> To me the main question is why does pve-cluster provide a default of 0 > which disables iptables for bridges and makes pve-firewall useless for > linux bridges. AFAIR this is for performance reasons ...