10.9. Packet filter

The vela packet filter configuration is stored in the /var/lib/vela/config/nftables.d directory. The configuration can span multiple files, generated by different vela components. Besides these static configuration files, the vela-nfqueue-helper and vela-zone-helper daemons can also upload additional packet filter rules dynamically, to support routing by vela zones and services.

The default nftables directory, /etc/nftables.d, is a symlink to the directory containing the current vela packet filter configuration. To make the packet filter configuration more resistant to errors, an uploaded configuration is first tested for syntax errors; if it is valid, it is copied to a temporary directory, and the symlink is then pointed to that directory. This guarantees that when an invalid configuration is uploaded accidentally, the packet filter keeps using the last valid configuration, preserving firewall functionality and accessibility from the network.
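The check-then-swap step described above, written out as an added shell sketch that is not vela's own code: the staging, generation and link paths, the `NFT_CHECK` variable and the per-file `nft -c -f` syntax check are assumptions, and the symlink is replaced with a single rename so it never points at a half-copied or invalid ruleset.

```shell
#!/bin/sh
# Illustrative re-creation of the "validate, copy, repoint symlink" flow.
# Hypothetical layout: STAGING holds the freshly uploaded ruleset files,
# ROOT holds the validated generations, LINK is the symlink that
# /etc/nftables.d resolves to. None of these paths come from vela itself.
set -eu

# Syntax checker; "nft -c -f FILE" parses a ruleset without loading it.
# Overridable so the logic can be exercised on hosts without nft.
NFT_CHECK="${NFT_CHECK:-nft -c -f}"

# Run the syntax check over every regular file in a directory.
# Returns non-zero on the first file that fails to parse.
validate_ruleset() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! $NFT_CHECK "$f" >/dev/null 2>&1; then
            echo "invalid ruleset: $f" >&2
            return 1
        fi
    done
    return 0
}

# Validate the staging directory, copy it to a fresh generation directory and
# repoint the active symlink. On validation failure the symlink is untouched,
# so the firewall keeps running the last known-good generation.
activate_ruleset() {
    staging="$1" root="$2" link="$3"
    validate_ruleset "$staging" || return 1
    gen=$(mktemp -d "$root/gen.XXXXXX")
    cp -R "$staging"/. "$gen"/
    # Create the new symlink under a temporary name and rename it over the
    # old one: rename(2) is atomic, so readers always see a complete
    # generation. "mv -T" (GNU coreutils) keeps mv from descending into the
    # directory the old symlink points at.
    tmplink=$(mktemp -u "$root/link.XXXXXX")
    ln -s "$gen" "$tmplink"
    mv -T "$tmplink" "$link"
}
```

Checking files one at a time is a simplification: when /etc/nftables.conf includes the whole directory, a check that parses the combined ruleset catches cross-file references a per-file check misses.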

After the firewall is installed, a default ruleset is active. Since PNS acts as a default-deny firewall, this ruleset allows only connections from the MS host machine specified during installation to the firewall, and outgoing connections originating from the firewall itself.

For more information, see the installed manual pages of nft (the userland utility) and the documentation of the Netfilter/nftables project, including a detailed tutorial and HOWTO documents, accessible from Appendix B, Further readings.