1 files changed, 35 insertions, 4 deletions

diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index f7f98dc7..39370c86 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -31,17 +31,34 @@ of the general structure:
                + filter
             - output
                + filter
+               + raw
+            - prerouting
+               + raw
             - name
                + custom_name
 
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+   * **Firewall Prerouting**: commands found under ``set firewall ipv4
+     prerouting raw ...``
+   * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+     conntrack ignore ipv4...``
+   * :doc:`Policy Route</configuration/policy/route>`: commands found under
+     ``set policy route ...``
+   * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+     ``set nat destination ...``
+
 For transit traffic, which is received by the router and forwarded, base chain
 is **forward**. A simplified packet flow diagram for transit traffic is shown
 next:
 
 .. figure:: /_static/images/firewall-fwd-packet-flow.png
 
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
 highlighted with red color.
 
 For traffic towards the router itself, base chain is **input**, while traffic
@@ -52,11 +69,17 @@ router (starting from circle number 6):
 
 .. figure:: /_static/images/firewall-input-packet-flow.png
 
-Base chain is for traffic toward the router is ``set firewall ipv4 input
+Base chain for traffic towards the router is ``set firewall ipv4 input
 filter ...``
 
 And base chain for traffic generated by the router is ``set firewall ipv4
-output filter ...``
+output ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
+  As described in **Prerouting**, rules defined in this section are
+  processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
+  in this section are processed after connection tracking subsystem.
 
 .. note:: **Important note about default-actions:**
    If default action for any base chain is not defined, then the default
@@ -709,6 +732,10 @@ geoip) to keep database and rules updated.
    For example: ``eth2*``. Prepending character ``!`` for inverted matching
    criteria is also supported. For example ``!eth2``
 
+.. note:: If an interface is attached to a non-default vrf, when using
+   **inbound-interface**, vrf name must be used. For example ``set firewall
+   ipv4 forward filter rule 10 inbound-interface name MGMT``
+
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
    inbound-interface group <iface_group>
 .. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
@@ -730,6 +757,10 @@ geoip) to keep database and rules updated.
    For example: ``eth2*``. Prepending character ``!`` for inverted matching
    criteria is also supported. For example ``!eth2``
 
+.. note:: If an interface is attached to a non-default vrf, when using
+   **outbound-interface**, real interface name must be used. For example
+   ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
+
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
    outbound-interface group <iface_group>
 .. cfgcmd:: set firewall ipv4 output filter rule <1-999999>