> a small difference:
>
> 1)
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src -j PVEFW-VENET-OUT
>
> all unfirewalled packets (fwpr+->vmbr+) for example, will lookup inside the
> ipset PVEFW-venet0-ipset

Why? There is no need to do the lookup if '-i venet0' fails.