Tag matching rules (packet marking)
Are "advanced" rules such as policy tag matching applied in a rule of their own, or are they applied together with other conditions in a rule?
In other words if I want to reject a packet if it's ((! port X) AND (network Y)) AND (tagged Z) are those capable of being added as single rules or must the tag match rule go in a separate rule of its own?
Firewalls obviously allow multi-criteria rules by entering values (port, IP, interface, direction etc) in multiple fields but is it the same with tags? I don't want to rely on it if it's not expected/reliable behavior and could change.
Further question, what's the correct way to create a rule when the desired action on matching is to policy tag the packet for later use, and continue processing other rules?