details in commits. I have done preliminary tests with pve-firewall; it works out of the box. vm->vm, vm->host, host->vm: each packet is processed twice, when coming in/going out of each tap-bridge. (Maybe it's possible to do some rules optimisation later.)