feat(rules): add priority field and configurable evaluation mode (#1460)

Add support for explicit rule ordering and configurable evaluation logic:

1. **Priority field**: Rules now have a `priority` field (int, default 0).
   Lower values = higher priority. Rules are sorted by priority first,
   then alphabetically by name. This replaces the implicit file naming
   convention (000-, 001-, etc.) with explicit control.

2. **Evaluation modes**: New config option `Rules.EvaluationMode`:
   - `deny-priority` (default): Current behavior where deny/reject rules
     always win over allow rules, regardless of order
   - `first-match`: RouterOS-style evaluation where the first matching
     rule wins, giving full control via priority ordering

Example config:
```json
"Rules": {
    "Path": "/etc/opensnitchd/rules/",
    "EnableChecksums": false,
    "EvaluationMode": "first-match"
}
```

Example rule with priority:
```json
{
    "name": "block-malware",
    "priority": -100,
    "action": "deny",
    ...
}
```

This provides more intuitive and flexible rule ordering while maintaining
backwards compatibility with existing configurations.

Author: po-nuvai

daemon/data/default-config.json

@@ -30,7 +30,8 @@
     },
     "Rules": {
         "Path": "/etc/opensnitchd/rules/",
-        "EnableChecksums": false
+        "EnableChecksums": false,
+        "EvaluationMode": "deny-priority"
     },
     "Ebpf": {
         "EventsWorkers": 8,

daemon/rule/loader.go

@@ -30,6 +30,7 @@ type Loader struct {
 	liveReload        bool
 	liveReloadRunning bool
 	checkSums         bool
+	evaluationMode    EvaluationMode
 	stopLiveReload    chan struct{}
 
 	sync.RWMutex
@@ -48,10 +49,27 @@ func NewLoader(liveReload bool) (*Loader, error) {
 		liveReload:        liveReload,
 		watcher:           watcher,
 		liveReloadRunning: false,
+		evaluationMode:    EvalDenyPriority,
 		stopLiveReload:    make(chan struct{}),
 	}, nil
 }
 
+// SetEvaluationMode sets the rule evaluation mode.
+// EvalDenyPriority (default): deny/reject rules always win over allow rules.
+// EvalFirstMatch: first matching rule wins (RouterOS-style).
+func (l *Loader) SetEvaluationMode(mode string) {
+	l.Lock()
+	defer l.Unlock()
+	switch mode {
+	case string(EvalFirstMatch):
+		l.evaluationMode = EvalFirstMatch
+		log.Info("[rules] Evaluation mode: first-match (first matching rule wins)")
+	default:
+		l.evaluationMode = EvalDenyPriority
+		log.Info("[rules] Evaluation mode: deny-priority (deny always wins)")
+	}
+}
+
 // NumRules returns he number of loaded rules.
 func (l *Loader) NumRules() int {
 	l.RLock()
@@ -374,7 +392,16 @@ func (l *Loader) sortRules() {
 		}
 		l.activeRules = append(l.activeRules, k)
 	}
-	sort.Strings(l.activeRules)
+	// Sort by priority first (lower = higher priority), then alphabetically by name.
+	// This allows explicit control over rule evaluation order via the Priority field.
+	sort.Slice(l.activeRules, func(i, j int) bool {
+		ri := l.rules[l.activeRules[i]]
+		rj := l.rules[l.activeRules[j]]
+		if ri.Priority != rj.Priority {
+			return ri.Priority < rj.Priority
+		}
+		return l.activeRules[i] < l.activeRules[j]
+	})
 }
 
 func (l *Loader) addUserRule(rule *Rule) {
@@ -494,17 +521,25 @@ Exit:
 }
 
 // FindFirstMatch will try match the connection against the existing rule set.
+// The behavior depends on the evaluation mode:
+// - EvalDenyPriority (default): deny/reject rules always win over allow rules.
+// - EvalFirstMatch: first matching rule wins (RouterOS-style).
 func (l *Loader) FindFirstMatch(con *conman.Connection) (match *Rule) {
 	l.RLock()
 	defer l.RUnlock()
 
 	for _, idx := range l.activeRules {
 		rule, _ := l.rules[idx]
 		if rule.Match(con, l.checkSums) {
-			// We have a match.
-			// Save the rule in order to don't ask the user to take action,
-			// and keep iterating until a Deny or a Priority rule appears.
 			match = rule
+
+			// In first-match mode, return immediately on any match
+			if l.evaluationMode == EvalFirstMatch {
+				return rule
+			}
+
+			// In deny-priority mode (default), keep iterating until a
+			// Deny/Reject or Precedence rule appears
 			if rule.Action == Reject || rule.Action == Deny || rule.Precedence == true {
 				return rule
 			}

daemon/rule/rule.go

@@ -34,6 +34,16 @@ const (
 	Always  = Duration("always")
 )
 
+// EvaluationMode determines how rules are evaluated when multiple match
+type EvaluationMode string
+
+const (
+	// EvalDenyPriority is the default mode: deny/reject rules always win over allow
+	EvalDenyPriority = EvaluationMode("deny-priority")
+	// EvalFirstMatch uses RouterOS-style evaluation: first matching rule wins
+	EvalFirstMatch = EvaluationMode("first-match")
+)
+
 // Rule represents an action on a connection.
 // The fields match the ones saved as json to disk.
 // If a .json rule file is modified on disk, it's reloaded automatically.
@@ -50,6 +60,10 @@ type Rule struct {
 	Enabled     bool     `json:"enabled"`
 	Precedence  bool     `json:"precedence"`
 	Nolog       bool     `json:"nolog"`
+	// Priority determines rule evaluation order (lower = higher priority).
+	// Rules with equal priority are sorted alphabetically by name.
+	// Default is 0. Use negative values for higher priority rules.
+	Priority int `json:"priority"`
 }
 
 // Create creates a new rule object with the specified parameters.

daemon/ui/config/config.go

@@ -52,6 +52,10 @@ type (
 	RulesOptions struct {
 		Path            string `json:"Path"`
 		EnableChecksums bool   `json:"EnableChecksums"`
+		// EvaluationMode determines how rules are matched:
+		// - "deny-priority" (default): deny/reject rules always win over allow
+		// - "first-match": first matching rule wins (RouterOS-style)
+		EvaluationMode string `json:"EvaluationMode"`
 	}
 
 	// FwOptions struct

daemon/ui/config_utils.go

@@ -196,6 +196,7 @@ func (c *Client) reloadConfiguration(reload bool, newConfig *config.Config) (err
 
 	// 1. load rules
 	c.rules.EnableChecksums(newConfig.Rules.EnableChecksums)
+	c.rules.SetEvaluationMode(newConfig.Rules.EvaluationMode)
 	if newConfig.Rules.Path == "" || c.config.Rules.Path != newConfig.Rules.Path {
 		c.rules.Reload(newConfig.Rules.Path)
 		log.Debug("[config] reloading config.rules.path, old: <%s> new: <%s>", c.config.Rules.Path, newConfig.Rules.Path)