match rules
- never change pass/block state
- actions are applied on the fly
  - queue, rtable, set-tos
  - log (more on that later)
  - nat-to, rdr-to, binat-to, scrub (later)
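A constructed pf.conf fragment illustrating the points above (an added example, not from the original slides; the interface name, addresses and port are assumptions). The match rules leave the block verdict alone, and because their translation is applied as they match, the later pass rules have to be written against the translated addresses, as pf.conf(5) documents.

```pf
# Constructed example ruleset; em0, 192.168.1.0/24 and 192.168.1.10 are assumed values.
ext_if  = "em0"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Default verdict. Only a later block/pass rule can change it.
block log all

# match rules: the pass/block state stays as it was, but the options
# are applied to the packet as soon as the rule matches.
match in all scrub (no-df max-mss 1440)
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)
match in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv

# log on a match rule records the packet whatever the final verdict is.
match in log on $ext_if inet proto tcp to port 22

# The last matching pass/block rule still decides. These rules see the
# packet after translation, so they filter on the translated addresses:
# source ($ext_if) after nat-to, destination $web_srv after rdr-to.
pass out on $ext_if inet from ($ext_if) to any
pass in on $ext_if inet proto tcp to $web_srv port 80

# Nothing passes port 22 inbound: the match rule logged the packet,
# and the default block above remains the verdict.
```

A ruleset that contained only the match rules would translate and log but pass nothing, since the `block log all` verdict is never overridden.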