> in this case: > > tap1-out : ACCEPT (ips off) -----> tap2-in : ACCEPT (ips on) > > > We don't want always NFQUEUE in tap1-out, because ips is off, but we want > NFQUEUE if the destination have ips on. I do not understand this. In tap-out we simply set the mark (we do not jump to ACCEPT there), so why is that a problem?