I’m trying to figure out how to use the capability rules. From reading the docs and looking at examples, I would have expected the following would allow clients with the capability intraweb assigned to access server X, where X is the ZT address for a server. Below is the entire set of rules I was using.
drop
    not ethertype ipv4
    and not ethertype arp
    or not chr ipauth
;
accept ethertype arp;
cap intraweb
    id 1000
    accept ztdest X and dport 443 and ipprotocol tcp;
;
accept ztsrc X;
drop;
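To reason about why a rule set like the one above does or does not let the capability through, it helps to run it against a few sample packets. The following is an added example, not ZeroTier's code and not part of the original post: a toy model of the rule engine covering only the match types the post uses (ethertype, chr ipauth, ztsrc, ztdest, dport, ipprotocol). It assumes base rules are evaluated first and capabilities are consulted only when the base rules did not accept; whether an explicit trailing `drop;` in the base rules ends evaluation before capabilities are consulted is exposed as a flag so both readings can be compared against the ZeroTier rules documentation for your version. `X`, `CLIENT` and `OTHER` are placeholder ZeroTier addresses and the packet records are constructed, not captured frames.

```python
"""Toy model of ZeroTier-style rule evaluation for the rule set in the post.

Added example, not ZeroTier's code. Models only ethertype, chr ipauth,
ztsrc, ztdest, dport and ipprotocol matches, and ASSUMES base rules run
first with capabilities consulted only when the base rules did not accept.
"""

SERVER = "X"        # placeholder for the server's ZeroTier address
CLIENT = "CLIENT"   # placeholder for a member that holds cap intraweb

# A rule is (action, matches); each match is (negate, or_flag, type, value).
# Matches combine left to right: AND by default, OR where `or` was written,
# so the post's first rule reads ((not ipv4 and not arp) or not ipauth).
BASE_RULES = [
    ("drop", [(True, False, "ethertype", "ipv4"),
              (True, False, "ethertype", "arp"),
              (True, True, "chr", "ipauth")]),
    ("accept", [(False, False, "ethertype", "arp")]),
    ("accept", [(False, False, "ztsrc", SERVER)]),
    ("drop", []),   # the post's trailing "drop;" (no matches = matches all)
]
CAPABILITIES = {
    "intraweb": [("accept", [(False, False, "ztdest", SERVER),
                             (False, False, "dport", 443),
                             (False, False, "ipprotocol", "tcp")])],
}


def _match(pkt, mtype, value):
    if mtype == "chr":
        return value in pkt.get("chr", ())
    return pkt.get(mtype) == value


def rule_matches(pkt, matches):
    result = True                      # a rule with no matches matches all
    for negate, or_flag, mtype, value in matches:
        m = _match(pkt, mtype, value) != negate
        result = (result or m) if or_flag else (result and m)
    return result


def run_rules(pkt, rules):
    """Action of the first matching rule, or None when nothing matched."""
    for action, matches in rules:
        if rule_matches(pkt, matches):
            return action
    return None


def filter_packet(pkt, sender_caps=(), caps_after_explicit_drop=False):
    """Return (verdict, reason). sender_caps are capabilities held by the
    packet's sender; both ends of a ZeroTier link apply the same check."""
    base = run_rules(pkt, BASE_RULES)
    if base == "accept":
        return "accept", "base rules"
    if base == "drop" and not caps_after_explicit_drop:
        return "drop", "base rules (explicit drop, capabilities not consulted)"
    for cap in sender_caps:
        if run_rules(pkt, CAPABILITIES[cap]) == "accept":
            return "accept", f"cap {cap}"
    return "drop", ("base drop" if base == "drop" else "no rule matched (default drop)")


def _ipv4(src, dst, dport, proto="tcp", ipauth=True):
    """Build a constructed packet record (not a real Ethernet frame)."""
    return {"ethertype": "ipv4", "ztsrc": src, "ztdest": dst,
            "ipprotocol": proto, "dport": dport,
            "chr": {"ipauth"} if ipauth else set()}


# Constructed sample traffic; "chr" holds the ipauth characteristic, which
# the engine sets when the source IP is one assigned to the sending member.
PACKETS = {
    "client_to_X_https": _ipv4(CLIENT, SERVER, 443),
    "client_to_X_http": _ipv4(CLIENT, SERVER, 80),
    "client_to_other_https": _ipv4(CLIENT, "OTHER", 443),
    "X_reply_to_client": _ipv4(SERVER, CLIENT, 51234),
    "spoofed_to_X_https": _ipv4(CLIENT, SERVER, 443, ipauth=False),
    "arp": {"ethertype": "arp", "ztsrc": CLIENT, "ztdest": SERVER,
            "chr": {"ipauth"}},
}


def evaluate_all(caps_after_explicit_drop):
    """Verdict per sample packet with CLIENT holding cap intraweb."""
    return {name: filter_packet(pkt, ("intraweb",), caps_after_explicit_drop)[0]
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for reading in (False, True):
        print(f"capabilities consulted after explicit drop: {reading}")
        for name, pkt in PACKETS.items():
            print(f"  {name:24s} -> {filter_packet(pkt, ('intraweb',), reading)}")
```

Two things the model makes visible. Under the strict reading (the flag left at its default), the trailing `drop;` matches every packet that reached it, so the client's HTTPS request to X never gets as far as the capability and only the ARP and the server-originated traffic (`accept ztsrc X`) pass. Under the permissive reading, the capability accepts the request, but it also accepts the constructed spoofed-source packet, because the capability's own rule never checks `chr ipauth`; if a capability is meant to inherit the base rules' anti-spoofing intent, that condition has to be repeated inside it.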