> But isn't it slower (more taps(in|out) to check) than simply using
>
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVE-Accept at the beginning of
> FORWARD?

Maybe, but still faster than -j PVEFW-Accept? And we only need to do that when IPS is enabled.
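An added illustration of the rule placement being debated (not code from pve-firewall or from either poster): a minimal iptables-restore ruleset for one guest tap, generated with or without the early conntrack shortcut at the head of FORWARD. Chain names other than FORWARD (PVEFW-FORWARD, PVEFW-Accept, tap100i0-IN/OUT), the use of a plain ACCEPT target for the shortcut, and the per-tap rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Chain names besides FORWARD and the
# per-tap rules are assumptions; the point is only the ordering in FORWARD.

# Emit a filter-table ruleset in iptables-restore format.
# $1 = "shortcut": put the conntrack accept first in FORWARD, so packets of
# established flows are accepted before the per-tap chains are walked.
# Anything else: omit it, so every packet traverses PVEFW-FORWARD and the
# tap chains (and hits the conntrack rule only inside each tap chain).
emit_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':FORWARD ACCEPT [0:0]' \
        ':PVEFW-FORWARD - [0:0]' \
        ':PVEFW-Accept - [0:0]' \
        ':tap100i0-IN - [0:0]' \
        ':tap100i0-OUT - [0:0]'
    if [ "$1" = shortcut ]; then
        # The shortcut: established/related traffic is accepted here and never
        # reaches PVEFW-FORWARD or the tap chains (assumed plain ACCEPT target).
        printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    fi
    printf '%s\n' \
        '-A FORWARD -j PVEFW-FORWARD' \
        '-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN' \
        '-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT' \
        '-A PVEFW-FORWARD -j PVEFW-Accept' \
        '-A tap100i0-IN -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept' \
        '-A tap100i0-IN -p tcp --dport 22 -j PVEFW-Accept' \
        '-A tap100i0-IN -j DROP' \
        '-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept' \
        '-A tap100i0-OUT -j PVEFW-Accept' \
        '-A PVEFW-Accept -j ACCEPT' \
        'COMMIT'
}

# Check the ordering property: is the first rule appended to FORWARD the
# conntrack shortcut? Prints "yes" or "no". $1 is passed through to emit_ruleset.
first_forward_rule_is_shortcut() {
    first=$(emit_ruleset "$1" | grep '^-A FORWARD ' | head -n 1)
    case "$first" in
        *'--ctstate RELATED,ESTABLISHED'*) echo yes ;;
        *) echo no ;;
    esac
}

# Usage on a host (not run here): validate the generated ruleset without
# loading it, then compare the two variants.
#   emit_ruleset shortcut | iptables-restore --test
#   first_forward_rule_is_shortcut shortcut   # yes
#   first_forward_rule_is_shortcut none       # no
```

With the shortcut present, only the first packet of each flow (and anything conntrack does not classify as RELATED or ESTABLISHED) walks PVEFW-FORWARD and the tap chains; without it, every packet does, and the per-tap conntrack rule is evaluated once per tap chain entered.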