> >>But they test everything twice that way? > > Yes, I don't known why. > maybe they want to be sure that tap to tap filtering is done only on known tap > interfaces with firewall enable ? Yes, I think so. But one could avoid double checks by using '-j cleaup-chain' instead of using RETURN in tab-xxx chains?