ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:

> Finally got it working in the inet table, seems to be a matter of rule
> position (handle value),

The handle has nothing to do with the ordering though, the handle is
just a unique identifier.

> chain forward { # handle 2
>     type filter hook forward priority filter; policy drop;
>     ct state established,related accept # handle 19
>     ct state invalid drop # handle 20
>     oif "pppoe-wan" tcp flags syn tcp option maxseg size set 1300 # handle 21
>     iif "br-lan" accept # handle 22
>     oif "br-lan" accept # handle 23
>     iif "br-mgt" accept # handle 24
>     oif "br-mgt" accept # handle 25

    iif { "br-lan", "br-mgt" } accept
    oif { "br-lan", "br-mgt" } accept

or maybe iifname "br-*" saves two rules.

> but this does not
>
> chain forward { # handle 2
>     type filter hook forward priority filter; policy drop;
>     ct state established,related accept # handle 19
>     ct state invalid drop # handle 20
>     iif "br-lan" accept # handle 21
>     oif "br-lan" accept # handle 22
>     iif "br-mgt" accept # handle 23
>     oif "br-mgt" accept # handle 24
>     oif "pppoe-wan" tcp flags syn tcp option maxseg size set 1300 # handle 25
>     log prefix "DROP_FW " level debug flags all counter packets 0 bytes 0 # handle 26
>
> If someone could explain why I would be grateful because I do not comprehend
> the varying outcome. Is it because after egress/ingress traffic hitting
> handle 21/22 (bottom syntax) the packets are exiting the chain after being
> processed and not reaching handle 25 for processing?

Yes, this is no different than iptables, a verdict ends packet evaluation
in that base chain hook. So, if a packet came from "br-lan", forward chain
evaluation ends with handle 21.
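To make the rule-walk semantics from the reply concrete, here is an added example (not part of the thread, and not nft itself): a small Python model of how a base chain is evaluated. Rules are checked top to bottom; a statement that yields a verdict (accept, drop, reject) ends evaluation, while statements such as "tcp option maxseg size set", "log" and "counter" apply and let evaluation continue. The two chains are the ones quoted above, the handles are kept only as labels, and the sample packets (a LAN host's SYN towards the PPPoE uplink, and a SYN that matches no accept rule) are constructed for the demonstration.

```python
# Added example (not from the mailing-list post): toy model of an nftables
# base-chain walk. Handles are identifiers only; list order is what matters.
from dataclasses import dataclass, field
from typing import Callable, Optional

TERMINAL_VERDICTS = {"accept", "drop", "reject"}


@dataclass
class Rule:
    handle: int                      # nft handle, just a label here
    match: Callable[[dict], bool]    # the rule's match expression
    action: str                      # "accept", "drop", "mss 1300", "log", ...


@dataclass
class Result:
    verdict: str                     # rule verdict, or the chain policy
    last_handle: Optional[int]       # handle of the rule that issued the verdict
    mss: Optional[int]               # TCP MSS option after the walk
    trace: list = field(default_factory=list)   # handles whose match succeeded


def evaluate(chain: list, pkt: dict, policy: str = "drop") -> Result:
    """Walk the chain top to bottom; the first verdict ends evaluation."""
    mss = pkt.get("mss")
    trace = []
    for rule in chain:
        if not rule.match(pkt):
            continue
        trace.append(rule.handle)
        if rule.action.startswith("mss "):
            # "tcp option maxseg size set N" rewrites the option and continues
            mss = int(rule.action.split()[1])
            continue
        if rule.action in TERMINAL_VERDICTS:
            return Result(rule.action, rule.handle, mss, trace)
        # "log" / "counter" without a verdict are non-terminal as well
    return Result(policy, None, mss, trace)


# Helpers that build the rules quoted in the thread.
def ct_accept(handle):          # ct state established,related accept
    return Rule(handle, lambda p: p["ct"] in ("established", "related"), "accept")

def ct_invalid_drop(handle):    # ct state invalid drop
    return Rule(handle, lambda p: p["ct"] == "invalid", "drop")

def iif_accept(handle, name):   # iif "<name>" accept
    return Rule(handle, lambda p: p["iif"] == name, "accept")

def oif_accept(handle, name):   # oif "<name>" accept
    return Rule(handle, lambda p: p["oif"] == name, "accept")

def mss_clamp(handle):          # oif "pppoe-wan" tcp flags syn tcp option maxseg size set 1300
    return Rule(handle, lambda p: p["oif"] == "pppoe-wan" and p["syn"], "mss 1300")


# The chain that clamps: the MSS rule sits before the interface accepts.
WORKING = [ct_accept(19), ct_invalid_drop(20), mss_clamp(21),
           iif_accept(22, "br-lan"), oif_accept(23, "br-lan"),
           iif_accept(24, "br-mgt"), oif_accept(25, "br-mgt")]

# The chain that does not: the accepts come first, so handle 25 is never reached
# for traffic entering on br-lan or br-mgt.
BROKEN = [ct_accept(19), ct_invalid_drop(20),
          iif_accept(21, "br-lan"), oif_accept(22, "br-lan"),
          iif_accept(23, "br-mgt"), oif_accept(24, "br-mgt"),
          mss_clamp(25), Rule(26, lambda p: True, "log")]

# Constructed sample packets.
LAN_SYN = {"ct": "new", "iif": "br-lan", "oif": "pppoe-wan", "syn": True, "mss": 1460}
WAN_ONLY_SYN = {"ct": "new", "iif": "pppoe-wan", "oif": "pppoe-wan", "syn": True, "mss": 1460}

if __name__ == "__main__":
    for name, chain in (("working", WORKING), ("broken", BROKEN)):
        r = evaluate(chain, LAN_SYN)
        print(f"{name}: matched {r.trace}, verdict {r.verdict} "
              f"at handle {r.last_handle}, mss {r.mss}")
```

Running it shows the difference the poster observed: in the working chain the LAN SYN matches handles 21 and 22, leaves with MSS 1300 and is accepted by 22; in the broken chain it matches handle 21 only, is accepted there with MSS untouched, and the clamp at handle 25 never runs. The second packet shows that a log rule without a verdict does not stop the walk; the packet falls through to the chain policy.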