> I found a bug: we should reset the mark to 0 at the beginning of tapxxx-IN, or a
> marked packet will be accepted.

Oh, good catch. Fixed with:

https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=31ff3ef69986d3f600e6d8fc68187d79f5284100

Hope that works now.