From c077c8401afbe3d704b2f99af59f152f8d15db05 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 6 Nov 2018 10:16:06 -0500
Subject: [PATCH 20/34] firewalld.richlanguage: document priority value

(cherry picked from commit 4e284fb7ba334cfccf410ae5a575d4f27bd2779b)
---
 doc/xml/firewalld.richlanguage.xml | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml
index bf8d766cf3f2..a0562b93249e 100644
--- a/doc/xml/firewalld.richlanguage.xml
+++ b/doc/xml/firewalld.richlanguage.xml
@@ -99,10 +99,15 @@ rule
       <title>Rule</title>
       <para>
 	  <programlisting>
-rule [family="ipv4|ipv6"]
+rule [family="ipv4|ipv6"] [priority="priority"]
 	  </programlisting>
+      </para>
+      <para>
       If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or IPv6. If the rule family is not provided, the rule will be added for IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family need to be provided. This is also the case for port/packet forwarding.
       </para>
+      <para>
+      If the rule priority is provided, it can be in the range of -32768 to 32767 where lower values have higher precendence. Rich rules are sorted by priority. Ordering for rules with the same priority value is undefined. A negative priority value will be executed before other firewalld primitives. A positive priority value will be executed after other firewalld primitives. A priority value of 0 will place the rule in a chain based on the action as per the "Information about logging and actions" below.
+      </para>
     </refsect2>
 
     <refsect2>
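Review bot: The new priority paragraph misspells "precendence"; it should read "lower values have higher precedence". While touching this paragraph, the pre-existing context sentence above it, "then the rule family need to be provided", should become "needs to be provided". The documented range of -32768 to 32767 and the rule that negative values run before and positive values run after the other firewalld primitives match the chain layout documented later in this same patch, so the two sections stay consistent.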
@@ -332,20 +337,28 @@ limit value="rate/duration"
     <refsect2>
       <title>Information about logging and actions</title>
       <para>
-	Logging can be done with the log and also with audit. A new chain is added to all zones: zone_log. This will be jumped into before the deny chain to be able to have a proper ordering.
+	Logging can be done with the log and audit actions. A new chain is added to all zones: zone_log. This will be jumped into before the deny chain to be able to have a proper ordering.
       </para>
       <para>
-	The rules or parts of them are placed in separate chains according to the action of the rule:
+	The rules or parts of them are placed in separate chains according to the priority and action of the rule:
       </para>
       <para>
 	<programlisting>
+<replaceable>zone</replaceable>_rich_rule_pre
 <replaceable>zone</replaceable>_log
 <replaceable>zone</replaceable>_deny
 <replaceable>zone</replaceable>_allow
+<replaceable>zone</replaceable>_rich_rule_post
 	</programlisting>
       </para>
       <para>
-	Then all logging rules will be placed in the zone_log chain, which will be walked first. All reject and drop rules will be placed in the zone_deny chain, which will be walked after the log chain. All accept rules will be placed in the zone_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.
+        When <emphasis>priority &lt; 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_rich_rule_pre chain.
+      </para>
+      <para>
+        When <emphasis>priority == 0</emphasis>Then all logging rules will be placed in the <replaceable>zone</replaceable>_log chain. All reject and drop rules will be placed in the <replaceable>zone</replaceable>_deny chain, which will be walked after the log chain. All accept rules will be placed in the <replaceable>zone</replaceable>_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.
+      </para>
+      <para>
+        When <emphasis>priority &gt; 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_rich_rule_post chain.
       </para>
     </refsect2>
   </refsect1>
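Review bot: The `priority == 0` paragraph is missing the separator and keeps the old capitalisation from the sentence it replaced: `When <emphasis>priority == 0</emphasis>Then all logging rules will be placed` should read `When <emphasis>priority == 0</emphasis>, all logging rules will be placed`, matching the form of the `priority &lt; 0` and `priority &gt; 0` paragraphs around it. The `priority &lt; 0` and `priority &gt; 0` paragraphs also say only that the rule goes into the `_rich_rule_pre` or `_rich_rule_post` chain; it would help the reader to state explicitly that in those chains a rule with both a log and an allow/deny action is kept together rather than split across `_log`/`_deny`/`_allow` as the `priority == 0` case describes, since that splitting is the behaviour this section had previously documented for all rich rules.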
-- 
2.18.0