Only now, as looking for the difference between your setup and mine, I have noticed that you are setting the rules using ROS 7.0beta8 - it can only be seen in the export header, you don’t mention that anywhere in the text.
On long-term (6.45.9), I’ve just tried the following rules:
[me@MyTik] > interface ethernet switch rule print where !disabled
Flags: X - disabled, I - invalid, D - dynamic
0 switch=switch1 ports=ether5 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
1 switch=switch1 ports=ether5 mac-protocol=ip copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
2 switch=switch1 ports=ether5 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
And it just works - if I disable the “accept arp” rule or the “accept ip” rule, it is not possible any more to ping the device connected to ether5; as soon as both are enabled, pinging works again.
So your findings are definitely an important feedback for the ROS 7 development team, but for normal production deployment, there is no issue.
Do you have any special reason why you need to use a ROS 7 beta for the task requiring use of switch chip rules?