So, just imagine a simple scenario with two hosts connected to two ports, PORTA and PORTB.
And I have this in the policy file installed by cl-acltool:
-A FORWARD -i $PORTA -j ACCEPT
-A FORWARD -o $PORTA -j ACCEPT
-A FORWARD -i $PORTB -j DROP
I should be able to ping between port A and port B without issue, because as long as port A is either the ingress or egress port, there is an ACCEPT rule that will be hit. And from my knowledge of Linux ebtables, that's how it would work.
However, AFAICT that's not what's happening on a real switch. It seems that the rules with a "-i" are both evaluated first, before the rule with a "-o", which is a massive semantic difference between Linux ebtables, which are in-order, and what the real hardware seems to be executing.
(Of course that's just a theory, something else could be wrong and cause the same effect)
Even weirder, the ARP and IP packets seem to be treated differently even though the rules have nothing ARP-specific in them. The behavior for ARP is a bit erratic, with some packets going through and others that don't. The IP ones are consistently blocked.
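To make the semantic difference in the post concrete, here is an added simulation (not from the original post, and not a model of any documented switch behaviour): it evaluates the three FORWARD rules above against a ping request and its reply, once with first-match-wins in file order (the Linux ebtables/iptables model) and once under the poster's hypothesis that all `-i` rules are considered before any `-o` rule. The chain default policy of ACCEPT and the frame representation are assumptions for the example.

```python
"""Compare two evaluation orders for the same FORWARD rules.

Added example. The three rules are the ones from the post; the
"ingress-first" model is only the hypothesis stated in the post,
not a documented property of any hardware. The default chain
policy (ACCEPT) and the Frame fields are assumptions for this demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    match_dir: str  # "in" for -i (ingress port), "out" for -o (egress port)
    port: str       # interface name the rule matches on
    target: str     # "ACCEPT" or "DROP"


@dataclass(frozen=True)
class Frame:
    ingress: str  # port the frame arrived on
    egress: str   # port the frame is being forwarded to


# The poster's FORWARD chain, in the order it appears in the policy file.
RULES = [
    Rule("in", "PORTA", "ACCEPT"),   # -A FORWARD -i $PORTA -j ACCEPT
    Rule("out", "PORTA", "ACCEPT"),  # -A FORWARD -o $PORTA -j ACCEPT
    Rule("in", "PORTB", "DROP"),     # -A FORWARD -i $PORTB -j DROP
]

DEFAULT_POLICY = "ACCEPT"  # assumed chain policy when no rule matches


def matches(rule: Rule, frame: Frame) -> bool:
    """A -i rule compares the ingress port, a -o rule the egress port."""
    port = frame.ingress if rule.match_dir == "in" else frame.egress
    return port == rule.port


def evaluate(rules, frame: Frame, default: str = DEFAULT_POLICY) -> str:
    """First matching rule decides the verdict (ebtables/iptables semantics)."""
    for rule in rules:
        if matches(rule, frame):
            return rule.target
    return default


def in_order(frame: Frame) -> str:
    """Linux model: rules are walked exactly in file order."""
    return evaluate(RULES, frame)


def ingress_first(frame: Frame) -> str:
    """Hypothesised model from the post: every -i rule before any -o rule."""
    reordered = ([r for r in RULES if r.match_dir == "in"]
                 + [r for r in RULES if r.match_dir == "out"])
    return evaluate(reordered, frame)


def ping_round_trip(model) -> tuple:
    """Verdicts for a ping from the host on PORTA to the host on PORTB.

    Returns (request_verdict, reply_verdict). The request enters on PORTA
    and leaves on PORTB; the echo reply enters on PORTB and leaves on PORTA.
    """
    request = Frame(ingress="PORTA", egress="PORTB")
    reply = Frame(ingress="PORTB", egress="PORTA")
    return model(request), model(reply)


if __name__ == "__main__":
    for name, model in (("in-order", in_order), ("ingress-first", ingress_first)):
        req, rep = ping_round_trip(model)
        print(f"{name:14s} request={req:6s} reply={rep}")
```

Under the in-order model the reply (ingress PORTB, egress PORTA) hits the `-o $PORTA -j ACCEPT` rule before the `-i $PORTB -j DROP` rule, so the ping completes. If `-i` rules really were evaluated first, the same reply would be dropped and the ping would fail, which is the symptom the post describes for IP traffic; the erratic ARP behaviour is not explained by this model and would need a separate look.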