Is it correct that when writing firewall filters based on in-interface and out-interface, the relevant interfaces are only bridges and master ports, and that they will never match ports connected to a bridge or otherwise marked as slaves?
If that is wrong, please explain when you would filter based on bridge and when based on slave port.