This:

```routeros
add chain=input action=drop connection-state=invalid comment="Block invalid connections"
add chain=input action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=input action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=input action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=log log-prefix="IP Filter Input Drop:" disabled=yes comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
add chain=forward action=drop connection-state=invalid comment="Block invalid connections"
add chain=forward action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=forward action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=forward action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=forward action=accept connection-state=established comment="Allow established connections"
add chain=forward action=accept connection-state=related comment="Allow related connections"
add chain=forward action=log log-prefix="IP Filter Forward Drop:" disabled=yes comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
```

Or this:

```routeros
add chain=input action=jump jump-target=common comment="Common Rules"
add chain=forward action=jump jump-target=common comment="Common Rules"
add chain=common action=drop connection-state=invalid comment="Block invalid connections"
add chain=common action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=common action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=common action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=common action=accept connection-state=established comment="Allow established connections"
add chain=common action=accept connection-state=related comment="Allow related connections"
add chain=common action=log log-prefix="IP Filter Drop:" disabled=yes comment="Log everything else"
add chain=common action=drop comment="Drop everything else"
```

There shouldn't be any difference in functionality AFAIK, only one would be 16 lines and the other 10 lines.
For lots of port forwards, it looks like the second one would be better, because there is only a need to create a third jump in the forward chain before "common", named "services", and add those forwards under it.
Before someone asks what I actually try to achieve: I am trying to optimize it and make it easier to read, minimize "duplicates" on different chains, etc., etc.
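The "no difference in functionality" claim can be checked mechanically. The following is an added example, not part of the post or of RouterOS: a small Python model of how RouterOS walks filter chains (first terminating match wins, a jump comes back to the calling chain if the sub-chain falls through, `log` is passthrough, disabled rules are skipped), fed with the rules from both rulesets above (comments and log prefixes dropped) and a few constructed sample connections.

```python
import shlex
# Rules shared by both rulesets in the post (comments and log prefixes dropped; they do not affect matching).
COMMON = """
add chain=common action=drop connection-state=invalid
add chain=common action=accept in-interface=sfp1.4 protocol=igmp
add chain=common action=accept in-interface=sfp1.4 protocol=udp
add chain=common action=accept connection-state=new in-interface=ether1
add chain=common action=accept connection-state=established
add chain=common action=accept connection-state=related
add chain=common action=log disabled=yes
add chain=common action=drop
"""
# Ruleset A: a full copy of the rules in input and in forward. Ruleset B: one copy, reached by jumps.
RULESET_A = "".join(COMMON.replace("chain=common", f"chain={c}") for c in ("input", "forward"))
RULESET_B = "\n".join(f"add chain={c} action=jump jump-target=common" for c in ("input", "forward")) + COMMON
MATCHERS = ("connection-state", "in-interface", "protocol")

def parse_rules(text):
    """Turn 'add key=value ...' lines into {chain: [rule, ...]}, keeping rule order."""
    chains = {}
    for line in filter(str.strip, text.splitlines()):
        rule = dict(p.split("=", 1) for p in shlex.split(line)[1:])
        chains.setdefault(rule["chain"], []).append(rule)
    return chains

def evaluate(chains, chain, pkt):
    """RouterOS chain walk: first terminating match wins, a jump returns on fall-through, log is passthrough."""
    for rule in chains.get(chain, []):
        if rule.get("disabled") == "yes" or any(
                k in rule and rule[k] != pkt.get(k) for k in MATCHERS):
            continue  # disabled, or a matcher the connection does not satisfy
        if rule["action"] == "jump":
            verdict = evaluate(chains, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
        elif rule["action"] in ("accept", "drop"):
            return rule["action"]
    return None  # fell through; a builtin chain then defaults to accept

SAMPLES = [  # constructed sample connections, not real traffic
    {"connection-state": "new", "in-interface": "ether1", "protocol": "tcp"},
    {"connection-state": "new", "in-interface": "sfp1.4", "protocol": "udp"},
    {"connection-state": "new", "in-interface": "sfp1.4", "protocol": "tcp"},
]

def same_policy(samples=SAMPLES):
    """True when A and B reach the same verdict in input and forward for every sample."""
    a, b = parse_rules(RULESET_A), parse_rules(RULESET_B)
    return all(evaluate(a, c, p) == evaluate(b, c, p) for p in samples for c in ("input", "forward"))
```

The one thing the model deliberately ignores is the log prefix: in the first ruleset a dropped packet is logged as "Input" or "Forward", in the second the single "IP Filter Drop:" prefix no longer tells which chain dropped it.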