Hi,
do bridge filter rules ( /interface bridge filter ) maintain hw offloading?
Wiki does not explicitly answer that ( https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches )
My device: CRS354-48P-4S+2Q+
thanks.
I do not have a CRS3xx to test on, but whilst hardware offloading is active I would expect /interface bridge filter only to process packets between the switch and CPU, and that to process packets between switch ports you would have to use switch ACLs /interface ethernet switch rule - see https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29
Thanks, you may be right. But I’d be glad if @support will comment on this too…
Well, you should write to support then.
This is a user forum, consider yourself lucky if you get a response from them here on the forum.
Well, there seems to be a problem with Switch > ACL on this device (6.46.4). There are no ports available. Any ideas?

The bridge firewall/NAT rules do require the main CPU to process the frames. Creating these rules will not disable HW-offloading, but they probably will not work correctly either, as the frames are forwarded through the switch chip instead of the CPU. If you let some traffic reach the CPU (e.g. management or routing between VLANs), these rules can be used.
Regarding the unknown ports on WinBox, we have fixed it on the RouterOS testing channel, see the related changelog:
*) winbox - fixed “Switch” menu on CRS354-48P-4S+2Q+;
Another option is to configure rules through the CLI.
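
The difference discussed in this thread, shown as an added CLI example that is not part of any post above: the same drop expressed as a bridge filter rule (CPU only) and as a switch rule (ACL in the switch chip). The port names `ether1`, the switch name `switch1` and the address `192.168.88.10` are assumptions for illustration.

```routeros
# Bridge filter: evaluated by the main CPU only. While the bridge ports are
# hardware offloaded, frames switched between ports never reach this rule.
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=ip \
    src-address=192.168.88.10/32 action=drop

# Switch rule (ACL): evaluated in the switch chip, so it applies to offloaded
# port-to-port traffic. An empty new-dst-ports list drops the matching frames.
/interface ethernet switch rule
add switch=switch1 ports=ether1 mac-protocol=ip \
    src-address=192.168.88.10/32 new-dst-ports=""

# Confirm offloading is still active: offloaded ports show the H flag.
/interface bridge port print
```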