Help Isolating VLANs on 1.5-rolling

Yes, that's part of the optimizations regarding nftables (and older iptables) as to whether other rules should be inspected or not (along with the fact that nftables and iptables are first-match firewalls rather than best-match, as with the ones in *BSD products).

I have put up an example of zone-based firewalling with the new firewall syntax (which arrived early August for 1.4-rolling and newer) where I simply filter on the destination interface group and then have a default-action of deny or accept set for that.

That is, it's not necessary for nftables to evaluate the rules for other destination interface groups if the traffic is egressing the WAN group and the rules related to egressing the WAN group have already been processed.

Here is the example I'm talking about:

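The poster's own configuration example is not reproduced on this page. As an added illustration (mine, not the poster's, and not VyOS or nftables code) the Python model below shows the two points made above: first-match evaluation, and how splitting the forward path into one chain per egress interface group, each with its own default action, means that a packet leaving via one group never walks the rules written for the other groups. The `Packet`, `Rule`, `Chain` and `Firewall` classes, the group names `WAN`, `LAN` and `IOT`, the chain names and the sample packets are all constructed for this illustration; the model also assumes, as VyOS does with a `default-action` at the end of a named chain, that a zone chain always ends in a terminating verdict.

```python
"""Toy first-match rule evaluator with per-egress-group chains.

Constructed example, not VyOS or nftables code. It counts how many rules
each packet touches under a zoned layout versus a single flat chain, and
flags rules that can never fire because an earlier rule shadows them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_group: str    # interface group the packet arrived on
    out_group: str   # interface group it will egress through
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept", "drop" or "jump"
    in_group: Optional[str] = None  # None means "any"
    out_group: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[str] = None    # chain name when action == "jump"

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_group is None or self.in_group == pkt.in_group)
                and (self.out_group is None or self.out_group == pkt.out_group)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Chain:
    rules: List[Rule]
    default_action: str  # terminating verdict reached when no rule matches


class Firewall:
    def __init__(self, chains: Dict[str, Chain]):
        self.chains = chains

    def evaluate(self, pkt: Packet, chain_name: str = "forward") -> Tuple[str, int]:
        """First-match walk; returns (verdict, number of rules evaluated)."""
        chain = self.chains[chain_name]
        evaluated = 0
        for rule in chain.rules:
            evaluated += 1
            if not rule.matches(pkt):
                continue
            if rule.action == "jump":
                verdict, sub = self.evaluate(pkt, rule.target)
                return verdict, evaluated + sub
            return rule.action, evaluated        # first match wins
        return chain.default_action, evaluated   # nothing matched


def zoned_firewall() -> Firewall:
    """Base chain only dispatches on the egress group; each zone chain
    carries the rules for that destination and its own default action."""
    return Firewall({
        "forward": Chain([
            Rule("jump", out_group="WAN", target="WAN-OUT"),
            Rule("jump", out_group="LAN", target="LAN-OUT"),
            Rule("jump", out_group="IOT", target="IOT-OUT"),
        ], "drop"),
        "WAN-OUT": Chain([Rule("accept", in_group="LAN"),
                          Rule("accept", in_group="IOT")], "drop"),
        # The broad drop comes first, so the narrower accept below it is
        # shadowed: first-match, not best-match, decides the verdict.
        "LAN-OUT": Chain([Rule("drop", in_group="IOT"),
                          Rule("accept", in_group="IOT", dport=8123),
                          Rule("accept", in_group="LAN")], "drop"),
        "IOT-OUT": Chain([Rule("accept", in_group="LAN")], "drop"),
    })


def flat_firewall() -> Firewall:
    """Same policy as a single chain: every packet walks rules for all
    destinations until one matches."""
    return Firewall({"forward": Chain([
        Rule("accept", in_group="LAN", out_group="WAN"),
        Rule("accept", in_group="IOT", out_group="WAN"),
        Rule("accept", in_group="LAN", out_group="IOT"),
        Rule("accept", in_group="LAN", out_group="LAN"),
        Rule("drop", in_group="IOT", out_group="LAN"),
        Rule("accept", in_group="IOT", out_group="LAN", dport=8123),
    ], "drop")})


def shadowed_rules(chain: Chain) -> List[int]:
    """Indices of rules that can never match because an earlier rule in the
    same chain matches a superset of their traffic."""
    fields = ("in_group", "out_group", "dport")

    def covers(a: Rule, b: Rule) -> bool:
        return all(getattr(a, f) is None or getattr(a, f) == getattr(b, f)
                   for f in fields)

    return [i for i, r in enumerate(chain.rules)
            if any(covers(chain.rules[j], r) for j in range(i))]


if __name__ == "__main__":
    zoned, flat = zoned_firewall(), flat_firewall()
    for pkt in (Packet("LAN", "WAN", 443), Packet("IOT", "LAN", 22),
                Packet("IOT", "LAN", 8123), Packet("LAN", "IOT", 8080)):
        print(pkt, "zoned:", zoned.evaluate(pkt), "flat:", flat.evaluate(pkt))
    print("shadowed in LAN-OUT:", shadowed_rules(zoned.chains["LAN-OUT"]))
```

Running the script shows an IoT-to-LAN packet being dropped after three rule evaluations in the zoned layout (the WAN and IoT egress rules are never consulted) versus five in the flat chain, and `shadowed_rules` reports index 1 of `LAN-OUT` as unreachable, which is the kind of ordering mistake worth checking for whenever a default-deny zone gets a narrow exception added below a broad rule.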