~ # iptables-save | grep br1 -C2
-A _NDM_MASQ -j _NDM_MASQ_BYPASS
-A _NDM_MASQ -s 192.168.1.0/24 ! -o br0 -m ndmmark --ndmmark 0x4/0x0 -j MASQUERADE
-A _NDM_MASQ -s 192.168.2.0/24 ! -o br1 -m ndmmark --ndmmark 0x4/0x0 -j MASQUERADE
-A _NDM_MASQ_BYPASS -s 224.0.0.0/4 -j ACCEPT
-A _NDM_MASQ_BYPASS -d 224.0.0.0/4 -j ACCEPT
--
-A _NDM_STATIC_LOOP -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
-A _NDM_STATIC_LOOP -s 192.168.1.0/24 -o br0 -m ndmmark --ndmmark 0x4/0x0 -j SNAT --to-source 192.168.1.1
-A _NDM_STATIC_LOOP -s 192.168.2.0/24 -d 192.168.2.0/24 -o br1 -j SNAT --to-source 192.168.2.1
-A _NDM_STATIC_LOOP -s 192.168.2.0/24 -o br1 -m ndmmark --ndmmark 0x4/0x0 -j SNAT --to-source 192.168.2.1
-A _NDM_UPNP_REDIRECT_SYS -i eth3 -p tcp -m tcp --dport 33339 -j DNAT --to-destination 192.168.1.71:33339
-A _NDM_UPNP_REDIRECT_SYS -i eth3 -p udp -m udp --dport 33339 -j DNAT --to-destination 192.168.1.71:33339
--
-A _NDM_HOTSPOT_PRERT -s 192.168.1.127/32 -i br0 -j RETURN
-A _NDM_HOTSPOT_PRERT -s 192.168.1.86/32 -i br0 -j RETURN
-A _NDM_HOTSPOT_PRERT -s 192.168.2.35/32 -i br1 -j RETURN
-A _NDM_HOTSPOT_PRERT -s 192.168.2.29/32 -i br1 -j RETURN
-A _NDM_HOTSPOT_PRERT -s 192.168.2.30/32 -i br1 -j RETURN
-A _NDM_HOTSPOT_PRERT -s 192.168.2.41/32 -i br1 -m connndmmark --mark 0x0/0x0 -j CONNNDMMARK --set-xmark 0x0/0x0
-A _NDM_HOTSPOT_PRERT -s 192.168.2.41/32 -i br1 -j RETURN
-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags SYN SYN -j CONNNDMMARK --set-xmark 0x20/0x0
-A _NDM_HTTP_INPUT_TLS_ -p tcp -m tcp --dport 443 --tcp-flags SYN SYN -j RETURN
--
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br1 -o br1 -j ACCEPT
-A OUTPUT -j _NDM_BFD_OUTPUT
-A OUTPUT -j _NDM_ACL_OUT
--
-A _NDM_HOTSPOT_FWD -i br0 -j RETURN
-A _NDM_HOTSPOT_FWD -o br0 -j RETURN
-A _NDM_HOTSPOT_FWD -i br1 -j RETURN
-A _NDM_HOTSPOT_FWD -o br1 -j RETURN
-A _NDM_HOTSPOT_FWD -i eth2.1 -j RETURN
-A _NDM_HOTSPOT_FWD -o eth2.1 -j RETURN
--
-A _NDM_IP_PROTECT -i br0 -p tcp -m tcp --dport 3517 -j _NDM_SL_PROTECT
-A _NDM_IP_PROTECT -i br0 -p udp -m udp --dport 3517 -j _NDM_SL_PROTECT
-A _NDM_IP_PROTECT -i br1 -p tcp -m tcp --dport 3517 -j _NDM_SL_PROTECT
-A _NDM_IP_PROTECT -i br1 -p udp -m udp --dport 3517 -j _NDM_SL_PROTECT
-A _NDM_IP_PROTECT -i br0 -p udp -m udp --dport 3518 -j _NDM_SL_PROTECT
-A _NDM_IP_PROTECT -i br1 -p udp -m udp --dport 3518 -j _NDM_SL_PROTECT
-A _NDM_IP_PUBLIC -p udp -m udp --dport 64192 -j ACCEPT
-A _NDM_IP_PUBLIC -p tcp -m tcp --dport 80 -j ACCEPT
--
-A _NDM_SL_PRIVATE -i br0 -m state --state NEW -j ACCEPT
-A _NDM_SL_PROTECT -j _NDM_SL_PRIVATE
-A _NDM_SL_PROTECT -i br1 -m state --state NEW -j ACCEPT
-A _NDM_SSH_INPUT_IN -p tcp -m tcp --dport 22 -m set --match-set _NDM_BFD_Ssh src --return-nomatch ! --update-counters ! --update-subcounters -j DROP
-A _NDM_SSH_INPUT_OUT -p tcp -m tcp --sport 22 -m set --match-set _NDM_BFD_Ssh dst --return-nomatch ! --update-counters ! --update-subcounters -j DROP