> this is bad, because if you need to firewall tap1i0-OUT -> tap2-IN, it'll do an
> ACCEPT in group chain, and bypass tap2 inbound rules.

I wonder if we can use --mark to simplify the whole thing? Maybe use -j MARK --set-mark 1 to mark packets which should be ACCEPTED? Does that help?
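The difference the two messages are circling is that ACCEPT is a terminating verdict even when it fires inside a jumped-to user chain, while MARK is non-terminating. The toy chain walker below is an added illustration, not code from this thread or from iptables; the chain names GROUP and TAP2-IN, the packets, and the port-22 rule are constructed for the example.

```python
# Toy model of iptables filter-chain traversal: ACCEPT/DROP end the whole
# walk wherever they match, MARK only tags the packet and continues.

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

def rule(match, target):
    """match: packet fields that must all be equal; target: a verdict,
    'MARK:<n>', or the name of a user chain to jump to."""
    return (match, target)

def matches(match, pkt):
    return all(pkt.get(k) == v for k, v in match.items())

def walk(chains, name, pkt):
    """Verdict for pkt starting at chain `name`, or None when the chain
    falls through (the caller continues, or the built-in policy applies)."""
    for match, target in chains[name]:
        if not matches(match, pkt):
            continue
        if target in (ACCEPT, DROP):
            return target                   # terminating, even in a user chain
        if target == RETURN:
            return None
        if target.startswith("MARK:"):
            pkt["mark"] = int(target[5:])   # non-terminating: keep walking
            continue
        verdict = walk(chains, target, pkt) # jump into a user chain
        if verdict is not None:
            return verdict
    return None

def filter_forward(chains, pkt, policy=DROP):
    verdict = walk(chains, "FORWARD", dict(pkt))
    return verdict if verdict is not None else policy

# Constructed packet for the case in the thread: tap1i0 out, tap2 in.
PKT = {"in": "tap1i0", "out": "tap2", "dport": 22}

# Ruleset A: the group chain ACCEPTs tap1i0 traffic, so TAP2-IN is skipped.
GROUP_ACCEPT = {
    "FORWARD": [rule({}, "GROUP"), rule({"out": "tap2"}, "TAP2-IN")],
    "GROUP":   [rule({"in": "tap1i0"}, ACCEPT)],
    "TAP2-IN": [rule({"dport": 22}, DROP)],
}
# Ruleset B: the group chain only MARKs; TAP2-IN still runs, and a final
# FORWARD rule accepts whatever is still marked after the inbound chains.
GROUP_MARK = {
    "FORWARD": [rule({}, "GROUP"), rule({"out": "tap2"}, "TAP2-IN"),
                rule({"mark": 1}, ACCEPT)],
    "GROUP":   [rule({"in": "tap1i0"}, "MARK:1")],
    "TAP2-IN": [rule({"dport": 22}, DROP)],
}
```

With ruleset A the port-22 packet is accepted before TAP2-IN is consulted; with ruleset B the inbound chain drops it, while a marked packet to another port is still accepted by the final rule.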