What is the difference between /interface bridge filter and /ip firewall filter with ip firewall enabled in bridge settings? I mean more technically: is bridge filter hardware accelerated or something? I'm currently using /ip firewall filter for all filtering, including L3 filtering between individual bridge ports, but I wonder if it would maybe be worth migrating to /interface bridge filter, at least for filtering between individual bridge ports.
For starters, you need to understand that from a networking perspective, bridges work just like a switch. When you create a bridge and add two interfaces together, you are saying that those interfaces are linked together as if they were plugged into the same switch. This is commonly referred to as a layer 2 device.
With that understanding, a bridge filter controls the type of traffic allowed on the bridge. For instance, if I want to set up a filter rule to block all ping traffic to any device on the interface, then I would set up a bridge filter to match all ICMP packets and drop them.
IP filtering filters traffic based on a specific interface or IP. It is what you would normally use to allow or drop traffic to and from a single IP subnet, host or interface. IP traffic is commonly referred to as layer 3.
So why would you use bridge filters instead of IP filters? Not all traffic is IP. Broadcasts like ARP, DHCP and other kinds of traffic like that are layer 2 and would not be blocked by IP filters.
There are no performance benefits from either approach, but for simplicity, I would use IP filters unless you have a specific reason for bridge filters.
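As an added illustration (not part of the answer above, and not the poster's config), here is how the two approaches look in RouterOS CLI for the ICMP example and for a non-IP protocol; the port names ether2/ether3 are assumed:

```routeros
# Bridge filter: works at layer 2, so it can match non-IP frames such as ARP.
# Drop ARP passing between bridge ports ether2 and ether3 (assumed port names).
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 mac-protocol=arp \
    action=drop comment="L2 filter: ARP between ports"

# The ping example from the answer: drop every ICMP packet forwarded over the bridge.
add chain=forward mac-protocol=ip ip-protocol=icmp action=drop \
    comment="L2 filter: all ICMP"

# IP firewall: only sees bridged (port-to-port) traffic once use-ip-firewall is on.
# After that, rules can match on bridge ports and use connection tracking.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
add chain=forward in-bridge-port=ether2 out-bridge-port=ether3 protocol=icmp \
    connection-state=new action=drop comment="L3 filter: new ICMP between ports"
```

Both bridge filter rules and use-ip-firewall push bridged traffic through the CPU, so after adding them check whether the H (hardware offload) flag is still shown in /interface bridge port print.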
Does MikroTik allow hardware ACLs? Because the performance of the ROS firewall is okay for internet/DMZ traffic, but for LAN it's not really there yet. I mean, yeah, sure, I actually use a CCR1009 as a bridge with firewall to handle multi-gigabit firewalling, but it sounds like a terrible misuse of the device. So I wonder whether MikroTik supports some wire-speed filtering in switch devices. Preferably stateful. Also, do I need a full-blown switch for that, or will routers with a switch chip do as well?
Stateful wire-speed hardware firewall in a switch chip? Are you sure? If you need such functionality, only software running on really powerful hardware can provide that. Or you have to lower your requirements…
I was afraid of that. Welp. Seems I'll need to continue using CCRs as software bridges with fw.
Latency is quite high though in software. Or I'll need some ACL-fu to imitate stateful with stateless rules…