> >>Seems it also breaks container to host. > > could this help ? Sorry, but I lost the focus. We had a working firewall, so why exactly do you want to change it? The commit message from your patch is: > We can now do ACCEPT everywhere, and no need to use marks Which is obviously wrong. So why do you want to keep that patch?