awall doesn't handle forwarding out the same interface a packet is received on
This set of awall rules
{
    "description": "Default awall policy",
    "zone": {
        "LAN": { "iface": "eth0" },
        "VPN": { "iface": "wg0" }
    },
    "policy": [
        { "in": "_fw", "action": "accept" },
        { "in": "VPN", "out": "VPN", "action": "accept" },
        { "in": "VPN", "out": "LAN", "action": "accept" },
        { "action": "reject" }
    ]
}
results in
-A FORWARD -i wg0 -o eth0 -j ACCEPT
as expected from { "in": "VPN", "out": "LAN", "action": "accept"},
but does not result in
-A FORWARD -i wg0 -o wg0 -j ACCEPT
as expected from { "in": "VPN", "out": "VPN", "action": "accept"},
which is a necessary rule to allow WireGuard clients to communicate with each other through a central router, if for no other reason. (Just to show that there is a valid use case.)
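A way to check a generated ruleset for this gap, as an added example that is not part of the original report or of awall itself: it derives the FORWARD rules the report expects from each accept policy and lists those absent from the output. The function names and the one-rule-per-interface-pair mapping are assumptions taken from the report's expectation, not awall's actual translation logic.

```python
import json

# Policy copied from the report above.
POLICY = json.loads("""
{
  "description": "Default awall policy",
  "zone": {
    "LAN": { "iface": "eth0" },
    "VPN": { "iface": "wg0" }
  },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "VPN", "out": "VPN", "action": "accept" },
    { "in": "VPN", "out": "LAN", "action": "accept" },
    { "action": "reject" }
  ]
}
""")

# The rule the report says was generated (constructed sample ruleset).
GENERATED = ["-A FORWARD -i wg0 -o eth0 -j ACCEPT"]


def ifaces(zone):
    """Return a zone's interfaces; handled here as a string or a list."""
    value = zone.get("iface", [])
    return [value] if isinstance(value, str) else list(value)


def expected_forward_rules(policy):
    """Yield (rule, same_iface) for each accept policy naming two interface zones."""
    zones = policy["zone"]
    for entry in policy["policy"]:
        src, dst = entry.get("in"), entry.get("out")
        if entry.get("action") != "accept" or src not in zones or dst not in zones:
            continue  # skips _fw and policies without both "in" and "out"
        for i in ifaces(zones[src]):
            for o in ifaces(zones[dst]):
                yield f"-A FORWARD -i {i} -o {o} -j ACCEPT", i == o


def missing_rules(policy, generated):
    """List expected rules that are absent from the generated ruleset."""
    have = {" ".join(line.split()) for line in generated}
    return [(r, same) for r, same in expected_forward_rules(policy) if r not in have]


if __name__ == "__main__":
    for rule, same in missing_rules(POLICY, GENERATED):
        print("missing:", rule, "(same interface in and out)" if same else "")
```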