Wiki is explaining it quite well in my opinion. I saw no explanation there that would have answered my question. I don't know about the original poster's question, but I see there are answers to it that even add to the confusion. For example:
Nonetheless, what you circled is the forwarding of a packet FROM THE LEDE TO ANOTHER ROUTER IN THE SAME ZONE. A zone consists of interfaces. And interfaces are a property of a particular device. As far as I know, a single router running OpenWRT knows nothing about what any other device thinks about its interfaces and how it groups these into zones. I have played with routing protocols and zone-based firewalls in Cisco devices. But that's why I know these things aren't always inevitably related. No matter what Gertrude Stein says, zone is not a zone is not a zone. So forget the other router. These things are not alive. They don't recognize each other and make friends. For that you would need to run a routing protocol (RIP, OSPF, IS-IS, EIGRP, BGP) and even then the firewall would deal with interfaces. One must think about it in a way where the interface is first defined by you to be a door to a certain subnet, which you can then define to be part of a zone. Then you here have added the interface to a zone according to your previous definition.
[image: openwrt-firewall]

The algorithm, as far as I know, works like this:

A packet comes in. Does it come in from an interface that is part of a zone?

It does: Consult the row dedicated to that particular zone.
Is the packet addressed to the router? If it is, then consult the Input selection on that particular row.
Is it going to another subnet—that is, out through another interface—that is included in the same zone? If so, consult the red, circled number 3.
Is it going to another zone—that is, out through another interface—that is included in some other zone? If so, see if the destination zone is mentioned in the Forwardings column of that particular zone, that is, next to the red, circled number 2.

It does not:
Is it addressed to the router? If it is, then consult the general Input selector near and above the red circled 1.
Is it going somewhere else than the router? Consult the Forward selector next to the red circled 1.
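A small model of the decision flow laid out in the post above, added here as an example; it is not code from the post or from OpenWrt itself. The zone and interface names, the policies, and the fallback to the general Forward selector for a destination zone that is not listed in Forwardings are assumptions.

```python
# Added example (not from the original post): a model of the OpenWrt zone-based
# decision flow. Zone/interface names, policies and the fallback for an unlisted
# inter-zone destination are assumptions, not OpenWrt's own code.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: set                 # interfaces that belong to this zone
    input: str                      # policy for packets addressed to the router (Input column)
    forward: str                    # policy between interfaces of this same zone (circled 3)
    forwardings: set = field(default_factory=set)  # destination zones listed in Forwardings (circled 2)


@dataclass
class Firewall:
    zones: dict                     # zone name -> Zone
    default_input: str              # general Input selector (circled 1)
    default_forward: str            # general Forward selector (circled 1)

    def zone_of(self, iface):
        """Return the zone an interface belongs to, or None if it is in no zone."""
        return next((z for z in self.zones.values() if iface in z.interfaces), None)

    def decide(self, in_iface, out_iface=None):
        """Policy for a packet entering on in_iface; out_iface=None means it is addressed to the router."""
        src = self.zone_of(in_iface)
        if src is None:                       # "It does not": use the general selectors
            return self.default_input if out_iface is None else self.default_forward
        if out_iface is None:                 # addressed to the router: the zone's Input column
            return src.input
        dst = self.zone_of(out_iface)
        if dst is src:                        # other interface of the same zone: the zone's Forward column
            return src.forward
        if dst is not None and dst.name in src.forwardings:
            return "ACCEPT"                   # destination zone is listed in Forwardings
        # Assumption: an unlisted destination zone falls back to the general Forward selector.
        return self.default_forward


def example_firewall():
    """Constructed sample: a lan/wan/guest layout (interface names are assumptions)."""
    lan = Zone("lan", {"eth0.1", "wlan0"}, input="ACCEPT", forward="ACCEPT", forwardings={"wan"})
    wan = Zone("wan", {"eth0.2"}, input="REJECT", forward="REJECT")
    guest = Zone("guest", {"wlan1"}, input="REJECT", forward="REJECT", forwardings={"wan"})
    return Firewall({z.name: z for z in (lan, wan, guest)}, default_input="REJECT", default_forward="REJECT")
```

Calling `example_firewall().decide("eth0.2", "wlan0")` walks the wan row, finds no lan entry in its Forwardings and falls to the general Forward selector, while `decide("wlan0", "eth0.1")` stays within the lan row and returns its own Forward policy.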