I wonder why it is necessary to us a separate IN/OUT chain for each interface - can't we assemble one IN and one OUT chain to handle all rules (using -i and -o tests)? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.proxmox.com/pipermail/pve-devel/attachments/20140522/e2a5d182/attachment.htm>