Firewall4 high-level behavior

Hi all,

On the firewall config page, I am a bit surprised by the lack of a high-level explanation of the behavior of the firewall. Each config section is well documented, but it lacks an explanation of the interaction between sections (e.g. parsing order).

As a comparison, when one learns about pf, the documentation starts with a very clear high-level explanation, that makes all subsequent information fit into a clear mental scheme:

Filter rules specify the criteria that a packet must match and the resulting action, either block or pass, that is taken when a match is found. Filter rules are evaluated in sequential order, first to last. Unless the packet matches a rule containing the quick keyword, the packet will be evaluated against all filter rules before the final action is taken. The last rule to match is the "winner" and will dictate what action to take on the packet. There is an implicit pass all at the beginning of a filtering ruleset, meaning that the resulting action will be pass if a packet does not match any filter rule.

To be more specific, here are some examples of information that I think is missing:

  • Is the firewall config parsed from top to bottom, stopping at the first config rule that matches?

  • If no config rule matches, does the firewall then look at config zone, config forwarding and config redirect?

  • In other words, do config rule entries always override config zone, config forwarding and config redirect, regardless of their position in the file?

  • Are config zone, config forwarding and config redirect nothing more than syntactic sugar to create config rules? In other words, could I have an /etc/config/firewall that contains only config rule and reproduces all behavior?

If someone can confirm the points above, I can try and add it to the documentation, if it's helpful.

Config sections are loaded as objects, then rules are emitted in the final nft ruleset according to their semantics, between auto-generated rules like per-zone and global default actions.

If no config rule matches, the default action is taken.

No, each type is independent from the others; rules are emitted in order of specified precedence.

FALSE, you cannot make a rule to do offloading.
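As an added illustration (not part of either post above, and not the project's own documentation): a constructed /etc/config/firewall with one section of each type, annotated with where fw4 places each one in the nftables ruleset it generates (table inet fw4). The chain names and placement given in the comments are as observed in fw4-generated rulesets and should be confirmed with fw4 print on the device; the zone names follow the OpenWrt defaults, while the addresses, ports and rule names are made up.

```uci
# Constructed /etc/config/firewall (added example, not from the thread).
# Comments describe where fw4 emits each section in "table inet fw4";
# confirm on your device with:  fw4 print

config defaults
	option input 'REJECT'        # base-chain policies used when no zone matched
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# zone -> fw4 creates input_<zone>, output_<zone> and forward_<zone> chains
# (plus accept_to_/reject_from_/drop_from_ helpers); each zone chain ends
# with the zone's own default action set here
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'              # masq -> masquerade rule in srcnat_wan

# forwarding -> a "jump accept_to_wan" in forward_lan; it is not a
# config rule and is not ordered against rules by file position
config forwarding
	option src 'lan'
	option dest 'wan'

# rule with src only -> emitted into input_wan, ahead of the zone's
# default REJECT at the end of that chain, wherever it sits in this file
config rule
	option name 'Allow-WireGuard-In'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# rule with src and dest -> emitted into forward_lan, matching the wan
# output devices, ahead of the forwarding jump above
config rule
	option name 'Block-LAN-to-WAN-SMB'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '445'
	option target 'REJECT'

# redirect (DNAT) -> dnat entry in dstnat_wan; the translated flow is then
# let through by fw4's "ct status dnat accept" rule in forward_wan
config redirect
	option name 'SSH-to-host'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'
```

fw4 check validates this file, fw4 print emits the resulting ruleset without loading it, and nft list ruleset shows what is live. Reading the print output side by side with the config makes the reply's point concrete: the UCI file order does not survive into the ruleset; each section type lands in its own chain position, with config rule entries placed before the zone's default action in the input_/forward_ chain of their source zone.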