On 28.06.2024 18:58, Kenneth Porter wrote:
Coming from iptables, the zone concept was quite alien to me. But I found a blog entry that explained that packets are first classified by zone, then by interface.
Huh? You probably mean source zone vs. interface zone. The packet cannot be "classified by zone" as "zone" does not exist on this level. Packet properties (source address or ingress interface) are used to associate a packet with a zone.
And I see now that zones can be ordered:
It does not change the fact that each packet belongs to one and only one zone.
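As an added illustration of the point made above (this is not code from the thread or from firewalld itself), here is a small Python model of how firewalld resolves the single zone for an incoming packet. The lookup order (a matching source binding wins over the ingress interface binding, and anything unmatched falls into the default zone) is taken from firewalld's documented behaviour; the zone bindings and packets are constructed samples.

```python
"""Model of firewalld's per-packet zone lookup (added example, not firewalld code).

Assumed order, per firewalld's documentation: source bindings are consulted
first, then the binding of the ingress interface, then the default zone.
Whatever the bindings, exactly one zone is returned per packet.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)     # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)  # names bound with --add-interface


def classify(packet_src: str, ingress_if: str, zones: list, default_zone: str) -> str:
    """Return the name of the one zone the packet belongs to."""
    src = ipaddress.ip_address(packet_src)
    # 1. Source bindings override the interface the packet arrived on.
    for z in zones:
        for cidr in z.sources:
            if src in ipaddress.ip_network(cidr, strict=False):
                return z.name
    # 2. Otherwise the zone the ingress interface is bound to.
    for z in zones:
        if ingress_if in z.interfaces:
            return z.name
    # 3. Everything else lands in the default zone.
    return default_zone


# Constructed sample configuration (not from the thread).
SAMPLE_ZONES = [
    Zone("trusted", sources=["10.0.0.0/8"]),
    Zone("internal", interfaces=["eth1"]),
    Zone("public", interfaces=["eth0"]),
]
DEFAULT_ZONE = "public"


def demo():
    """Three constructed packets, one hitting each lookup stage."""
    return [
        classify("10.1.2.3", "eth0", SAMPLE_ZONES, DEFAULT_ZONE),      # source binding wins
        classify("192.168.1.5", "eth1", SAMPLE_ZONES, DEFAULT_ZONE),   # interface binding
        classify("203.0.113.9", "eth9", SAMPLE_ZONES, DEFAULT_ZONE),   # default zone
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the packet from 10.1.2.3 arriving on eth0 is placed in "trusted", not in eth0's zone "public", because the source binding is checked first.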