> >>another way, we can list of all the tap,group,bridge with firewall
> >>enabled,
> >
> > I think it can be done fast, listing /sys/class/net/vmbrX/brif/tapX

Not sure if we need that.

> so we can find in iptables-save if stale tap chains exist

We can old and new ruleset, so there is no need to list /sys/class/net/vmbrX/brif/tapX
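
The check discussed in this thread, as an added example (not code from the thread or from the project): it lists the ports attached to a bridge under /sys/class/net/<bridge>/brif and reports chains in iptables-save output that refer to a tap device no longer attached. The chain naming (tap device name plus a suffix such as -IN or -OUT), the tapNNNiM device names and the sample ruleset are assumptions constructed for illustration.

```python
import os
import re

# Assumption: per-device chains are named "<tapdev>-<suffix>", e.g. tap100i0-IN.
TAP_CHAIN = re.compile(r"^(tap\d+i\d+)-\S+$")

def bridge_ports(bridge, sysfs="/sys/class/net"):
    """Return the set of interfaces currently attached to a bridge."""
    try:
        return set(os.listdir(os.path.join(sysfs, bridge, "brif")))
    except FileNotFoundError:
        return set()  # bridge does not exist (or is not a bridge)

def chains_in_ruleset(ruleset):
    """Chain names declared in iptables-save text (':NAME POLICY [pkts:bytes]')."""
    chains = set()
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chains.add(line[1:].split()[0])
    return chains

def stale_tap_chains(ruleset, attached):
    """Chains that reference a tap device missing from the attached set."""
    stale = []
    for chain in sorted(chains_in_ruleset(ruleset)):
        m = TAP_CHAIN.match(chain)
        if m and m.group(1) not in attached:
            stale.append(chain)
    return stale

# Constructed sample of iptables-save output (not from a real host).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j DROP
COMMIT
"""

if __name__ == "__main__":
    # On a live host: attached = bridge_ports("vmbr0"), ruleset from iptables-save.
    attached = {"tap100i0"}  # constructed: tap101i0 has been removed
    print(stale_tap_chains(SAMPLE_RULESET, attached))
```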