Customer would like to have the ability to set the firewalld zones in the order they like as per their requirements.

Below is the link where the same topic is being discussed.

Ref: https://github.com/firewalld/firewalld/issues/192  -- Add User Defined Ordering to Govern Resolution when Zone Sources Overlap

Below are the answers of the queries taken from the customer to help support this rfe request.


1. Proposed title of this feature request 
Automatic zone ordering in firewalld. Or subzones.

2. What is the nature and description of the request? 
Current zone ordering is the result of lexicographical ordering based on the name of a zone. In the event of source overlap between zones this may not be a desirable ordering. I propose that firewalld determine the ordering of zones based on decreasing specificity in a zone's defined sources. Or if this proves too difficult, a priority setting. Or sub/child zones.

3. Why do you customer need this? (List the business requirements here)
The current behavior is workable, but it seems to me that the (admittedly minor) administrative overhead of having to name zones in a way to affect ordering could be eliminated, either through determining the correct ordering based on the defined sources for the zones, or a priority field. This would allow zone naming to be precise and descriptive.

 4. How would you like to achieve this? (List the functional requirements here)
Either have firewalld determine an ordering, either at runtime or during zone creation from most restrictive to least restrictive in zones with overlap or implement a priority field for zones. Actually, it may be best to do both, create a priority field basing zone ordering on that, and then have the option to automatically set priorities for all zones based on zone specificity with the original lexicographical ordering being the default priority determinant. Or maybe some sort of sub/child zone concept, where zones can have children that may have more specific restrictions. That way you could have rules that apply to the parent zone and the children, with certain services restricted to subsets of the parent. This would actually be more useful in our case, and save redundant rules in the event of overlap.

 5. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented. 
Assume a network exists, we'll define it as 10.0.0.0/8. Assume the host we're protecting with firewalld exists in that network. Assume there are multiple subnets in this network, let's call them 10.0.1.0/24 and 10.0.2.0/24. Clients in both subnets should be able to access ssh on the server. Clients in 10.0.2.0/24 should be able to access a service running on port 6817, clients in 10.9.2.0/24 should not.
6. Do you have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
I would be very grateful if this feature could land in rhel9.
7. Is the sales team involved in this request and do they have any additional input?  
Not presently.
8. List any affected components.
Firewalld
9. Would you be able to assist in testing this functionality if implemented?
Yes.


> why the current zone ordering of lexical order being insufficient?
It's what I would call a work around. It would ease administrative overhead to have the priority specifiable. I really like the sub/child zone idea I've stumbled upon here. That actually seems like the best way to do what I want to do.