Questions about OPNsense firewall rule processing concerning sequence of execu
Posted by pasha-19 (Newbie, Posts: 34) on January 15, 2023, 01:15:48 am
In general I have seen from OPNsense documentation that firewall rules execute in the following order: System Rules, Floating Rules, Group Rules and then Interface Rules. This seems completely logical; however, they are clearly also subject to interpretation, especially considering the documentation's statement "Internal (automatic) rules are usually registered first."
The following order seems to match my interpretation of the OPNsense Documentation Firewall > Rules > Processing Order Flow section, which seems to generally support it, more so given the lack of any CLEAR reference to Auto Generated rules:
(Auto Generated) System rules
Auto Generated Floating rules
User Generated Floating rules ordered by the user
Auto Generated Group rules, if any, there appear to be none
User Generated Group rules ordered by the user
Auto Generated Interface rules
User Generated Interface rules ordered by the user
An alternative processing order is:
(Auto Generated) System rules
Auto Generated Floating rules
Auto Generated Group rules, if any, there appear to be none
Auto Generated Interface rules
User Generated Floating rules ordered by the user
User Generated Group rules ordered by the user
User Generated Interface rules ordered by the user
First question: Does the alternative processing order make more sense? Does "Internal (automatic) rules are usually registered first." from the documentation by any chance mean the alternative processing order is correct? It would seem to prevent User Generated Floating/Group Rules from interfering with Auto Generated Interface Rules. Is this a potential enhancement opportunity or the current state of Firewall Rule processing?
Depending on which of the above interpretations is correct (I am assuming the first is correct at this time), maybe some (unforeseen by me) Floating Rules and some Group rules will need to become Interface Rules, a transition I can probably make using the clone function.
Second question: If there are multiple groups that have common interfaces assigned, how does one know the execution order of the Group Rules on each interface? In other words, which set of group rules is executed first, which second, etc. for common interfaces in multiple groups?
My preferred Group structure is a 2-interface Guest SubGroup and a 5-interface User SubGroup that are merged into a 7-interface Master Group. It may work out that the rules in the Master Group have no relation in terms of execution order to the rules in either of the SubGroups. I intend to experiment with that structure to see if it works without me needing to know the execution order of the instructions for the shared interfaces between the SubGroups and the Master Group. If it becomes a problem, the clone function should allow me to duplicate any sequence-critical Master Group Rules into both SubGroups' rules, where assigning the execution order is possible, eliminating the Master Group instance of the duplicated rule(s) in the process. In my proposed solution the Master Group rules can be executed before or after either of the SubGroup rules without a problem. For the above to work, my assumption that both applicable sets of group rules for a selected traffic item are completed before the execution of the Interface rules starts needs to be confirmed (basically that I have interpreted the processing flow identified in the OPNsense Documentation Firewall > Rules > Processing Order Flow section correctly). Any migration of Master Group or SubGroup rules to Interface rules should have been addressed above, resulting from the answer to the first question.
Potential improvement (not a request for change, just a suggestion): the ability to list all rules (Floating, Group, Interface, including Auto Generated and User Generated) in a single list by interface in the order of their execution would be a mechanism that would simplify a debugging process and show users, especially new ones like me, the above execution order clearly.
Thanks for reading this. I hope it explains the issues I see as well as what I consider to be my potential workarounds based on my interpretations of the OPNsense Documentation Firewall > Rules > Processing Order Flow section.
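The "list all rules per interface in execution order" check the post asks for can be approximated from the ruleset pf has actually loaded, since `pfctl -sr` prints rules in the order pf evaluates them (a `quick` rule stops evaluation at its first match). The shell function below is an added example, not code from the post or from OPNsense; it filters that output for one interface and numbers each rule by its position. The sample rules are constructed here to resemble `pfctl -sr` output and are not real OPNsense output.

```shell
#!/bin/sh
# Constructed sample in the style of `pfctl -sr` output (not captured from a real box).
# A rule with no "on <iface>" clause applies to every interface.
SAMPLE_RULES='block drop in log quick on em0 inet from any to any label "constructed-system"
pass in quick inet proto tcp from any to any port = 443 flags S/SA keep state label "constructed-floating"
pass in quick on em1 inet proto tcp from 192.0.2.0/24 to any port = 22 flags S/SA keep state label "constructed-group"
pass in quick on em0 inet from 192.0.2.0/24 to any flags S/SA keep state label "constructed-interface"'

# rules_for_interface IFACE
# Reads pf rules on stdin and prints, in load order, those that apply to IFACE,
# prefixed with their line number in the input so the evaluation position is visible.
rules_for_interface() {
    iface="$1"
    awk -v iface="$iface" '
        /^[[:space:]]*(pass|block|match)/ {
            onif = ""
            # find the interface named after the "on" keyword, if any
            for (i = 1; i <= NF; i++) if ($i == "on") { onif = $(i + 1); break }
            if (onif == "" || onif == iface) printf "%d\t%s\n", NR, $0
        }'
}

# Usage on an OPNsense host (run as root):  pfctl -sr | rules_for_interface em0
# Offline demonstration with the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | rules_for_interface em0
```

Running `pfctl -vsr` instead adds per-rule evaluation and packet counters, which is the simplest way to confirm which rule a given flow actually hit.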
Last Edit: January 15, 2023, 01:18:05 am by pasha-19