On 6/28/2024 9:16 AM, Andrei Borzenkov wrote:
Huh? You probably mean source zone vs. interface zone. The packet cannot be "classified by zone" as "zone" does not exist on this level. Packet properties (source address or ingress interface) are used to associate a packet with a zone.
Thanks, that's much better. What is an egress zone? Can packets enter in one zone and exit in another?
With iptables, I had a diagram that showed where all the filters hook in as a packet passes through the system.
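As an added illustration, not code from either participant and a simplified model rather than firewalld's own implementation: the lookup that turns a packet's properties into a zone, checking source-address bindings first, then ingress-interface bindings, then falling back to the default zone. The zone table and packets below are constructed.

```python
import ipaddress

# Constructed, simplified zone table (hypothetical, not a real firewalld config):
# each zone lists the source networks and ingress interfaces bound to it.
ZONES = {
    "trusted": {"sources": ["10.0.0.0/8"], "interfaces": []},
    "internal": {"sources": [], "interfaces": ["eth1"]},
    "public": {"sources": [], "interfaces": ["eth0"]},
}
DEFAULT_ZONE = "public"


def classify(src_ip, ingress_iface, zones=ZONES, default=DEFAULT_ZONE):
    """Return the zone a firewalld-style lookup assigns to an incoming packet.

    The packet carries no zone of its own; the zone is derived at lookup
    time from two properties: source address, then ingress interface.
    Source bindings take precedence over interface bindings, and a packet
    matching neither lands in the default zone. Overlapping source
    bindings are not modelled here (the sample table has none).
    """
    addr = ipaddress.ip_address(src_ip)
    # 1. Source-address bindings are consulted first.
    for name, cfg in zones.items():
        if any(addr in ipaddress.ip_network(net) for net in cfg["sources"]):
            return name
    # 2. Then the ingress interface the packet arrived on.
    for name, cfg in zones.items():
        if ingress_iface in cfg["interfaces"]:
            return name
    # 3. Otherwise the default zone applies.
    return default


if __name__ == "__main__":
    # Constructed sample packets: (source IP, ingress interface).
    for pkt in [("10.1.2.3", "eth0"), ("192.0.2.10", "eth1"),
                ("192.0.2.10", "eth0"), ("192.0.2.10", "wlan0")]:
        print(pkt, "->", classify(*pkt))
```

The first packet shows the point under discussion: it arrives on eth0 (bound to public) but its source is in a trusted network, so the source binding decides.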