter/optional b/cdist/conf/type/__firewalld_rule/parameter/optional
new file mode 100644
index 00000000..ff72b5c7
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/parameter/optional
@@ -0,0 +1 @@
+state
diff --git a/cdist/conf/type/__firewalld_rule/parameter/required b/cdist/conf/type/__firewalld_rule/parameter/required
new file mode 100644
index 00000000..58def7e4
--- /dev/null
+++ b/cdist/conf/type/__firewalld_rule/parameter/required
@@ -0,0 +1,5 @@
+chain
+priority
+protocol
+rule
+table
diff --git a/docs/changelog b/docs/changelog
index 74f400a4..f55a01ac 100644
--- a/docs/changelog
+++ b/docs/changelog
@@ -1,6 +1,9 @@
Changelog
---------
+next:
+ * New type: __firewalld_rule (Nico Schottelius)
+
3.1.11: 2015-02-27
* New type: __staged_file: Manage staged files (Steven Armstrong)
* New type: __config_file: Manage configuration files and run code on change (Steven Armstrong)